Microsoft Fixes Critical Windows Internet Name Service Flaw In Two-Patch Release
Microsoft designated just one of the two patches in its May release with the highest severity rating of "critical," which repaired a vulnerability in the Windows Internet Name Service. The critical ranking typically indicates that the vulnerability could be exploited remotely in malicious attacks with limited, if any, user intervention.
During a successful exploit, the vulnerability could enable hackers to launch remote code execution attacks if a user installed malware on an affected system running the Windows Internet Name service.
Pete Voss, senior response communications manager for Microsoft's Trustworthy Computing Group, said in a blog post that users should prioritize that security bulletin. However, he also said that Windows Internet Name Service wasn't a default installation , limiting impact of the vulnerability to users who had manually installed the component.
But security experts maintain that install base happens to be pretty wide and underscored the importance of patching the Internet Name Service flaw, while also noting that Microsoft appeared to be downplaying the severity of the vulnerability.
Andrew Storms, director of security operations at security firm nCircle, said that the security bug might initially trigger denial of service attacks, but would likely open the door for more critical remote code execution exploits in the future.
"Microsoft is downplaying the bug, but there is potential here for remote code execution," Storms said, in an e-mail. "WINS is a network aware application that does not require authentication, and many enterprises require WINS on their networks. Taken together, these factors mean that a lot of enterprises will find their internal network servers vulnerable to a remote code bug. Initially, most attackers will probably only trigger a DOS event, but finding the remote code exploit won't be far behind."
Other experts echoed that the vulnerability will likely affect numerous users due to WINS wide deployment, despite the fact that it requires manual installation.
"The problem here is that many third party applications use WINS, especially legacy applications," said Marcus Carey, community manager at Rapid7, in a statement. "WINS is widely deployed in government and commercial networks. Since Windows Server 2003 WINS was optional, but many people found that it broke things when it was disabled. This may have been an attempt by Microsoft to downplay this critical vulnerability. Organizations should test and deploy this update as soon as possible.”
In addition, Microsoft also repaired two security flaws, given the slightly less severe rating of "important," in Microsoft's Office PowerPoint.
Both vulnerabilities could be exploited remotely by hackers if users opened up a PowerPoint file infected with malicious code. In a successful attack scenario, attackers could elevate their privileges to log on to a system as authenticated users.
Microsoft said that installing the Office File Validation feature, available by default in Office 2010, mitigates the risk of attack by blocking the attack vectors that exploit the vulnerabilities.
The May security bulletin was the first that used Microsoft's Exploitability Index, which the company rolled out last week. The new Exploitability Index provides two ratings per vulnerability -- one for the latest version of the affected platform, and the other as an aggregate rating for all older versions of the software.
And nCircle's Storms hailed the updated Exploitability Index as a crucial step in raising awareness about critical security vulnerabilities in their infrastructure. "This information should make it impossible for enterprises to ignore the dramatic security improvements in Microsoft’s latest releases and help enterprise security teams make a stronger case for long overdue upgrades," he said.