Microsoft Patches WINS Vulnerability, Plugs Three Holes In SP2

All of the issues in Windows cited Tuesday, however, were ranked by the Redmond, Wash.-based developer as merely "Important," the company's second-highest threat rating in its four-step system. Microsoft's recommendation for such bulletins is that customers "install the update at the earliest opportunity."

"The most serious is the WINS vulnerability," said Oliver Friedrichs, the senior manager of Symantec's security response team. "It's the one that could lead to the most attacks because it was the one which was really out there [in public]."

That fix addresses a vulnerability in Windows NT, 2000, and Server 2003 that was publicized in late November by security organizations like Secunia and the SANS Institute's Internet Storm Center. The WINS component is often used by enterprises for name registration and name resolution functions.

At the time, some security professionals blasted the independent researcher for going public with his information before a patch was available, with the Storm Center calling the practice "irresponsible."

"When a vulnerability is out there, it changes the landscape," said Friedrichs. "Because it's now within the potential, it makes a company like Microsoft expedite the patch-making process. They simply have to respond quicker."

That pressure isn't without reason, since by Symantec's estimate, there are just 5.8 days between the disclosure of a vulnerability and an exploit hitting the streets.

"The race starts at that point," he said.

The other bugs revealed Tuesday affect every still-supported edition of Windows, including Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003.

Bulletin MS04-041, for instance, impacts NT 4.0, 2000, Server 2003, and XP, including the just-fixed Windows XP SP2.

WordPad, a bundled text tool in those editions, can be exploited through a bug in the Word for Windows 6.0 Converter component, which an attacker could conceivably use to take control of the system remotely. The hacker would have to entice victims to a malicious Web site, however, and hope they didn't have any version of Microsoft Word installed (since its similar component isn't vulnerable). As part of the patch, Microsoft sets Windows to disable the Converter by default, a step already taken by Windows XP SP2 (which is not as vulnerable to this attack as XP SP1).

Windows XP SP2 is also vulnerable to the HyperTerminal bug outlined in Microsoft's MS04-043 alert. Although an attacker would have to go to lengths to exploit this -- he/she would have to set up a malicious Telnet session, then convince the potential victim to open a file transmitted during the session -- the results could be significant. Microsoft said that hackers exploiting this bug could gain complete control of the compromised PC.

The third flaw that hits SP2, among other versions of Windows, was detailed in Microsoft's MS04-044 bulletin, which repairs bugs in the Windows kernel and the LSASS component. The patches, which supersede fixes released last year, plug holes that could be exploited by in-house attackers.

"One of the reasons why several of these affect SP2," explained Symantec's Friedrichs, "is that they're not the traditional cookie cutter buffer overflow type of vulnerabilities. Those are the kind that SP2 really helped fix."

The remaining bug affects Windows NT and stems from a gaffe in Windows NT 4.0 that could be used to bring down a DHCP (Dynamic Host Configuration Protocol) server.

On the first of December, Microsoft went "out-of-cycle" to patch a vulnerability in Internet Explorer that had been used to attack users for nearly a month.

Users can download the month's fixes from Microsoft's Windows Update site.