Microsoft fixes critical worm hole in Windows Server

Microsoft issued two patches that fix three holes, in Windows Server and PowerPoint.

As part of its monthly Patch Tuesday cycle, Microsoft issued a critical patch, MS11-035, that fixes a rare hole affecting all versions of Windows Server, even Server Core. The vulnerability is in the Windows Internet Name Service (WINS). It could allow remote code execution if a user received an evil WINS replication packet on a system running the WINS service.

The hole could also allow an attacker to create a self-propagating worm. A successful attack could let the hacker run code with elevated privileges on vulnerable systems. An attacker could then install programs or view, change, or delete data; or create new accounts with full user rights, Microsoft warns.

WINS is the name resolution system that was originally used for Windows NT Server 4.0 and earlier operating systems. Although rated critical, Microsoft notes that WINS is not installed by default on any affected operating system. It is still a necessary service for some Windows networks. While many a network uses IP addresses and DNS, WINS is used in networks that access devices via their NetBIOS names.

“What might make the WINS vulnerability appealing to attackers is that it is a server-side issue,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “That means an attacker wouldn’t have to trick a user into doing anything. All they would have to do to exploit this is find a server running the vulnerable service and send that machine a malicious string of data.”

If you have Windows 2003 boxes running WINS, your need to patch becomes even more urgent, Talbot notes. “At its heart, this is a memory corruption issue. In-built protections such as DEP and ASLR in Server 2008 will probably keep most attackers from achieving a complete takeover. However, a complete system compromise appears to be more likely on Server 2003, which lacks the ASLR protection.”

The other patch, MS11-036, is rated important, and it fixes two vulnerabilities in Microsoft PowerPoint. These could allow remote code execution if a user opens a malware-laced PowerPoint file. Microsoft has downgraded its severity because it has previously offered protections as optional add-ins and automated Fix-it programs. For PowerPoint 2010, there is a Microsoft Fix it which will set PowerPoint to "Disable Edit in Protected View." For older versions, last month Microsoft offered a free add-in, its Office File Validation (OFV) service, which also protects against attack. OVF is an add-in for Office 2003 and 2007. OVF was previously only available in Office 2010.

In keeping with its tradition of alternating heavy and light Patch Tuesdays, May Patch Tuesday was light. April's Patch Tuesday was a record breaker in the number of patches and holes fixed.

Microsoft is also this month using its revised exploitability index, announced last week. For each patch it will tell users on a 1-3 scale how likely it is that exploit code will appear within a month. For this month's patches, one of the PowerPoint holes got the highest exploitability rating of 1, the WINS hole a 2 (meaning "Inconsistent exploit code likely") and the third Power Point hole was rated a 3.

The light Patch Tuesday belies all the patches Microsoft has released since last month's official patch day, April 12. Microsoft updated about a dozen other patches, plus issued a few security warnings of unpatched issues and other warnings such as one about fraudulent digital certificates issued, and revoked by Comodo. Microsoft has taken to issuing less important patches on the fourth Tuesday of the month, what some are terming the Second Patch Tuesday. On April 27, Microsoft updated a handful of patches, so please be sure to check out the revised April Update list.

Today, it also re-released MS11-028 a critical patch from April that fixes the patch's issues with SQL and Exchange.

More from Microsoft Subnet

How to use a known IPv6 hole to fast freeze a Windows Network

Record-breaking Microsoft patch day affects all versions of Windows

Microsoft says Google made 'misleading security claims to the government'

Microsoft: Happy 36th birthday!

Microsoft pays Nortel $7.5 million for IPv4 addresses

Read my blogs other blogs, covering Cisco and Open Source. Follow Julie Bort on Twitter @Julie188

Follow all Microsoft Subnet bloggers on Twitter @microsoftsubnet

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.