Vulnerability in WINS won’t be fixed

By now, admins running Microsoft Windows servers in their environments should already have removed the use of WINS, but if they haven’t, now is the perfect time to give it the bullet for once and for all.

According to Fortinet’s Honggang Ren, a vulnerability exists in the proprietary Microsoft Windows Internet Name Service (WINS) Server that isn’t going to be fixed. This is because the people over at Redmond don’t want it to be used at all. Customers should have replaced WINS with DNS.

WINS is a legacy name resolution service that was used to map computer NetBIOS names to IP addresses. These days, the same functionality is offered by DNS and internal code has long since been updated to include this method of resolving computers.

In his blog, Ren writes that a remote memory corruption can be triggered by sending the server malformed WINS packets and exists in Windows server versions 2008, 2012 and 2016.

The vulnerability exists due to the incorrect handling of multiple WINS-Replication sessions.  If specially crafted packets are sent to the WINS server, it will crash. Therefore, an attacker can create a remote denial of service attack.

According to Ren, Fortiguard Labs, who discovered the vulnerability, reported it to Microsoft back in December 2016.  It took Microsoft 6 months to issue a response. They said: “a fix would require a complete overhaul of the code to be considered comprehensive. The functionality provided by WINS was replaced by DNS and Microsoft has advised customers to migrate away from it.”

The following two tabs change content below.

Andrew Smith

Andrew is a senior systems-engineer with over 20 years experience in corporate and small business environments. This includes consulting for large ICT service providers. He has supported systems at every level in the organization, including infrastructure, operating systems, applications, and perimeter protection. He also collaborates with software development teams on web, database, and infrastructure security. Andrew has co-founded multiple ICT businesses, where he advises on cybersecurity strategies and policies. Andrew has a 3-year National Diploma in Electronics (light current).

Latest posts by Andrew Smith (see all)