The “critical” WINS vulnerability that Microsoft issued a patch for last week is now being exploited actively in the wild, according to the SANS Institute.
The Internet Storm Center (ISC), which is operated by SANS, is receiving preliminary reports that hackers are targeting Microsoft's WINS service on Windows NT, 2000 and 2003 servers.
WINS is a central mapping of host names to network addresses and lets users find computers on a network.
Last week, Microsoft issued patch MS09-039 to close the WINS vulnerability, which could allow remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a Windows replications packet sent to TCP Port 42.
Data collected by the ISC shows that over the past few days Internet activity associated with Port 42 has risen dramatically.
MS09-039 was issued on Aug. 11 when ISC was reporting roughly zero targets per day in association with Port 42 activity. By Aug. 13 that number had spiked to around 30,000, and by Aug. 16 the number was 70,000.
Microsoft reported on its Exploitability Index, which is calculated for each patch released, that there is a high likelihood of “consistent exploit code” for the WINS vulnerability on Windows 2000 Service Pack 4. For the other affected platforms, Windows Server NT and 2003, Microsoft said that “inconsistent exploit code” was likely.
Eric Schultze, CTO for Shavlik Technologies, said last week that the WINS issue “is an unauthenticated server-side attack — the bad guy simply points and shoots some packets at the WINS server and they can execute code of their choice on that server.” He noted, however, that the attack is most likely to come from inside a user's network because the necessary port — Port 42 — to execute the attack is usually blocked at the Internet firewall.
Regardless, his recommendation was to “patch this right away on your WINS servers.”
Andrew Storms, director of security operations for nCircle, also said last week that the WINS vulnerability could become a “potential worm vector.”