Reported February 10, 2004, by Microsoft.
VERSIONS AFFECTED
· Windows Server 2003
· Windows 2000 Server
· Windows NT Server 4.0 Terminal Server Edition (WTS)
· Windows NT Server 4.0 Service Pack 6a (SP6a)
DESCRIPTION
Windows Internet Naming Service (WINS) contains a Denial of Service (DoS) vulnerability. This vulnerability stems from the method that WINS uses to validate the length of specially crafted packets. On Windows 2003, this vulnerability could permit an attacker who sends a series of specially crafted packets to a WINS server to cause the service to fail. Windows 2000 contains the same vulnerable code, but the DoS condition isn't present.
VENDOR RESPONSE
Microsoft has released security bulletin MS04-006, "Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)," to address this vulnerability and recommends that affected users immediately apply the appropriate patch listed in the bulletin.
CREDIT
Discovered by Qualsys.