Microsoft plugs critical hole in Windows

Microsoft today fixed a critical hole in Windows and two less serious holes in Office in one of the lightest Patch Tuesdays in recent history.

The critical bulletin, MS11-035, fixes a vulnerability in the Windows Internet Name Service (WINS) that “could allow remote code execution if a user received specially crafted malware on an affected system running the WINS service,” according to the bulletin advisory. It affects Windows Server 2003 and 2008.

WINS is not installed on the affected operating system software by default, so only customers who manually install it are affected and will be offered the update, Microsoft said.

“Microsoft is downplaying the bug, but there is potential here for remote code execution,” and thus total control of the computer, said Andrew Storms, director of security operations at nCircle. “WINS is a network-aware application that does not require authentication, and many enterprises require WINS on their networks. Taken together, these factors mean that a lot of enterprises will find their internal network servers vulnerable to a remote code bug. Initially, most attackers will probably only trigger a DoS (denial-of-service) event, but finding the remote code exploit won’t be far behind.”

Full Story Via