How to help protect against a WINS security issue

Microsoft is investigating reports of a security issue with Microsoft Windows Internet Name Service (WINS).  This security issue affects Microsoft Windows NT Server 4.0, Microsoft Windows NT Server 4.0 Terminal Server Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003. Microsoft Windows 2000 Professional, Microsoft Windows XP, and Microsoft Windows Millennium Edition are not affected by this vulnerability.

By default, WINS is not installed on Windows NT Server 4.0, on Windows NT Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on Windows Server 2003. By default, WINS is installed and running on Microsoft Small Business Server 2000 and on Microsoft Windows Small Business Server 2003. However, by default, on all versions of Microsoft Small Business Server, the WINS component communication ports are blocked from the Internet, and WINS is available only on the local network.

This security issue could make it possible for an attacker to remotely take control of a WINS server. As of November 26, 2004, Microsoft is not aware of any customers who have been affected by this security issue. Microsoft will continue to investigate this security issue to determine the appropriate steps to help protect customers. Additionally, to help protect your computer against this security issue, follow the steps in Microsoft Knowledge Base article 890710.

ListShield – Free Spam Blacklist Protection For All Non-Profits

ListShield, the first web-based blacklist protection service, provides networks and corporate email systems with round-the-clock monitoring of false listings on spam blacklists. “Up to 40% of small businesses are blacklisted. Most companies don’t know if they are blacklisted and they don’t know what to do about it. If a few of your company emails aren’t getting through, your email server could be blacklisted,” said Steve Bickel, co-founder of ListShield.

ListShield Partner for a Cause
ListShield is donating its services free to all non-profits. For non-profits relying on e-mail as a core communication tool for connecting with business associates, partners, and customers, ListShield is proud to provide its service for a cause.

Internet Explorer Infinite Array Sort Denial Of Service Vulnerability

Microsoft Internet Explorer is prone to a vulnerability that may result in a browser crash. This issue is exposed when the browser performs an infinite JavaScript array sort operation. It is conjectured that this will only result in a denial of service and is not further exploitable to execute arbitrary code, though this has not been confirmed.

Vulnerable
Microsoft Internet Explorer 6.0 SP2
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0

Not vulnerable
Microsoft Internet Explorer Macintosh Edition 5.2.3

The above was discovered by Berend-Jan Wever.

Mozilla Firefox Infinite Array Sort Denial Of Service Vulnerability

Mozilla Firefox is prone to a vulnerability that may result in a browser crash. This issue is exposed when the browser performs an infinite JavaScript array sort operation. It is conjectured that this will only result in a denial of service and is not further exploitable to execute arbitrary code, though this has not been confirmed.

It is not known if other Mozilla products or Gecko-based browsers are affected by this vulnerability.

Vulnerable
Mozilla Firefox Preview Release
Mozilla Firefox 0.8
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.3
Mozilla Firefox 0.10
Mozilla Firefox 0.10.1

The above was discovered by Berend-Jan Wever.

Microsoft Help ActiveX Control Related Topics Local Content Accessing Vulnerability

IEXPLORE.EXE file version 6.0.2900.2180
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP Home SP2


Recently, a security researcher known as http-equiv found a vulnerability in Microsoft’s new Service Pack (SP2). Compromising the victim’s machine required dragging a specially crafted item into a folderview window and then clicking a button. LongNameVuln is a more efficient way of achieving this common goal of compromising the system: it removes the extra step of having to click a button in order to access a page on the local machine. Using the Related Topics command of Microsoft’s Help ActiveX Control, any page can be loaded into a target frame. Unfortunately, only addresses that actually point to a location can be used; this does not include protocols such as javascript and vbscript. However, we can still break out of the Internet Zone and open a page in the Local Zone, and that is what this vulnerability achieves.

The example shows a picture of a garden that includes a carrot. Dragging the carrot to the bottom frame in the browser (set up to be the outside of the garden) will copy a file to the PCHealth directory in C:\Windows, which will then be launched, creating another file in the same directory called Greyhats.hta, which must be launched manually. The directory could easily be changed to shell:startup, but that is not necessary for this example. This is the same payload as given in NoCeegar, because my server doesn’t have the capability to host the payload file.


PhishGuard Anti-Scam System (free software)

PhishGuard is a FREE service that detects and rapidly disables Internet “phishing” or “spoofing” attacks designed to steal critical financial data.

Phishing attacks use fraudulent websites and emails that mimic well-known organizations in order to trick unsuspecting Internet users. A simple login or account number entry screen becomes a sophisticated trap. By assuming you are dealing with a trusted party, you can reveal financial information including credit card numbers, bank accounts, passwords, and social security numbers to the “bad guys”. This type of attack is very difficult for the typical person to detect, as the scammer’s emails and websites mimic the exact style and graphics of the spoofed company, and appear genuine. Sensitive financial information disclosed to scammers is used to make fraudulent financial transactions and to enable long-term identity theft.

Organizations recently impersonated by phishers have included eBay, Citibank, Federal Deposit Insurance Corporation (FDIC), PayPal, AOL, Visa, Bank One, EarthLink, Microsoft, AT&T, Yahoo, Chase, and numerous others.

PhishGuard is a simple, free software service. The first person to discover a suspected phishing scam can report the offending email or URL (website address), literally in seconds. There is no need to divulge any confidential information to the scammers. Within minutes, our monitoring team has verified the scam, and added it to the ScamBase database. Updates to the database are rapidly distributed to every participating computer, effectively immunizing them against the newly discovered scam.

The PhishGuard system utilizes the collective observations of Internet users plus a rapid server-based submission and distribution system. This unique architecture dramatically reduces the chance that any phishing scam can “slip through the cracks” and blindside an unsuspecting Internet user.

A step-by-step example of how PhishGuard works, and the free PhishGuard download, are available from the PhishGuard site.

Microsoft WINS Memory Overwrite Lets Remote Users Execute Arbitrary Code

A vulnerability was reported in Microsoft Windows in ‘wins.exe’. A remote user can execute arbitrary code on the target system.

Nicolas Waisman from Immunity reported that a remote user can send a specially crafted WINS packet to the target server on TCP port 42 to modify a memory pointer and write arbitrary contents to arbitrary memory locations. A remote user can execute arbitrary code on the target system.


Impact:  A remote user can execute arbitrary code on the target system.

Solution:  No solution was available at the time of this entry.

Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (2003), Windows (XP)

OS Comments:  Tested on Windows 2000 SP2, SP3, SP4

Reported By:  Nicolas Waisman
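The Knowledge Base excerpt at the top of this page says WINS should be reachable only from the local network, and the entry above says the attack arrives over TCP port 42. The script below is an added example, not code from Microsoft, Immunity or the advisory: it reads firewall log lines in a constructed key=value format (the field names, the sample addresses and the log lines are all assumptions made for the example) and flags accepted connections to port 42 from sources outside the RFC 1918, loopback and link-local ranges. WINS also listens on UDP 42, so the check is not limited to TCP; adjust the internal ranges to your own addressing.

```python
"""Added example: flag WINS (port 42) traffic accepted from outside the
local network.  The log format and sample lines are constructed."""
import ipaddress
import re

# Port 42 is the one the advisory names (TCP); WINS also uses UDP 42.
WINS_PORTS = {42}

# Assumed notion of "internal": RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed field layout: one connection per line, key=value pairs.
FIELDS = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample: an internal client, an Internet host the firewall let
# through, an Internet host it dropped, an unrelated HTTP hit, and an
# internal UDP name query.
SAMPLE_LOG = """\
2004-11-26T10:00:01Z src=10.0.0.23 dst=10.0.0.4 proto=tcp dport=42 action=accept
2004-11-26T10:00:02Z src=203.0.113.5 dst=10.0.0.4 proto=tcp dport=42 action=accept
2004-11-26T10:00:03Z src=198.51.100.7 dst=10.0.0.4 proto=udp dport=42 action=drop
2004-11-26T10:00:04Z src=192.0.2.9 dst=10.0.0.4 proto=tcp dport=80 action=accept
2004-11-26T10:00:05Z src=192.168.1.50 dst=10.0.0.4 proto=udp dport=42 action=accept
"""


def is_internal(addr: str, extra_internal=()) -> bool:
    """True if addr falls in INTERNAL_NETS or in any caller-supplied network
    (for sites that use public address space internally)."""
    ip = ipaddress.ip_address(addr)
    nets = list(INTERNAL_NETS) + [ipaddress.ip_network(n) for n in extra_internal]
    return any(ip in net for net in nets)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = FIELDS.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposed_wins(log_text: str, ports=WINS_PORTS, extra_internal=()):
    """Return (findings, summary).  findings lists accepted connections to a
    WINS port from a non-internal source.  summary counts what the firewall
    did with WINS traffic, so 'no findings' can be told apart from 'no WINS
    traffic seen at all'."""
    findings = []
    summary = {"internal_accept": 0, "external_accept": 0, "external_drop": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ports:
            continue
        internal = is_internal(rec["src"], extra_internal)
        if rec["action"] == "accept" and not internal:
            summary["external_accept"] += 1
            findings.append(rec)
        elif rec["action"] == "accept":
            summary["internal_accept"] += 1
        elif not internal:
            summary["external_drop"] += 1
    return findings, summary


if __name__ == "__main__":
    hits, counts = find_exposed_wins(SAMPLE_LOG)
    print(counts)
    for h in hits:
        print("WINS reachable from the Internet:", h["src"], "->", h["dst"],
              h["proto"], h["dport"])
```

Any line in the findings list means the port-42 block the Knowledge Base text relies on is not in place for that path; a non-zero external_drop count with no findings is the expected healthy state for a server that only serves the LAN.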

Don’t be conservative. Malware aren’t. Why you?

I know there is a saying “If It Ain’t Broke…Don’t Fix It!”, but you should consider reading what is new in whatever products have been upgraded by the vendor.  See what has been fixed in the new version.  See if there are security fixes.  Check if there are new features that might make your life easier.

Don’t be conservative.  Malware isn’t conservative.  Why should you be?

I’m talking about those users who still do not want to upgrade to SP2, AVG 7, JRE 1.5 or 1.4.2_06, IE 6 SP1, Ad-aware SE, etc.

I’m also talking about users of old and unsupported systems (e.g. Windows 98, Windows ME) and of products that their vendors no longer support, especially security products.  Malware uses new tricks as well as old ones.  We need new and improved protections.

Afraid that the new version or build will not play nice? Then you should really use a system that can create a Restore Point.

Keeping everything up-to-date can help in protecting your data.  Don’t forget to keep good backups too.

Symantec Windows LiveUpdate potential for minor Denial of Service and Directory Traversal

Revision History:  None

Risk Impact: Very low

Symantec is responding to an advisory issued concerning the potential for a minor denial of service (DoS) during a client’s Symantec Windows LiveUpdate download from an actual or spoofed Symantec LiveUpdate server. In addition, the advisory states there is potential for a limited directory traversal vulnerability, since Symantec Windows LiveUpdate fails to validate file path input during decompression of included file path data.

NOTE: Neither of these potential issues could be used to deploy malware or result in remote access to a client system.

Affected Components
Symantec Windows LiveUpdate 1.80.x, 1.90.x, 2.0.x, 2.5.x

The posted advisory states that Symantec’s Windows LiveUpdate does not do proper size checking on downloaded archive zip files. This could potentially allow an external attacker, who has been able to spoof a Symantec LiveUpdate download site, or a hostile insider with privileged access to a valid LiveUpdate server to include an oversized zip file in the initial download package. Decompressing an overly large zip file could potentially consume all system resources resulting in a DoS condition on the client system. Killing the running Symantec LiveUpdate process or a system restart would clear the DoS. Additionally, according to the advisory, Symantec Windows LiveUpdate does not properly validate content in the file path of downloaded archive files. This could allow an attacker to modify the path in such a manner to download archive files to arbitrary locations on the targeted system.
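The two defects the advisory describes, no size check on the downloaded archive and no validation of the file paths stored in it, are generic to any updater that unpacks a zip from the network. The following Python is an added example, not Symantec's LiveUpdate code: it plans an extraction while rejecting entry names that would escape the destination directory (Unix-style "..", absolute paths, and Windows drive letters with backslashes) and while enforcing an uncompressed size budget that is checked both against the declared sizes and again while the data is actually inflated, since the central directory can lie. The budget and ratio limits, the destination path and the sample archive are assumptions constructed for the example.

```python
"""Added example (not Symantec's LiveUpdate code): unpack an update archive
while enforcing the two checks the advisory says were missing, entry-path
validation and a decompression size budget.  Limits are assumed policy."""
import io
import os
import zipfile
from pathlib import PurePosixPath

MAX_TOTAL_BYTES = 10 * 1024 * 1024  # assumed budget: 10 MiB uncompressed per archive
MAX_RATIO = 100                     # assumed limit: reject entries expanding >100:1


def entry_path_is_safe(name: str) -> bool:
    """Lexical check on an archive entry name: no absolute paths, no drive
    letters, no '..' components.  Backslashes are normalised first because a
    Windows extractor treats them as separators."""
    path = PurePosixPath(name.replace("\\", "/"))
    if not path.parts or path.is_absolute():
        return False
    return all(part != ".." and ":" not in part for part in path.parts)


def plan_extraction(zip_bytes, dest, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Return (accepted, rejected).  accepted maps entry name -> bytes,
    rejected maps entry name -> reason.  Nothing touches the disk; a caller
    writes the accepted entries under dest after this returns."""
    accepted, rejected = {}, {}
    dest_abs = os.path.abspath(dest)
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, carries no data
            if not entry_path_is_safe(name):
                rejected[name] = "path traversal"
                continue
            # Second, non-lexical check: the joined path must stay under dest.
            target = os.path.abspath(os.path.join(dest_abs, name.replace("\\", "/")))
            if os.path.commonpath([dest_abs, target]) != dest_abs:
                rejected[name] = "path traversal"
                continue
            # Declared sizes come from the central directory and can lie, so
            # they are only a first filter; the budget is re-checked on read.
            if info.file_size > max_ratio * max(info.compress_size, 1):
                rejected[name] = "compression ratio"
                continue
            if total + info.file_size > max_total:
                rejected[name] = "size budget"
                continue
            data = bytearray()
            over_budget = False
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    data.extend(chunk)
                    if total + len(data) > max_total:
                        over_budget = True
                        break
            if over_budget:
                rejected[name] = "size budget"
                continue
            total += len(data)
            accepted[name] = bytes(data)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one benign catalog entry plus two entries whose
    names escape the extraction directory (Unix-style and Windows-style)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("catalog/updates.txt", "product=AV version=1.0\n")
        zf.writestr("../../Windows/evil.txt", "x")
        zf.writestr("C:\\Windows\\evil2.txt", "y")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = plan_extraction(build_sample_archive(), "/tmp/liveupdate")
    print("accepted:", list(ok))
    print("rejected:", bad)
```

Two points are deliberate: the path check is done twice, once on the entry name alone and once on the joined absolute path, so a name that slips past one normalisation still has to survive the other; and the read loop stops as soon as the running total passes the budget rather than trusting file_size, which is the only way to stop an archive whose header understates its contents.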

Symantec Response
The Symantec Windows LiveUpdate component is an essential piece of technology providing a method to deliver product and virus definition updates directly to the desktop, gateway or server. Symantec engineers have thoroughly tested these issues. While it is potentially possible to do what the advisory states, there are some basic misunderstandings about the impact of, as well as the ability to successfully accomplish, this type of attack involving Symantec Windows LiveUpdate.

Symantec LiveUpdate servers, like any servers, are potentially susceptible to misdirection or spoofing attacks. This is an Internet infrastructure problem, not only a Symantec problem. However, were such an attack to occur, only a very small percentage of a very large user base could potentially be impacted to any degree by a spoofing or misdirection attack since, by its very nature, such an attack would be limited to a local Internet area/region.

Symantec Windows LiveUpdate does not currently perform size validation on the initial download file. This initial file is a very small catalog file reflecting which installed Symantec applications have available updates. The zip library used by Symantec Windows LiveUpdate only extracts a specific subset of the content of the initial archive file downloaded so “redirecting” these files to locations other than their expected location would have minimal impact other than potential usability problems.

While Symantec considers the issues outlined in this reported advisory to be low-risk and to have a low probability of occurrence, Symantec considers reports of possible vulnerabilities in any Symantec product to be very important. We will be adding additional capabilities to mitigate any potential actions of this nature in an update that will be available shortly.