Microsoft Won't Fix High Risk Flaw

2-SEP-00 - Microsoft says "too much effort" to fix major security flaw in all versions of Windows 95, 98, NT and 2000.





This recently discovered Windows vulnerability is common to almost all Microsoft-based networks, is easy to exploit, difficult to prevent, and leaves few tracks. It has to be considered "High Risk", but it isn't going to be fixed.

"Interested parties" can easily use this vulnerability to capture logins and passwords, or to implant "trojans" like Back Orifice. Hackers will soon complete easy-to-use "point and click" tools so even "script kiddies" can exploit this vulnerability.

Microsoft has stated they will not issue a fix because the problem is so deeply ingrained in Microsoft Networking that a fix would be too difficult.

PGP Security, discoverer of the problem, suggests several measures to minimize the risk, but they are beyond the understanding of even advanced users. You will find these suggestions in PGP's Advisory on the subject. Windows 2000 has an option to turn off NetBIOS. Doing so, of course, would also break any software that depends on NetBIOS.

Windows networks with Internet access use a combined protocol called "NetBIOS over TCP/IP". NetBIOS was developed by IBM in the 1980's for small PC networks (IBM PCNet). Microsoft adopted this protocol and enhanced, patched, tweaked and mangled it into what is known as "Microsoft Networking".

NetBIOS is a required protocol for a lot of software packages, but NetBIOS is not routable so it can't be used on larger networks. To solve this problem, NetBIOS packets are bundled into TCP/IP packets, which are routable.

NetBIOS names (\\RHINO, \\Office, etc.) must be mapped to IP addresses (,, etc.). This process is known as "WINS Resolution". It is in this necessary mapping where the vulnerability lies.
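To make the name mapping concrete, here is an added example (not from the original article or the PGP advisory) that parses a NetBIOS name-service message as laid out in RFC 1001/1002, the traffic on UDP port 137 that carries a name such as RHINO. A monitor can use it to log which hosts send queries, registrations and releases. The sample packet is constructed and the function names are illustrative.

```python
import struct

# NBNS opcodes from RFC 1002 section 4.2.1.1
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}

def encode_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars, add a type byte, split into nibbles."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_name(enc):
    """Reverse the encoding; every byte must be in 'A'..'P'."""
    if len(enc) != 32 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]

def parse_nbns(pkt):
    """Return header fields and the first name of an NBNS message."""
    if len(pkt) < 12 + 1 + 32 + 1:
        raise ValueError("truncated NBNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if pkt[12] != 0x20:
        raise ValueError("first label is not a 32-byte NetBIOS name")
    name, suffix = decode_name(pkt[13:45])
    pos = 45
    while pkt[pos] != 0:            # skip optional scope labels
        pos += 1 + pkt[pos]
        if pos >= len(pkt):
            raise ValueError("unterminated name")
    return {
        "txid": txid,
        "response": bool(flags & 0x8000),
        "opcode": OPCODES.get((flags >> 11) & 0x0F, "unknown"),
        "broadcast": bool(flags & 0x0010),
        "rcode": flags & 0x0F,
        "name": name,
        "suffix": suffix,
    }

# Constructed sample: broadcast name query for RHINO (type NB, class IN).
SAMPLE_QUERY = (struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0)
                + b"\x20" + encode_name("RHINO") + b"\x00"
                + struct.pack("!2H", 0x0020, 0x0001))

if __name__ == "__main__":
    print(parse_nbns(SAMPLE_QUERY))
```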

Systems using IPX/SPX (Novell NetWare) or pure TCP/IP (Unix, Linux, some Windows networks) are not vulnerable. Networks firewalled with some form of NAT (Network Address Translation) are not externally vulnerable, but are vulnerable within the network. Small Windows networks using NetBEUI without TCP/IP are not vulnerable.

© Andrew Grygus - Automation Access