Vulnerability Note VU#445214

Microsoft Windows Internet Naming Service (WINS) fails to properly validate the length of specially crafted packets

Original Release date: 23 Feb 2004 | Last revised: 23 Feb 2004


Microsoft Windows Internet Naming Service (WINS) fails to properly validate the length of specially crafted packets which could allow an unauthenticated, remote attacker to cause a denial-of-service condition.


The Windows Internet Naming Service (WINS) maps IP addresses to NETBIOS computer names. There is a vulnerability in the way WINS validates the length of specially crafted packets. This could allow an attacker to cause WINS to crash.

According to Microsoft, this vulnerability will only cause a denial of service on Windows Server 2003. While the vulnerable code exists in Windows NT and Windows 2000, WINS will reject the specially crafted packet thus not causing a denial of service.


On Windows Server 2003, an unauthenticated, remote attacker could cause WINS to crash.


Apply Patch
Apply the patch (830352) referenced in Microsoft Security Bulletin MS04-006.

Block or restrict access

As a temporary measure, it is possible to limit the scope of this vulnerability by blocking access to ports used to initiate a connection with a remote WINS server at the network perimeter. These are typically ports 42/tcp and 137/udp. Please note that this workaround does not protect vulnerable WINS servers from internal attacks.

Disable vulnerable service

Disable WINS until a patch can be applied. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-23 Feb 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was reported by Microsoft. Microsoft, in turn, credits Qualys for discovering this vulnerability.

This document was written by Damon Morda.

Other Information

  • CVE IDs: CAN-2003-0825
  • Date Public: 10 Feb 2004
  • Date First Published: 23 Feb 2004
  • Date Last Updated: 23 Feb 2004
  • Severity Metric: 2.62
  • Document Revision: 21


If you have feedback, comments, or additional information about this vulnerability, please send us email.