COMMAND

    Winsock 2.0

SYSTEMS AFFECTED

    Win95

PROBLEM

    John Robinson found the following. If a user has the newest winsock
    patch for winsock 2.0, which can be located at:

        http://www.microsoft.com/windows95/info/ws2.htm

    and attempts to do an address lookup on an address which doesn't
    exist and is 13 characters long, winsock will fault. This has been
    reproduced on several computers and it takes a couple of seconds
    of looking up to occur. This happens with every winsock program
    tested, including Netscape 3, IE 3.0, and MS ping. Example sites
    that work are:

        www.socois.cool
        www.pcorner.org
        blahd.yahoo.com

    This apparently only works on names that are exactly 13 characters
    long (not including periods), or on addresses that are not 13
    characters but whose total length, including the periods, is 15.
    For anyone wanting to test it, try:

        www.raen.com.br

    This is dangerous because web pages can simply redirect browsers
    to these pages or set img sources to nonexistent address entries,
    which will crash winsock. Here are a few more facts (by Ken
    Chase):

    - Any exploit would need to cause the target machine to do a sort
      of lookup on a bogus domain name of the magic length (successful
      exploits would include all lengths of name from 9 to many (32?)
      characters to be sure).

    - This could include sending email with a URL or embedded image
      tag to someone, or seeding your webpage with bogus hostnames of
      9-32 characters length.

    ONCE Winsock 2.0 is HOSED:

    - In all cases, "shutting down my computer" left me with the
      shutdown screen, but did not reboot.

    - In all cases, other networking apps were either hosed or
      partially functional. In many cases you can see data being lost
      with any app that calls Winsock after some other app hoses the
      stack (i.e. Word emailing out a document by itself, for example,
      may hose itself and your changes after someone sends your Eudora
      some email with a bogus hostname link in it that you innocently
      clicked).

    - Launching new networking apps brought up the blue screen each
      time, or did as soon as any networking related function was
      attempted.

    Further testing showed that this bug is related to the Client for
    Microsoft Networks. Some reports show Win98 4.10.1650 with
    Winsock 2.2 to be vulnerable too.

    Officially, the Vnbt.386 file installed into the Windows\System
    folder had an internal problem: any attempt at NetBIOS name
    resolution on a name of 15 characters containing at least two
    periods (.) resulted in internal memory problems. The name
    resolution could be by any method (such as a NET USE command,
    double-clicking a Network Neighborhood resource, or
    programmatically by a program). Enabling or disabling DNS made
    no difference; the problem occurred if any of the forms listed
    above was passed to Vnbt.386. This problem could cause Windows
    to stop responding (hang) without warning. Note that the Vnbt.386
    file is TCP/IP-specific; NetBIOS name resolution over NetBEUI and
    IPX/SPX was not affected.
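
    As an added example that is not part of this advisory, the Python
    below (a modern addition, assuming a defender triaging HTML or
    proxy data on a patched machine) flags hostnames whose shape
    matches the Vnbt.386 trigger described above: exactly 15 characters
    counting periods, with at least two periods. The page in SAMPLE_HTML
    is constructed, reusing two of the advisory's own example names; the
    href/src regex is a hypothetical helper, not a full HTML parser.

```python
import re
from urllib.parse import urlparse

# Trigger shape as the advisory describes it for Vnbt.386: exactly 15
# characters, counting periods, with at least two periods in the name.
VNBT_NAME_LEN = 15
VNBT_MIN_PERIODS = 2

# Matches href= and src= attribute values in HTML-like text (hypothetical
# helper, tuned for the sample below rather than a full HTML parser).
_URL_ATTR_RE = re.compile(r"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def matches_vnbt_trigger(name: str) -> bool:
    """True if a hostname has the length/period shape that hangs Vnbt.386."""
    name = name.strip().rstrip(".").lower()  # ignore a trailing root dot
    return len(name) == VNBT_NAME_LEN and name.count(".") >= VNBT_MIN_PERIODS


def hostnames_in_html(html: str) -> list:
    """Hostnames of every absolute URL found in href/src attributes."""
    hosts = []
    for url in _URL_ATTR_RE.findall(html):
        host = urlparse(url).hostname  # None for relative URLs like /x.gif
        if host:
            hosts.append(host)
    return hosts


def flag_risky_hosts(html: str) -> list:
    """Unique hostnames in the document matching the trigger shape, in order."""
    flagged = []
    for host in hostnames_in_html(html):
        if matches_vnbt_trigger(host) and host not in flagged:
            flagged.append(host)
    return flagged


# Constructed sample page: the two 15-character names are taken from the
# advisory's own examples; the others are chosen not to match.
SAMPLE_HTML = """
<a href="http://www.microsoft.com/windows95/info/ws2.htm">patch</a>
<img src="http://www.raen.com.br/logo.gif">
<a href='http://blahd.yahoo.com/'>link</a>
<img src="http://example.org/x.gif">
<img src="/local.gif">
"""

if __name__ == "__main__":
    print(flag_risky_hosts(SAMPLE_HTML))  # ['www.raen.com.br', 'blahd.yahoo.com']
```

    The check only classifies a name's shape; it does not say whether
    the name resolves, so flagged hosts are candidates to confirm the
    updated Vnbt.386 is installed, not proof of an attack.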

SOLUTION

    MS has reproduced this problem only when you have an invalid static
    DNS entry. A new version of the update has been posted which
    addresses this issue. You can download it and install it over the
    original update. It is available from the same location:

        http://www.microsoft.com/windows95/info/ws2.htm