"What is the risk of this vulnerability?
A remote, anonymous attacker could use CVE-2009-1923 (addressed by MS09-039) to force wins.exe to under-allocate a buffer and copy in attacker-controlled data. This could lead to heap corruption and potential code execution as SYSTEM. Therefore, it is important to apply this security update to affected servers.
Why is it rated Critical?
The last WINS security update addressing a remote code execution vulnerability was MS04-045, shipped in December 2004. MS04-045 addressed a remote code execution security vulnerability rated "Important." The mitigating factor dropping the rating from the maximum "Critical" rating down to "Important" was the fact that WINS is not installed by default. MS09-039 has the same mitigating factor - WINS is still not installed by default. However, the most recent Security Development Lifecycle (SDL) bug bar has changed how we rate components necessary for critical infrastructure. Security bulletins affecting critical components on enterprise networks are no longer down-rated for being off by default. We know that enterprise networks will have WINS so while the mitigating factor applies, it does not change the bulletin severity."
For more information, check out:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
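The quoted bulletin text describes the bug class rather than the code: a heap buffer is sized from one attacker-controlled length, and a copy into it is driven by another, so the chunk is under-allocated and the heap is corrupted. The following C is an added illustration of that pattern and its fix; it is not the WINS source, not the actual CVE-2009-1923 defect, and the record layout, field names and the 255-byte limit are all constructed for this example.

```c
/* Constructed illustration of the "under-allocate, then copy attacker
 * data" class described in the MS09-039 bulletin text. The record layout
 * below is hypothetical; it is NOT the WINS protocol and NOT the code
 * fixed by the update. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 255   /* constructed protocol maximum for the name field */

/* Constructed header carrying two length fields that should agree:
 * claimed_len is what a careless allocator trusts, inline_len is what a
 * careless copy loop trusts. Both arrive from the network. */
struct hdr {
    uint16_t claimed_len;
    uint16_t inline_len;
};

/* Vulnerable pattern, reported rather than executed: the buffer would be
 * malloc'ed with claimed_len bytes and memcpy'd with inline_len bytes.
 * Returns how many bytes the copy would run past the end of the chunk
 * (0 when it would fit). A positive value is exactly the heap corruption
 * the bulletin warns about. */
size_t vulnerable_overrun_bytes(const struct hdr *h) {
    size_t alloc_size = h->claimed_len;  /* allocation sized from field A */
    size_t copy_size  = h->inline_len;   /* copy sized from field B */
    return copy_size > alloc_size ? copy_size - alloc_size : 0;
}

/* Hardened parser: the two length fields must agree, the name must respect
 * the protocol maximum, and the copy may not exceed the bytes actually
 * received. Returns a NUL-terminated heap copy of the name (caller frees)
 * or NULL when the record is rejected. */
uint8_t *parse_name_safe(const struct hdr *h, const uint8_t *payload,
                         size_t payload_len) {
    if (h->inline_len != h->claimed_len) return NULL;  /* inconsistent lengths */
    if (h->inline_len > MAX_NAME)        return NULL;  /* exceeds protocol max */
    if (h->inline_len > payload_len)     return NULL;  /* more than was received */

    uint8_t *buf = malloc((size_t)h->inline_len + 1);
    if (!buf) return NULL;
    memcpy(buf, payload, h->inline_len);                /* bounded by the checks */
    buf[h->inline_len] = 0;
    return buf;
}

/* Helper for checks: builds a constructed record with payload_len bytes of
 * 'A' and reports whether the hardened parser accepts it (1) or not (0). */
int safe_parser_accepts(uint16_t claimed, uint16_t inl, size_t payload_len) {
    struct hdr h = { claimed, inl };
    uint8_t payload[1024];
    memset(payload, 'A', sizeof payload);
    if (payload_len > sizeof payload) payload_len = sizeof payload;

    uint8_t *name = parse_name_safe(&h, payload, payload_len);
    int ok = (name != NULL) && (strlen((char *)name) == inl);
    free(name);
    return ok;
}

/* Helper for checks: overrun size for a constructed header. */
size_t overrun_for(uint16_t claimed, uint16_t inl) {
    struct hdr h = { claimed, inl };
    return vulnerable_overrun_bytes(&h);
}
```

The point of the hardened version is that every length used to size the copy is checked against the length used to size the allocation and against the bytes actually on the wire, so a sender cannot pick the two independently. That is the property a fix for this bug class has to establish, whatever the real protocol fields are.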