[ISN] Attack code raises Windows DNS zero-day risk

From: InfoSec News (alerts@private)
Date: Mon Apr 16 2007 - 22:20:35 PDT


By Joris Evers
Staff Writer, CNET News.com
April 16, 2007

The public release of computer code that exploits a yet-to-be-patched 
Windows security hole increases the possibility of widespread attacks, 
security experts have warned.

At least four exploits for the vulnerability in the Windows domain name 
system, or DNS, service were published on the Internet over the weekend, 
Symantec said in an alert Monday. In response, the Cupertino, Calif., 
company raised its ThreatCon to level 2, which means an increase in 
attacks is expected.

The security vulnerability affects Windows 2000 Server and Windows 
Server 2003. Microsoft last week warned that it had already heard of a 
"limited attack" exploiting the flaw. However, exploit code wasn't yet 
publicly available. Exploits may help miscreants craft malicious code 
that uses the vulnerability to compromise Windows systems.

Microsoft continues to work on a fix for the problem, and attacks are 
still limited, Christopher Budd, a Microsoft Security Response Center 
staffer, wrote on a corporate blog Sunday.

"Attacks are still limited. We are aware though of public disclosure of 
proof-of-concept code to exploit the vulnerability," Budd wrote. 
Microsoft urges users of the vulnerable systems to apply the workarounds 
it has suggested.

The attacks happen when someone sends rigged data to the Windows DNS 
service, which is meant to help map text-based Internet addresses to 
numeric Internet Protocol addresses. The vulnerability affects the DNS 
RPC interface. RPC, or Remote Procedure Call, is a protocol used by 
applications to send requests across a network.

The vulnerability is not exploitable over the standard DNS ports TCP/UDP 
53, according to Microsoft. The RPC Interface is typically bound to 
network ports between 1024 and 5000, Symantec said. This mitigates the 
risk, according to the SANS Internet Storm Center, which tracks network 

"Networks obliging to basic secure perimeter design would only allow 
port 53 UDP/TCP to the authoritative DNS servers, and definitely not the 
additional RPC ports required for exploitation," a SANS ISC staffer 
wrote on the organization's blog Monday.

Still, the issue is significant, according to SANS ISC. Web hosting 
companies may run various network services on a single server, and 
Active Directory servers often also run DNS and may be exposed, 
according to the blog post.

The DNS flaw does not affect Windows XP or Windows Vista. Windows 2000 
Server Service Pack 4, Windows Server 2003 Service Pack 1 and Windows 
Server 2003 Service Pack 2 are vulnerable, Microsoft said.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Mon Apr 16 2007 - 22:33:19 PDT