Microsoft plans to have a fix for the recently disclosed Windows Domain Name System service flaw available by its May 8 patch day at the latest.
"This is a developing situation and we are constantly evaluating the situation and the status of our development and testing of updates," Christopher Budd, a Microsoft Security Response Center staffer wrote on a corporate blog Tuesday.
Microsoft is working on 133 separate updates for the problem, Budd wrote.
"One in every language for every currently supported version of Windows servers," he wrote. "Each of these has to be tested to ensure they effectively protect against the vulnerability."
The security vulnerability affects Windows 2000 Server and Windows Server 2003. Microsoft last week warned that it had already heard of a "limited attack" exploiting the flaw. Since then exploit code was publicly disclosed and a variant of the Nirbot worm that takes advantage of the hole has surfaced.
The attacks on the DNS service happen when someone sends rigged data to it. The service is meant to help map text-based Internet addresses to numeric Internet Protocol addresses. The vulnerability affects the DNS RPC interface. RPC, or Remote Procedure Call, is a protocol used by applications to send requests across a network.
Because DNS is a critical part of the networking infrastructure, Microsoft is taking special care with its patches, Budd wrote. "They also have to be tested to ensure that changes introduced by the updates don't pose a greater risk than the security issue we're addressing," he wrote.