Attack code raises Windows DNS zero-day risk

The public release of computer code that exploits a yet-to-be-patched Windows security hole increases the possibility of widespread attacks, security experts have warned.

At least four exploits for the vulnerability in the Windows domain name system, or DNS, service were published on the Internet over the weekend, Symantec said in an alert Monday. In response, the Cupertino, Calif., company raised its ThreatCon to level 2, which means an increase in attacks is expected.

The security vulnerability affects Windows 2000 Server and Windows Server 2003. Microsoft last week warned that it had already heard of a "limited attack" exploiting the flaw. However, exploit code wasn't yet publicly available. Exploits may help miscreants craft malicious code that uses the vulnerability to compromise Windows systems.

Microsoft continues to work on a fix for the problem, and attacks are still limited, Christopher Budd, a Microsoft Security Response Center staffer, wrote on a corporate blog Sunday.

"Attacks are still limited. We are aware though of public disclosure of proof-of-concept code to exploit the vulnerability," Budd wrote. Microsoft urges users of the vulnerable systems to apply the workarounds it has suggested.

McAfee on Monday afternoon said it had spotted a variant of Nirbot that appears to exploit the DNS vulnerability. Nirbot is a typical botworm that gives an attacker full control over an infected computer via an Internet Relay Chat channel.

"An attacker can gain control over the compromised computer and use it to send spam, install adware or launch a DDos attack on internet systems," according to McAfee's description of the pest. There are multiple versions of the Nirbot family, which is also known as Rinbot.

The attacks on the DNS service happen when someone sends rigged data to it. The service is meant to help map text-based Internet addresses to numeric Internet Protocol addresses. The vulnerability affects the DNS RPC interface. RPC, or Remote Procedure Call, is a protocol used by applications to send requests across a network.

The vulnerability is not exploitable over the standard DNS ports TCP/UDP 53, according to Microsoft. The RPC Interface is typically bound to network ports between 1024 and 5000, Symantec said. This mitigates the risk, according to the SANS Internet Storm Center, which tracks network threats.

"Networks obliging to basic secure perimeter design would only allow port 53 UDP/TCP to the authoritative DNS servers, and definitely not the additional RPC ports required for exploitation," a SANS ISC staffer wrote on the organization's blog Monday.

Still, the issue is significant, according to SANS ISC. Web hosting companies may run various network services on a single server, and Active Directory servers often also run DNS and may be exposed, according to the blog post.

The DNS flaw does not affect Windows XP or Windows Vista. Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 are vulnerable, Microsoft said.

[ckurowic]

You don't say...

Wow, by golly, you don't say! Another (4) microsoft security hole
big enough to drive a Freightliner through?! How did this happen?!
microsoft is such a great software manufacturer, unriveled in the
industry!!.....umm.....yeah, why even bother putting this up as
"news". Its not really news anymore, this has been happening since
Windows 3.0. Its more a ritual for them now. Good job, microsuck.
I'm going to go right out and buy Vista!

[regulator1956]

My Servers Are Perfect

All my Unix, Mac and Linux servers are perfect. They've never needed a patch. They run flawlessly and no bugs or other issues have ever been reported.

Now Windows, that's a different story. I don't believe one of those servers has ever booted properly. I hear tell that just having the software on an unplugged computer is risky.

They all have issues. They all have their pluses and minuses. Use what you or your employer thinks is best.

[wbenton]

Brilliant deduction!

I never would have figured that out by myself if you hadn't reported it like that! (* SNICKER *)

Well... that's probably the way Microsoft looks at it.

To them, it's NOT a serious threat until attacks have been reported from multiple sources! (* GRIN *)

Walt

[Schratboy]

The Zero-Day excuse

So what's the big deal? Flaws exist in all applications but Windows does seem to have more than most. Why not limit exposure to only legitimate operations and services and police them regularly? This can help prevent most disruptions without all the fuss and costs. All system design and operation, if done thoughtfully, is more than secure enough for even the most rigorous security tightwad.