April 12, 2007 11:20 PM PDT

Cybercrooks exploiting new Windows DNS flaw

Cybercrooks are using a yet-to-be-patched security flaw in certain Windows versions to attack computers running the operating systems, Microsoft warned late Thursday.

The attacks target Windows 2000 Server and Windows Server 2003 systems through a hole in the domain name system, or DNS, service, Microsoft said in a security advisory. The attacks happen by sending rigged data to the service, which by design is meant to help map text-based Internet addresses to numeric Internet Protocol addresses.

"An anonymous attacker could try to exploit the vulnerability by sending a specially crafted RPC packet to an affected system," Microsoft said in the advisory. RPC, or Remote Procedure Call, is a protocol that applications use to request services from programs on another computer in a network. RPC has been involved in several security bugs before, including in the vulnerability that let the Blaster worm spread.

The French Security Incident Response Team deems the Windows DNS vulnerability "critical," its highest rating.

The DNS and RPC warning comes days after Microsoft issued its April security patches. At the same time, security experts have issued warnings on multiple zero-day flaws in Office and another one in Windows.

The latest vulnerability is a stack-based buffer overrun, Microsoft said. This is a common type of coding problem that has caused many headaches for Microsoft and Windows users. A successful attack will give full control over a vulnerable machine without any user interaction, Microsoft said.

There are "limited attacks" that exploit the issue, Microsoft said. The software maker said it is finishing a security update for Windows to repair the problem. Microsoft did not say when it plans to release the update. The company's next "Patch Tuesday" is on May 8, though if attacks increase a patch could be released out of that cycle.

While it works on the fix, Microsoft suggests several work-arounds for users of affected Windows versions. These include disabling the capability for remote management over RPC on DNS servers, blocking specific data ports using a firewall and enabling advanced filtering. Security firm Symantec on Thursday urged users to apply the work-arounds.

"Customers are advised to apply the appropriate work-arounds as soon as possible, in the event that the attacks become more widespread," Symantec said in an alert sent to subscribers of its DeepSight security intelligence service.

Windows XP and Windows Vista are not impacted by the DNS flaw. Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 are vulnerable, Microsoft said.

Windows more secure than Linux or anything else for that matter???
I would like to expose 2 myths that I sometimes see still cropping up.

1) Windows is more secure than Linux.
These types of claims are then based on the number of listed vulnerabilities over a period of time, and the average time to resolve. Both of those numbers are completely irrelevant. The truth here is this. When was the last time you saw, read about or heard about a remote root level exploit on Linux that was going to take 3 WEEKS to fix? I have been in the IT industry for almost 10 years and I cannot think of any such situation. However a simple Google search will show you a very large number of such situations regarding Windows. There is no other matrix that can compare. You cannot compare a local KDELibs DoS "exploit" to a remote root one.

2) If Linux has as high a market share it would get just as many exploits.
The truth here is that Linux/Unix run more web servers and DNS servers than all Windows platforms combined. And yet it's the Windows systems that continue to get cracked.

To conclude, while you certainly CAN lock down a Windows system, it is by design an inferior platform.
Posted by linuxninja39 (3 comments )
First this whole article screams of a slow news day
RPC attack on a Windows server running DNS????

DNS is usually in two locations... on your internal PROTECTED network and in your DMZ if you host your own internet facing DNS servers. Most companies will have Windows DNS internally for Active Directory and Linux in the DMZ running nothing but DNS on some low end box.

This is a NON issue for a few reasons.

Windows servers running DNS on your internal network be protected by so many other things that if you don't apply the patch you should not worry. You know layers of firewalls that don't allow RPC from the internet. Not allowing PC's on your internal network that don't have a proper certificate... so only company machines can even get an IP address. Proper logging that would show a user at your company initiating an attack. It's not going to happen on a company network that is properly maintained. If it can... then you have other priorities you need to attend to.

In the DMZ if you use a Windows DNS... why do you even allow RPC into that area... deny RPC in the DMZ done deal. With IP enabled KVM hardware you won't be remoting to Windows box in the DMZ with RDP.

Your comments were about Web Servers??? I agree there are more Webservers and DNS servers running Linux and UNIX. So what... there are way more Windows servers PERIOD than UNIX and Linux servers... again so what.
Posted by Lindy01 (443 comments )
Thank you
Thank you for your unvaluable Linux kook post.
Posted by csturdivant (68 comments )
Redundant: All Flaws Are Unpatched
I am sick and tired of hearing the phrase "a yet as unpatched flaw". All software flaws, known and unknown, that exist in released software are unpatched until they are patched. How many unknown flaws in software do you suppose are unpatched? Billions! How many known flaws in software do you suppose are unpatched? Millions!
Posted by Stating (869 comments )
File this under...
...DUH?
Posted by `WarpKat (275 comments )
All flaws unpatched, all _known_ MS flaws STILL unpatched
Yet another example on how Microsoft has absolutely no regard for its customers. Known flaws that are unpublished are not fixed until hackers exploit them. Microsoft does not give a d* about the security of your PC/network.
Posted by Microsoft_Facts (109 comments )
The Cure
tinydns:
http://tinydns.org
Posted by Penguinisto (5042 comments )
Actually...
...that's a pretty cool band. ^_^
Posted by `WarpKat (275 comments )