By Jennifer LeClaire / Top Tech News. Updated April 16, 2007.
In what has become a string of vulnerabilities in recent weeks, Microsoft has confirmed limited, targeted attacks against its Windows Server Domain Name System (DNS) service.
Microsoft said its initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the DNS server service. That opens a door for phishing attacks, directory services issues, and e-mail disruptions.
The latest Microsoft zero-day vulnerability affects Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista do not contain the vulnerable code and are not affected.
Microsoft said its security team is hard at work developing a security update to fix the issue. However, Christopher Budd of the Microsoft Security Response Center (MSRC) urged customers to deploy workarounds as quickly as possible because the company is aware of proof-of-concept code that can exploit the vulnerability. The SANS Internet Storm Center has confirmed at least two exploits.
Microsoft's internal investigation reveals that the vulnerability occurs in the processing of remote procedure call (RPC) traffic by Windows DNS. The DNS service is only installed on Windows server systems, not on client systems, and is not enabled by default on all Windows servers. That safeguards a percentage of customers.
What's more, even though the vulnerability is in the DNS service, Microsoft said it cannot be attacked over standard DNS port 53. An attempt to exploit the vulnerability has to be made over RPC, which uses traffic on port numbers above 1,024. However, on Sunday, Budd reported that it is also possible for a user with valid logon credentials to exploit the vulnerability over port 445.
Risks and Workarounds
The area of greatest risk potentially resides within intranets, where domain controllers are running DNS and might become compromised, according to Ken Dunham, director of the rapid response team for VeriSign iDefense. These servers store all the passwords for a Windows network.
"It is feasible that a bot may incorporate an intranet spreading routine to exploit vulnerable computers within the network to help it spread," Dunham explained, noting that a bot can be programmed to spread through the recent ANI vulnerability to infect clients and then use the zombies to exploit the DNS service against the local domain controller to gain complete control over an entire network.
"Malicious actors that compromise DNS servers will likely reconfigure the server to silently redirect Web traffic to compromised Web sites for monetary gain or corporate espionage," Dunham predicted. However, as Microsoft noted, there are workarounds. And for those who use Symantec security tools, the company already has released Bloodhound.Exploit.136 signatures to detect threats designed to exploit this vulnerability.
For now, Redmond is encouraging customers to evaluate the workaround that would disable remote management over RPC for DNS servers. Other recommended workarounds include blocking unsolicited inbound traffic on ports 1,024 to 5,000. In Windows 2003, Dunham added, data execution prevention is also helpful in blocking the exploit.