April 16, 2007 (Press Release) --
According to a security advisory posted on the company’s website, Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.
The Redmond company also said that Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected, as these versions do not contain the vulnerable code.
Microsoft’s initial investigation reveals that successful exploitation of this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM. The vulnerability can be exploited to cause a stack-based buffer overflow via a specially crafted RPC request.
Upon completion of this investigation, Microsoft will take appropriate action to help protect its customers. This may include providing a security update through its monthly release process or providing an out-of-cycle security update, depending on customer needs.
According to SANS, Microsoft has suggested a few actions that can mitigate the risk, with the caveat that some tools may break.
1. Disable remote management over RPC for the DNS server via a registry key setting.
2. Block unsolicited inbound traffic on ports 1024-5000 using IPsec or a firewall.
3. Enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server.
SANS also said that two confirmed sources were attacked on April 4th and 5th. Both were universities in the US.
The Danish security vendor Secunia rated the vulnerability as highly critical and also recommended disabling the remote management over RPC capability for DNS servers.
Author: Alex Radulescu
Source: http://www.playfuls.com/




