Microsoft said late Thursday that is investigating reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service, which could allow an attacker to run code and gain access to the system.
A stack-based buffer overrun exists in the Windows DNS Server's remote procedure call (RPC) interface implementation on Windows 2000 Server and Windows Server 2003. An attacker can send a RPC packet to the interface and run malicious code on the system.
The vulnerability is reported in Microsoft Windows 2000 Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft said Windows XP Service Pack 2, and Windows Vista does not contain the vulnerable code.
Microsoft said a security update is planned to fix the flaws and has issued a specific workaround that can be used until a patch is issued.
In its 935964 security advisory Microsoft said it's "initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local System."
Adrian Stone, a Microsoft researcher, said in the Microsoft Security Response Center blog that Microsoft has identified steps customers can take to protect themselves. Microsoft is urging customers to disable remote management over RPC capability for DNS Servers through the registry key setting. Users can also block unsolicited inbound traffic on ports between 1024 to 5000 and enable advanced TCP/IP filtering on systems.
"While the attack appears to be targeted and not widespread, we are monitoring the issue and are working with our MSRA partners to monitor and help protect customers," Stone said.