A flaw in Microsoft's Domain Name System (DNS) Server Service is serious enough to warrant an out of cycle patch,...
according to security experts.
Vulnerability researchers are calling the flaw very serious. DNS servers are a critical piece of the Internet, as they convert domain names (such as "www.searchsecurity.com") into IP addresses.
A stack-based buffer overrun exists in the Windows DNS Server's remote procedure call (RPC) interface implementation on Windows 2000 Server and Windows Server 2003. An attacker can send a RPC packet to the interface and run malicious code on the system.
Christopher Budd, a security program manager for the Microsoft Security Response Center (MSRC), said Sunday in the Microsoft Security Response Center blog that proof of concept code to exploit the flaw is now publicly available for the flaw.
"Our ongoing monitoring of attacks in conjunction with our MSRA partners indicates that attacks are still limited," Budd said. "We continue to urge customers to deploy the workarounds in their environments as quickly as possible."
Microsoft also updated its 935964 security advisorygiving additional information about workarounds on systems with 15 character, or longer, system names.
The vulnerability is reported in Microsoft Windows 2000 Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft said Windows XP Service Pack 2, and Windows Vista does not contain the vulnerable code.
Nearly every company with a Website has a DNS server and most are running Windows 2000 or Windows 2003, said Amol Sarwate, director of the vulnerability research lab at Redwood Shores, Calif.-based network security vendor Qualys Inc. Sarwate believes Microsoft may rush out an out of cycle patch to address the issue.
The workaround suggested by Microsoft would turn off remote management of an affected server. Most servers are managed by system administrators remotely, Sarwate said.
"This flaw affects the remote management part of the DNS server, but if someone is able to exploit it, they could change anything or impact the core functionality," he said.
An attacker could ultimately tweak the IP address translation, forwarding potential victims to a malicious Web site.
In its 935964 security advisory Microsoft said there have been reports of the flaw being exploited in the wild.
Adrian Stone, a Microsoft researcher, explained in the Microsoft Security Response Center blog the workaround needed for customers to protect themselves. The workaround involves disabling remote management over RPC capability for DNS Servers through the registry key setting. Users can also block unsolicited inbound traffic on ports between 1024 to 5000 and enable advanced TCP/IP filtering on systems.