Microsoft Investigates DNS Attacks

 
 
By Brian Prince  |  Posted 2007-04-13
 
 
 

Microsoft is investigating attacks exploiting a vulnerability in the Windows Server Domain Name System Service, as well as two types of hacks targeting Vistas OEM BIOS activation feature.

A company spokesperson said a very limited number of attacks exploiting the flaw in the Windows Server DNS Service have been seen in the wild.

"Our investigation reveals that this vulnerability could allow a criminal to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM," a Microsoft spokesperson said.

The problem stems from a stack-based buffer overrun in the Windows DNS Servers RPC (remote procedure call) interface implementation. RPC is a protocol a program can use to request a service from a program on another computer in a network. An attacker could try to exploit the vulnerability by sending a specially crafted RPC packet to an affected system.

The flaw affects Windows Server 2000 and Windows Server 2003 running the DNS Server Service, Microsoft officials stated in an advisory. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code. The name resolution functionality of the DNS service exposed over port 53 is not vulnerable to this attack.

According to the advisory, Microsoft is in the process of developing a security update for Windows that addresses the vulnerability. Company officials are advising users to disable remote management over RPC capability for DNS Servers through the registry key setting, and to use a firewall to block all unsolicited inbound traffic on ports between 1024 and 5000.

"The RPC interface of Windows DNS is bound to a port in this range," the company explained in the advisory.

It has been a busy week for Microsoft on the security front. In addition to Patch Tuesday and subsequent reports of bugs affecting Microsoft Office, security officials at the Redmond, Wash.-based company are also looking into attacks aimed at Windows Vistas OEM BIOS activation feature. According to an April 10 blog post by Microsoft Senior Product Manager Alex Kochis, the OEM attacks have been launched in two ways. The first hack involves editing the BIOS on the motherboard, while the second uses a software-based approach to trick Windows Vista into functioning as if its running on OA 2.0-enabled hardware, Kochis wrote.

IT organizations are being urged to deploy a patch for a bug affecting how Microsoft Windows handles animated cursors. Click here to read more.

Kochis downplayed the threat posed by the hacks somewhat, explaining that the attack on the motherboard was difficult, didnt scale well and could render the motherboard useless if a mistake was made. The second hack, he continued, is easier to detect and respond to than a method that involves directly modifying the BIOS of the motherboard.

"Our first goal is to disrupt the business model of organized counterfeiters and protect users from becoming unknowing victims," he wrote. "This means focusing on responding to hacks that are scalable and can easily be commercialized, thereby making victims out of well-intentioned customers."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

Rocket Fuel