Zero-Day Fever

Latest zero-day attack hits Microsoft DNS servers, may be abused by botnet operators

Two zero-days in two weeks: Spring hasn't been kind to Microsoft so far. The software giant reported today that attacks have been spotted in the wild exploiting a new, still-unpatched vulnerability in the RPC management interface of the DNS Server service that ships with its Windows server products.

And in case you were on spring break and missed it, the first bug -- for which Microsoft has since issued a patch -- is the Windows Animated Cursor Handling vulnerability: a flaw in the way Windows parses animated cursor (.ANI) files (those cute little cursor icons).

Critics questioned why Microsoft didn't patch this vulnerability when it first learned of it late last year. Microsoft didn't go public with it until the attacks hit, and then released the fix outside its monthly Patch Tuesday cycle, bundled with fixes for a few other bugs.

The so-called .ANI bug also affects Vista. It lets a remote attacker run arbitrary code on the victim's machine, or crash it in a denial-of-service attack, once the victim views a malicious cursor file, typically delivered through a Web page or an e-mail message.

"The .ANI problem was known, but not thought to be too critical and wasn't prioritized," notes Rob Enderle, president of the Enderle Group. "The DNS bug wasn't known, but coming after the .ANI problem, will clearly get more focus. Both typically require the user to do something to make the attack work, and both can do a lot of damage if they are executed behind firewalls."

Therein lies the problem, especially for the DNS bug.

"Threats to the domain/DNS -- with all the usual dangers therein -- [are] a subset of what this vulnerability could open up," says Mark Jeftovic, founder and president of easyDNS Technologies.

David Maynor, CTO at Errata Security, says the DNS exploit won't manifest itself as a worm, but it'll make good bot ammunition. "It's perfect for bots... And if you [the attacker] are already inside a company, it could be used to extend an attacker's grasp pretty easily."

Microsoft's Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2 are all at risk of the attack. And according to published reports today, the bug also is found in Longhorn Server. Client versions of Windows (Windows 2000 Professional, XP, and Vista) don't ship the DNS Server service and so aren't exposed to it.

Microsoft says it may issue another off-cycle patch for this one, but in the meantime it recommends three workarounds: disable remote management over RPC for the DNS Server service via a registry-key setting, which leaves the management interface reachable only from the local machine; block inbound unsolicited traffic on ports 1024-5000 -- the range in which the RPC endpoint mapper hands out dynamic ports on these versions of Windows -- with IPsec or a firewall; and turn on the advanced TCP/IP filtering options on the server.

The catch: Each of these options could "break" some tools, remote DNS management consoles and other RPC-based administration in particular.
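As an added illustration, not code from Microsoft or from this article, here is the first workaround (the registry change that confines the DNS management RPC interface to local calls) as a cmd batch script, together with the two checks an administrator would want to run afterward. The registry key, value name and bitmask are the ones in Microsoft's published workaround; the backup file name, the service-name assumption and the PID-based listener check are this example's own.

```batch
@echo off
setlocal
REM Added example, not Microsoft's own script: apply and verify the
REM "disable remote management over RPC" workaround for the DNS Server service.
REM Assumes: run from an administrative command prompt on an affected DNS server,
REM the service is registered under its default name "DNS", and reg.exe is
REM available (built into Windows Server 2003; on Windows 2000 it comes from
REM the Resource Kit / Support Tools).

set KEY=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
set BACKUP=%TEMP%\dns-parameters-backup.reg

REM Keep a copy of the current key so the change can be reverted with "reg import".
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"

REM RpcProtocol is a bitmask of the transports the DNS management RPC interface
REM listens on: 1 = TCP/IP, 2 = named pipes, 4 = LPC (local procedure call only).
REM Setting it to 4 removes the network-reachable RPC endpoint that the in-the-wild
REM attacks target. Remote DNS MMC and remote dnscmd use will stop working.
reg add "%KEY%" /v RpcProtocol /t REG_DWORD /d 4 /f
if errorlevel 1 (
    echo Could not write RpcProtocol; nothing changed.
    exit /b 1
)

REM The value is read at service start, so restart the DNS Server service.
net stop DNS
net start DNS

REM Check 1: the value is really set.
reg query "%KEY%" /v RpcProtocol

REM Check 2 (Windows Server 2003 only; tasklist and netstat -o are not on
REM Windows 2000): dns.exe should now own no TCP listener in the 1024-5000
REM dynamic RPC range, only the expected port 53 listeners.
set DNSPID=
for /f "tokens=2" %%p in ('tasklist /fi "imagename eq dns.exe" /nh /fo table ^| findstr /i "dns.exe"') do set DNSPID=%%p
if not defined DNSPID (
    echo dns.exe not found; is the DNS Server service running?
    exit /b 1
)
echo TCP listeners owned by dns.exe (PID %DNSPID%):
netstat -ano -p tcp | findstr /c:"LISTENING" | findstr /e /c:" %DNSPID%"
endlocal
```

To revert, run `reg import` on the backup file (or delete the RpcProtocol value) and restart the service. The IPsec/firewall block on ports 1024-5000 and the TCP/IP filtering options are separate steps; the registry change alone closes the remote RPC path, but the port block is still worth applying as defense in depth until the patch ships.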

— Kelly Jackson Higgins, Senior Editor, Dark Reading
