Zero-Day Fever

Latest zero-day attack hits Microsoft DNS servers, may be abused by botnet operators

Two zero days in two weeks: Spring hasn't been kind to Microsoft so far. The software giant reported today that attacks have been spotted in the wild exploiting a new, as yet unpatched vulnerability in the remote-procedure-call (RPC) management interface of its DNS Server service.

And in case you were on spring break and missed it, the first bug, for which Microsoft has since issued a patch, is in Windows Animated Cursor handling: a flaw in the way Windows parses animated cursor (.ANI) files (those cute little cursor icons).

Critics questioned why Microsoft didn't patch this vulnerability when it first learned of it late last year. Microsoft didn't go public with it until the attacks hit, and then released the fix outside its monthly Patch Tuesday cycle, bundled with fixes for a few other bugs.

The so-called .ANI bug also affects Vista. A crafted cursor file, delivered through a Web page or an email message, lets a remote attacker run arbitrary code on the victim's machine or trigger a denial of service.

"The .ANI problem was known, but not thought to be too critical and wasn't prioritized," notes Rob Enderle, president of the Enderle Group. "The DNS bug wasn't known, but coming after the .ANI problem, will clearly get more focus. Both typically require the user to do something to make the attack work, and both can do a lot of damage if they are executed behind firewalls."

Therein lies the problem, especially for the DNS bug.

"Threats to the domain/DNS -- with all the usual dangers therein -- [are] a subset of what this vulnerability could open up," says Mark Jeftovic, founder and president of easyDNS Technologies.

David Maynor, CTO at Errata Security, says the DNS exploit won't manifest itself as a worm, but it'll make good bot ammunition. "It's perfect for bots... And if you [the attacker] are already inside a company, it could be used to extend an attacker's grasp pretty easily."

Microsoft's Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2 are all exposed to the attack. And according to published reports today, the bug is also present in Longhorn Server, the pre-release version of the next Windows Server. Client versions of Windows don't ship the DNS Server service and so are not affected.

Microsoft says it may issue another off-cycle patch for this one. In the meantime, its recommended workarounds are to disable remote management over RPC for the DNS Server service via a registry setting; to block unsolicited inbound traffic to ports 1024-5000 (the dynamic range in which RPC endpoints listen) with IPSec or a firewall; and to turn on the advanced TCP/IP filtering options on the server.

The catch: Each of these workarounds breaks something. Turning off RPC management means the server can no longer be administered remotely with the DNS console or dnscmd, only locally; and blocking the dynamic RPC port range on a domain controller that also runs DNS will interfere with Active Directory replication and other RPC-based services unless those are specifically exempted.
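The first of those workarounds, as an added example that is not part of the Dark Reading article and is not Microsoft's own script: the steps an administrator would type at a cmd.exe prompt on a Windows 2000/2003 DNS server to turn off remote RPC management, restart the service, and verify the result. The value name RpcProtocol under the DNS service's Parameters key, and the meaning of the value 4 (local procedure calls only), are assumptions drawn from the advisory's description of the registry workaround; confirm them against the current Microsoft advisory before relying on them.

```batch
@echo off
REM Added example (not from the article, not Microsoft's script): the
REM "disable remote management over RPC" workaround for the DNS Server
REM service, typed at an administrator cmd.exe prompt on Windows 2000/2003.
REM Assumptions: the value is RpcProtocol (REG_DWORD) under the DNS service's
REM Parameters key, and 4 restricts the management interface to local
REM procedure calls only. Check the Microsoft advisory before relying on this.

set DNSKEY=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

REM 1. Keep a copy of the key so the change can be rolled back later.
reg export "%DNSKEY%" "%SystemRoot%\Temp\dns-parameters-before.reg"

REM 2. Restrict the DNS Server service's RPC management interface to LPC.
reg add "%DNSKEY%" /v RpcProtocol /t REG_DWORD /d 4 /f

REM 3. The setting is read at service start, so restart the DNS service.
REM    Resolution on port 53 is interrupted only for the restart itself.
net stop dns
net start dns

REM 4. Verify the value stuck: the output should show RpcProtocol as 0x4.
reg query "%DNSKEY%" /v RpcProtocol

REM 5. Confirm dns.exe still listens on port 53 but has no listener in the
REM    dynamic RPC range: capture its PID, then list only its sockets.
set DNSPID=
for /f "tokens=2" %%p in ('tasklist /fi "imagename eq dns.exe" /nh') do set DNSPID=%%p
if not defined DNSPID (
    echo dns.exe is not running - check the service before continuing
    exit /b 1
)
echo dns.exe PID is %DNSPID%; expect only port 53 entries below:
netstat -ano | findstr /r /c:" %DNSPID%$"

REM Rollback, only if remote management must be restored before the patch:
REM   reg import "%SystemRoot%\Temp\dns-parameters-before.reg"
REM   net stop dns ^&^& net start dns
```

The script deliberately leaves the second and third workarounds alone. Blocking ports 1024-5000 is a perimeter-firewall or IPSec policy decision that depends on what else the server does (on a domain controller, a blanket block on that range takes Active Directory replication down with it), and advanced TCP/IP filtering is configured per adapter in the network properties dialog; neither is a one-line change that belongs in a batch file run without review. After the patch is applied, re-import the exported key and restart the service if remote management with the DNS console or dnscmd is needed again.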

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • Errata Security
  • Enderle Group
