Zero-Day Fever

Latest zero-day attack hits Microsoft DNS servers, may be abused by botnet operators

Two zero-days in two weeks: Spring hasn't been kind to Microsoft so far. The software giant reported today that attacks have been spotted in the wild that exploit a new vulnerability... in its Domain Name Server Service.

And in case you were on spring break and missed it, the first bug -- for which Microsoft has since issued a patch -- is the Windows Animated Cursor Handling vulnerability. It's basically a bug in the way Windows handles animated cursor (.ANI) files (those cute little cursor icons).

Critics questioned why Microsoft didn't patch this vulnerability when it first learned of it late last year. Microsoft didn't go public with it until the attacks hit, and then it released a patch outside its monthly Patch Tuesday cycle, along with a few other bugs.

The so-called .ANI bug also affects Vista, and it lets remote attackers run arbitrary code on the victim's machine or cause a denial of service.

"The .ANI problem was known, but not thought to be too critical and wasn't prioritized," notes Rob Enderle, president of the Enderle Group. "The DNS bug wasn't known, but coming after the .ANI problem, will clearly get more focus. Both typically require the user to do something to make the attack work, and both can do a lot of damage if they are executed behind firewalls."

Therein lies the problem, especially for the DNS bug.

"Threats to the domain/DNS -- with all the usual dangers therein -- [are] a subset of what this vulnerability could open up," says Mark Jeftovic, founder and president of easyDNS Technologies.

David Maynor, CTO at Errata Security, says the DNS exploit won't manifest itself as a worm, but it'll make good bot ammunition. "It's perfect for bots... And if you [the attacker] are already inside a company, it could be used to extend an attacker's grasp pretty easily."

Microsoft's Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2 are all at risk of the attack. And according to published reports today, the bug is also found in Longhorn Server.

Microsoft says it may issue another off-cycle patch for this one, but in the meantime users should disable remote management over RPC for the DNS Server service using a registry-key setting; block unsolicited inbound traffic on ports 1024-5000 with IPSec or a firewall; and turn on the advanced TCP/IP filtering options on the server.

The catch: Each of these options could "break" some tools.
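As an added example (not code from the article, and not Microsoft's own guidance text), the PowerShell below audits and applies the first two interim mitigations on a current Windows Server. The article does not name the registry key or value, so `$RpcRegPath`, `$RpcValueName` and `$RpcDisabledValue` are placeholders to fill from Microsoft's advisory; the firewall rule name, the use of the NetSecurity cmdlets, and the service restart are my assumptions.

```powershell
# Added example: audit/apply the interim DNS-server mitigations from the article.
# Registry path, value name and value are PLACEHOLDERS (not given in the article);
# fill them from Microsoft's advisory before use. Run elevated on the DNS server.
param(
    [string]$RpcRegPath       = 'HKLM:\<DNS service Parameters key per advisory>',
    [string]$RpcValueName     = '<RPC management value name per advisory>',
    [int]   $RpcDisabledValue = 0,   # placeholder; use the value from the advisory
    [string]$RuleName         = 'Block inbound ports 1024-5000 (DNS zero-day mitigation)'
)

function Test-DnsRpcMitigation {
    # Report whether each mitigation is in place; returns an object, prints nothing.
    $regOk = $false
    if (Test-Path $RpcRegPath) {
        $v = (Get-ItemProperty -Path $RpcRegPath -ErrorAction SilentlyContinue).$RpcValueName
        $regOk = ($null -ne $v -and [int]$v -eq $RpcDisabledValue)
    }
    # One rule per protocol is created below, so match on the common prefix.
    $rules = Get-NetFirewallRule -DisplayName "$RuleName*" -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }
    [pscustomobject]@{
        RpcManagementDisabled = $regOk
        PortRangeBlocked      = ([array]$rules).Count -ge 2   # TCP and UDP both blocked
        DnsServiceRunning     = ((Get-Service -Name DNS -ErrorAction SilentlyContinue).Status -eq 'Running')
    }
}

function Set-DnsRpcMitigation {
    # Apply the mitigations. Blocking 1024-5000 inbound also blocks other tools that
    # use dynamically assigned ports, which is the "breakage" the article warns about.
    if (-not (Test-Path $RpcRegPath)) { New-Item -Path $RpcRegPath -Force | Out-Null }
    New-ItemProperty -Path $RpcRegPath -Name $RpcValueName -Value $RpcDisabledValue `
        -PropertyType DWord -Force | Out-Null
    foreach ($proto in 'TCP', 'UDP') {
        if (-not (Get-NetFirewallRule -DisplayName "$RuleName $proto" -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName "$RuleName $proto" -Direction Inbound -Protocol $proto `
                -LocalPort 1024-5000 -Action Block -Profile Any | Out-Null
        }
    }
    # Assumed: the registry change is read when the DNS Server service restarts.
    Restart-Service -Name DNS
}

Test-DnsRpcMitigation   # audit only; call Set-DnsRpcMitigation to apply
```

Run the audit first on a test server: if `PortRangeBlocked` flips to true and a management tool stops working, the rule, not the registry change, is the likely cause.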

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
