Latest zero-day attack hits Microsoft DNS servers, may be abused by botnet operators

Two zero days in two weeks: Spring hasn't been kind to Microsoft so far. The software giant reported today that some attacks have been spotted in the wild that exploit a new vulnerability... in its Domain Name Server Service.

And in case you were on spring break and missed it, the first bug -- for which Microsoft has since issued a patch -- is the Windows Animated Cursor Handling. It's basically a bug in the way Windows handles animated cursor (.ANI) files (those cute little cursor icons).

Critics questioned why Microsoft didn't patch this vulnerability when it first learned of it late last year. Microsoft didn't go public with it until the attacks hit, and then it released a patch outside its monthly Patch Tuesday cycle, along with a few other bugs.

The so-called .ANI bug also affects Vista, and it lets remote attackers run arbitrary code on the victim's machine, or set off a denial-of-service attack.

"The .ANI problem was known, but not thought to be too critical and wasn't prioritized," notes Rob Enderle, president of the Enderle Group. "The DNS bug wasn't known, but coming after the .ANI problem, will clearly get more focus. Both typically require the user to do something to make the attack work, and both can do a lot of damage if they are executed behind firewalls."

Therein lies the problem, especially for the DNS bug.

"Threats to the domain/DNS -- with all the usual dangers therein -- [are] a subset of what this vulnerability could open up," says Mark Jeftovic, founder and president of easyDNS Technologies.

David Maynor, CTO at Errata Security, says the DNS exploit won't manifest itself as a worm, but it'll make good bot ammunition. "It's perfect for bots... And if you [the attacker] are already inside a company, it could be used to extend an attacker's grasp pretty easily."

Microsoft's Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Microsoft 2003 Service Pack 2 are all at risk of the attack. And according to published reports today, the bug also is found in Longhorn Server.

Microsoft says it may issue another off-cycle patch for this one, but in the meantime users should disable remote management over RPC for the DNS server using a registry-key setting; block inbound (and unsolicited) traffic on ports 1024-5000 with IPSec or a firewall; and turn on the advanced TCP/IP filtering options on the server.

The catch: Each of these options could "break" some tools.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights