No Patch Yet for DNS Flaw
Published: April 25, 2007
by Alex Woodie
Microsoft is still working to patch the DNS flaw in Windows Server 2003 and Windows 2000 Server that hackers began exploiting weeks ago. The software giant is committed to delivering a patch by May 8, the date of the next Patch Tuesday event. Meanwhile, Microsoft security researchers have posted a new workaround that administrators can use to disable Windows' vulnerable bits and protect their servers from DNS exploits.
Reports of attacks utilizing a flaw in the DNS Server Service in Windows 2000 Server service pack 4 and Windows Server 2003 SP1 and SP2 started trickling in the first week in April. On April 12, Microsoft published its first security advisory and workarounds for the flaw.
Soon thereafter, the first packaged exploit was discovered on the Web, with several more exploits of the genus Siveras (as Microsoft refers to it) popping up last week (currently, Microsoft counts five Siveras variants circulating the Web). As more information about the flaw was published and workarounds were posted, it enabled hackers and malware writers to find new and creative ways of exploiting the flaw. Such is the modern world of network security.
The good news appears to be that few organizations are being hit with DNS flaw exploits, and instances of DNS exploits on the Web appear to be relatively low. Indeed, according to security researchers, malware writers are still busy developing exploits for the ANI Animated Cursor Flaw, which Microsoft fixed with an out-of-band patch in early April. Microsoft has given the DNS flaw and its associated Siveras exploits a "moderate" severity rating, and says attacks are not common.
Just the same, independent security experts are wary of the flaw, and have put more urgency behind it than Microsoft, which is not uncommon. What's more, security experts are concerned that hackers are exploiting the flaw to build a network of compromised machines, or a botnet army, that could be used to launch other attacks. Hackers could be keeping DNS-exploited machines in their back pockets for the future. Events do not move linearly in the security world, and today's vulnerabilities are likely to be the bases for tomorrow's attacks.
Meanwhile, Microsoft developers are working "around the clock" to fix the flaw and test the patches, according to Microsoft security program manager Christopher Budd's postings to the Microsoft Security Response Center team blog. At first, Budd said Microsoft would release a patch by May 8, the next regularly scheduled Patch Tuesday, if not sooner.
More recent posts hint that the delivery of the patch may be later, not sooner. "As of tonight, the situation remains unchanged," Budd wrote on the MSRC blog Sunday night. "We don't have any new estimates on release timelines. I can say that our ongoing testing so far has not raised any issues that would make us believe we might be looking at a longer timeline." The attacks, Budd wrote for the fourth team in two weeks, "are still not widespread."
So, in the face of a less-than-daunting DNS flaw threat, it appears that Microsoft has chosen to take it's time with the patch. In lieu of mass casualties from the DNS flaw, that may turn out to be a good decision. That's because this patch, when it appears, will likely be a mega-patch. According to Budd, Microsoft is developing and testing 133 separate iterations of the patch, to address all possible versions and languages. Doing quality assurance (QA) on such an update is a tedious, time-consuming task that is easy to mess up.
Perhaps Microsoft is applying a lesson it learned with the patch for the ANI Animated Cursor Flaw, which it delivered as a rare out-of-band patch on April 3, a week before its regularly scheduled Patch Tuesday event. Microsoft didn't do enough testing on the ANI patch and overlooked incompatibilities between the patch and several third-party products, including Realtek HD Audio Control Panel, Suunto Ski Manager, and BMC Software Patrol, among others. Microsoft has since posted updates to those problems, which can be viewed at Knowledge Base article 935448.
Meanwhile, Microsoft has also found other ways that users can mitigate the DNS flaw in lieu of a patch. On Friday, the company posted Knowledge Base article 936263, which details a new way users can protect themselves from the DNS flay by disabling remote management of the DNS Server service. The adjustments are made by changing the registry.
Windows Server DNS Flaw Being Exploited
Microsoft Patches Animated Cursor Flaw in Windows
Post this story to del.icio.us
Post this story to Digg
Post this story to Slashdot