recent posts

Web Fraud 2.0: Distributing Your Malware
Opera Update Plugs Multiple Security Holes
Web Fraud 2.0: Digital Forgeries
Web Fraud 2.0: Validating Your Stolen Goods
Web Fraud 2.0: Cloaking Connections

Stories by Category

Stories By Date

related links

The Archives
Security Fix Live: Web Chats
About This Blog
Password Primer
7 Security Tips
Technology Section

syndicate

About This Blog   |   Archives   |   RSS Feeds RSS Feed   (What's RSS?)

Microsoft Warns of Attacks on Web Service Flaw

Attackers are actively exploiting a newly reported flaw in Microsoft's software that is allowing them to break into vulnerable systems, the software giant warned Thursday.

The vulnerability applies to Windows 2000 Server and Windows Server 2003 running the DNS Server Service. According to Microsoft, the flaw does not affect fully patched versions of Windows 2000, Windows XP or Windows Vista. Microsoft said it has seen "limited" attacks against this flaw, which appears to initially have been sighted on Apr. 7 in an attack on an educational institution.

The company's Redmond, Wash., headquarters says it is working "around the clock" to come up with a patch to plug the hole, but in the meantime affected customers should consider implementing the tweaks documented in the "suggested actions" of its security advisory.

Update, 1:16 p.m.: As a number of people have already noted, it is not necessary for Windows 2000 Server and Windows 2003 Server users to be running a Web site for this to be a security threat. The vulnerability is with the DNS Name Service, and specifically could be a problem for users of the aforementioned systems if they allow remote management of their DNS servers. The above text has been modified.

By Brian Krebs |  April 13, 2007; 1:30 PM ET Latest Warnings , Misc. , Safety Tips
Previous: Uncle Sam Earns "C-Minus" in Computer Security | Next: Tax Time Means Fraud Time

Comments

Please email us to report offensive comments.



Web server? DNS isn't required on a web server, it's much more likely to be found as part of an Active Directory implementation.

Posted by: Seth Bokelman | April 13, 2007 11:26 AM

While DNS is certainly required to resolve FQDNs to IP Addresses for the whole "Web" experience this security advisory has nothing to do with IIS or hosting a Website unless they are using MS DNS Server as an NS for the zone.

Posted by: Anonymous | April 13, 2007 11:39 AM

Brian -

This is an RPC attack vector on those systems with Windows DNS server running. I'm confused why the story links Microsoft web services with the DNS server. Also, you may want to clarify that it is Windows 2000 _professional_ which is not vulnerable. XP, Vista and 2000 Pro aren't vulnerable because they aren't Microsoft server class operating systems and hence not running the DNS server component.

Posted by: Andrew Storms | April 13, 2007 12:01 PM

This has nothing to do with IIS and the chance of getting this vuln exploited externally is almost nil. Or if there is a chance of getting exploited externally, you would have much bigger problems, since it would require you to expose RPC to the internet.

This is a much bigger concern internally (where RPC is not blocked), since DNS typically runs on domain controllers, which contain all user information for the entire domain. If someone gets SYSTEM access on a DC, it's game over, and you are likely looking at a complete rebuild of your AD

Posted by: Matt | April 13, 2007 12:40 PM

Hey Brian,

This is not a web server issue as DNS can be running on any Windows Server and IIS is not a requirement. In addition this cannot be exploited over the internet unless people are silly enough to allow rpc traffic from the internet into their networks.

Posted by: Steve | April 13, 2007 1:05 PM

Roflzcopters!!!!!

Posted by: Stephen | April 13, 2007 1:20 PM

SANS has more info on the issue:

More info on the Windows DNS RPC interface vulnerability
http://isc.sans.org/diary.html?storyid=2633

P.S. - not to nitpick, but the title "Microsoft Warns of Attacks on Web Service Flaw" still implies a relation to a web server. DNS is not exclusive to being using on the "web". It is typically used on internal networks in relation to Active Directory domains (thus the RPC interface).

Posted by: TJ | April 13, 2007 8:14 PM

FWIW, this vulnerability doesn't exist on unpatched 2000 pro, XP pro and Vista machines either. This is because you cannot install MS DNS on those OSs.

Posted by: Matt | April 14, 2007 1:08 AM

It is an interesting idea that everyone get knowelege from it.So please keep on it ipand also add some ideas on ur sites.

Posted by: kedir ahmed | April 14, 2007 1:40 PM

HD Moore of Metasploit has released a public exploit for this. I don't care what his reasons were but releasing something like this on a weekend is in VERY BAD TASTE! That takes a notch out of his status as a security professional.

What is most dangerous about this problem is that most Active Directory domains use the vulnerable DNS service. If you hack a Domain Controller you control EVERY computer that is a member of that domain.

This is a very serious problem.

Posted by: David Taylor | April 14, 2007 3:16 PM

The comments to this entry are closed.

 
 

©  The Washington Post Company