Hackers Attacking New Microsoft Zero-Day Bug

Unlike a Microsoft vulnerability on a desktop that affects a single user, this zero-day DNS bug could affect a company's entire roster of employees.

Sharon Gaudin, Contributor

April 13, 2007

3 Min Read

A zero-day vulnerability in several of Microsoft's server products could enable a hacker to divert the Web traffic of not just a single user but of a company's entire roster of employees, the company warned this week.

Microsoft released an advisory late Thursday warning users that it is investigating a "limited" number of attacks that are exploiting a vulnerability in the Domain Name System (DNS) Server Service. The bug could affect servers running Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 SP 1, and Windows Server 2003 SP 2.

The advisory states that Windows Vista, along with Microsoft Windows 2000 Professional SP 4 and Windows XP SP 2, do not contain the flawed code, and so they are not affected.

The exploits started to appear on the Internet mid-week.

"This is pretty dangerous," said Amol Sarwate, manager of the vulnerability research lab at Qualys, Inc., a security company based in Redwood Shores, Calif. "This is not a desktop problem but a server problem, so it will affect all of the users in a company that use that server."

Sarwate explained in an interview that the flaw affects the DNS server, which translates names into IP addresses. For example, when a user types "www.yahoo.com" into her browser, the DNS server translates that text address into an IP address so the request can be routed through to the correct servers. The buffer overflow bug is in the remote management component of the DNS.

Microsoft noted in its advisory that the bug enables remote code execution, which the company generally ranks as a critical security risk.

"These servers are in data centers so [by exploiting this flaw] an attacker can change a DNS setting so that when I type yahoo.com in, my browser will not go there but it will go to a site the hacker wants me to go to," he said, noting that users would most likely be diverted to a malicious Web site where they would be infected with malware.

The Internet Storm Center noted in its daily diary Friday that Microsoft is offering up a few workarounds, which by definition are not patches, but ways to run the software while mitigating some of the risk. Users can disable remote management for the DNS server. They also can block unsolicited inbound traffic on ports 1024-5000 using IPSec or other firewalls, and they can enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server.

Sarwate said he is recommending that users employ the work-arounds until a patch is released, but noted that applying at least one of them could be tricky. He pointed out that it would be problematic to disable remote management of the DNS server since most of these servers are typically management remotely since they're often located off in a data center.

The U.S.-CERT announced that it too is investigating the vulnerability.

Microsoft customers who believe they've been affected by this exploit can seek information through the company's Security Help Web site.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights