<HTML dir=ltr><HEAD><TITLE>[dns-operations] "Cybercrooks exploiting new Windows DNS flaw"</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.6000.16414" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText95951 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>This exploit looks a bit over hyped. Relatively speaking, the exploit is no where near as bad as Code Red and equivalents. Code Red for instance (which used an exploit in IIS) could infect a web server over TCP 80. Since that port is needed to be open to allow visitors to the website, there would be no firewall filtering preventing exploitation. But to be able to exploit this new vulnerability an attacker would need to access the Windows RPC ports (1024-5000) which firewalls located at network perimeters should be blocking. Simply having access via the standard DNS ports (TCP/UDP 53) is not enough. Because of this, the scope of the attack is limited to within LANs only. Since this exploit only affects servers (and servers tend to be very stationary), there is little chance of an infected DNS server being moved into a network and infecting other DNS servers. So the only realistic exploit vector would be a laptop infected with an unrelated virus using this exploit to try to spread to other computers. But even then, on most company networks there are very few DNS servers, so one would presume that a virus would try to utilize a different attack vector that would work on more servers. Also, the simple fact that there are relatively few Windows DNS servers (as compared to total computers running Windows or for that matter IIS) makes using this exploit very time consuming with very little results.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>I think many members of the media are seeing this as the next Code Red. Presuming that this can be exploited from the internet (which it can't; unless the firewall admin is dumber than a door knob). Though it would be nice for Microsoft to release a out-of-cycle patch to fix this issue, I am simply not seeing the need.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2> </FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>My $0.02,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Adam Stasiniewicz<BR></FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> dns-operations-bounces@lists.oarci.net on behalf of Paul Vixie<BR><B>Sent:</B> Fri 4/13/2007 12:56 PM<BR><B>To:</B> dns-operations@lists.oarci.net<BR><B>Subject:</B> [dns-operations] "Cybercrooks exploiting new Windows DNS flaw"<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>anybody seeing evidence of this?<BR><BR><A href="http://news.com.com/2100-7349_3-6175743.html">http://news.com.com/2100-7349_3-6175743.html</A><BR>_______________________________________________<BR>dns-operations mailing list<BR>dns-operations@lists.oarci.net<BR><A href="http://lists.oarci.net/mailman/listinfo/dns-operations">http://lists.oarci.net/mailman/listinfo/dns-operations</A><BR></FONT></P></DIV></BODY></HTML>