[dns-operations] "Cybercrooks exploiting new Windows DNS flaw"

Stasiniewicz, Adam stasinia at msoe.edu
Fri Apr 13 18:12:42 UTC 2007

This exploit looks a bit over hyped.  Relatively speaking, the exploit is no where near as bad as Code Red and equivalents.  Code Red for instance (which used an exploit in IIS) could infect a web server over TCP 80.  Since that port is needed to be open to allow visitors to the website, there would be no firewall filtering preventing exploitation.  But to be able to exploit this new vulnerability an attacker would need to access the Windows RPC ports (1024-5000) which firewalls located at network perimeters should be blocking.  Simply having access via the standard DNS ports (TCP/UDP 53) is not enough.  Because of this, the scope of the attack is limited to within LANs only.  Since this exploit only affects servers (and servers tend to be very stationary), there is little chance of an infected DNS server being moved into a network and infecting other DNS servers.  So the only realistic exploit vector would be a laptop infected with an unrelated virus using this exploit to try to spread to other computers.  But even then, on most company networks there are very few DNS servers, so one would presume that a virus would try to utilize a different attack vector that would work on more servers.  Also, the simple fact that there are relatively few Windows DNS servers (as compared to total computers running Windows or for that matter IIS) makes using this exploit very time consuming with very little results.
I think many members of the media are seeing this as the next Code Red.  Presuming that this can be exploited from the internet (which it can't; unless the firewall admin is dumber than a door knob).  Though it would be nice for Microsoft to release a out-of-cycle patch to fix this issue, I am simply not seeing the need.
My $0.02,
Adam Stasiniewicz


From: dns-operations-bounces at lists.oarci.net on behalf of Paul Vixie
Sent: Fri 4/13/2007 12:56 PM
To: dns-operations at lists.oarci.net
Subject: [dns-operations] "Cybercrooks exploiting new Windows DNS flaw"

anybody seeing evidence of this?

dns-operations mailing list
dns-operations at lists.oarci.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20070413/67780329/attachment.html>

More information about the dns-operations mailing list