So far, three worms have been detected circulating the Internet that take advantage of a vulnerability in the Windows DNS service to effectively turn a vulnerable system into a member of a botnet. Security solution providers are working to integrate protection against the worms into their various offerings.
Last week Microsoft published a security advisory regarding a serious problem with the DNS service on Windows 2000 Server and Windows Server 2003, including the Small Business Server versions. A vulnerability was discovered that could lead to remote code execution, which in turn could completely compromise the system.
The vulnerability was identified after people reported attacks against their systems. Soon after the vulnerability became public knowledge, working exploit code was published, and at the time of this writing, there are at least three sets of exploit code readily available on the Internet.
Win2K Server SP4 and Windows 2003 SP1 or SP2 are vulnerable in their default configurations, and specific reconfiguration is required in order to defend against attacks. In particular, Microsoft suggests that administrators disable the capabalitiy to remotely manage DNS over RPC by using a registry key setting. Another defensive measure is to block TCP and UDP port 445 and ports higher than 1024 at network borders. Be aware that such blocking could break various services' functionality; for example, it could affect the ability of the server to reach shared folders on other systems on the network.
Microsoft is of course monitoring the situation and working to produce security patches. The company said that it's working on 133 different patches for the problem to cover "every language for every currently supported version of Windows servers." Right now, the company is planning to release the patches during its next monthly update release, currently scheduled for May 8. However, if the situation become worse, the company might release the patches earlier.
