An zero-day vulnerability in the DNS server service in Windows is under attack, Microsoft warned in a security advisory.
The "limited attacks" are exploiting a stack overflow error in the Windows Domain Name System (DNS) Server's RPC interface implementation when processing malformed requests sent to a port between 1024 and 5000.
The flaw allows remote unauthenticated attackers to execute arbitrary code with SYSTEM privileges by sending a specially crafted request to a vulnerable system.Affected Windows versions include:
- Windows 2000 Server Service Pack 4
- Windows Server 2003 Service Pack 1
- Windows Server 2003 Service Pack 2.
Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.
In its pre-patch advisory, Microsoft has issued the following recommendations:
- Disable remote management over RPC capability for DNS Servers via a registry key setting. Instructions are available in "suggested actions" section of the advisory.
- Block all unsolicited inbound traffic on ports between 1024 to 5000. Because the RPC interface of Windows DNS is bound to a port in this range, locking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. (George Ou has more on this, including instructions on firewall filtering).
- Enable advanced TCP/IP filtering on systems to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Knowledge Base article 309798.
- Block the affected ports 1024 to 5000 by using IPsec on the affected systems. Detailed information about IPsec and about how to apply filters is available in Knowledge Base article 313190 and Knowledge Base article 813878.
I have not seen public exploit code at any of the usual research Web sites but, as this issue escalates (as it surely will), proof-of-concepts will be made available.