Post Wed Apr 18, 2007 2:10 pm

Microsoft Urges Workaround as Worm Hits Unpatched DNS Flaw

With a worm exploiting the unpatched zero-day vulnerability in Microsoft's Domain Name System Service mere days after it was discovered, Microsoft on Monday urged customers to apply workarounds the company had provided in its earlier security advisory.

The W32/Delbot-AI worm, aka Nirbot or Rinbot, is infecting PCs via a vulnerability in the way the Windows DNS Server's RPC (Remote Procedure Call) interface has been implemented. Attackers are sending a crafted RPC packet to vulnerable PCs, turning them into zombie systems from which attackers can steal information and which they can control as nodes in a botnet.

As of Monday, the MSRC's Christopher Budd was still downplaying the effects of the worm, saying that the attack "does not appear widespread." Regardless, deploying workarounds provided in the security advisory to mitigate this unpatched zero-day attack should be a priority, he said. "By quickly deploying the workarounds customers can mitigate the risk of an effective attack on their networks," he writes. "Once again, we want to strongly advise customers to deploy the workarounds in their environment as soon as possible."

Microsoft in particular is urging customers to deploy a registry key workaround and to deploy the latest signatures for their security products.

Microsoft has updated its advisory three times since it was posted last week, and a spokesperson for the company told eWEEK that another update is coming via the MSRC blog sometime tonight.

The news of the worm attack comes only a week after Microsoft issued patches for critical vulnerabilities on its monthly Patch Tuesday. On top of those patches, subsequent reports of bugs in Microsoft Office appeared, and Microsoft's security team have also been busy investigating attacks aimed at Vista's OEM BIOS activation feature.

"The computer underground appear to be revelling in waiting until Microsoft has released its monthly batch of patches, before unleashing their latest attacks," said Graham Cluley, senior technology consultant for Sophos, in a post. "It's not just businesses who are being affected by this, but Microsoft will not be enjoying having the security of their software brought into question again."

As for the timing of a patch, a Microsoft spokesperson couldn't give eWEEK a timeline. The MSRC's Budd said in his Monday post that teams are working "around the clock" on the update and are monitoring the situation along with the company's MSRA partners.

"As soon as we have any new information, we'll update you through the advisory and the MSRC weblog," he wrote.


For original story:
http://securitywatch.eweek.com/exploits ... _flaw.html

Don
CISSP, MCSE, CSTA, Security+ SME