On Friday, Microsoft Security released a reminder bulletin that the multi-vendor DNS fix posted earlier this month should be applied and applied now. Usually, Microsoft's bulletin service is used only for news about flaws and fixes for Microsoft products. But in this case, the widely read bulletin format was more or less a finger-wagging at those on the Internet who have published the nitty-gritty details about the proof-of-concept DNS flaw. The bulletin says:
Microsoft released Microsoft Security Bulletin MS08-037 on July 8, 2008, offering security updates to protect customers against Windows Domain Name System (DNS) spoofing attacks. Microsoft released this update in coordination with other DNS vendors who were also similarly impacted. Since the coordinated release of these updates, the threat to DNS systems has increased due to a greater public understanding of the attacks, as well as detailed exploit code being published on the Internet.
Microsoft is not currently aware of active attacks utilizing this exploit code or of customer impact at this time. However, attacks are likely imminent due to the publicly posted proof of concept and Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. Microsoft’s investigation of this exploit code has verified that it does not affect Microsoft customers who have installed the updates detailed in Microsoft Security Bulletin MS08-037.
Attackers who exploit the flaw gain the ability to perform DNS cache poisoning. The attack code was released Wednesday by developers of the Metasploit hacking toolkit. Prior to Metasploit's post, the code was briefly released on July 21 when someone at Matasano accidentally posted details of the flaw. Since Microsoft's portion of this historic multi-vendor patch for the DNS flaw was released on July 8, Metasploit hardly jumped the gun in publicizing the flaw. Still, because the hole was only a proof-of-concept and not one that had run rampant in the wild, the patch may not have been a high priority, even for IT organizations or ISPs that are vulnerable. An unverified comment by a Network World reader indicated that at least one large U.S. ISP had not, as of Friday, implemented the patch.
The Microsoft Security bulletin includes another subtle dig. It says that those who allow Microsoft to automatically distribute patches via the Automated Updates features in Windows are, of course, protected. For all the grief Microsoft must take over the quality of its security efforts, the team stands in the right on this one. Those who haven't applied the patch, with weeks of warning, are opening the door and inviting attack. If that's the case, you can't say you haven't been warned (and even admonished).
The Microsoft Subnet blog is the official blog of the Network World's Microsoft Subnet community, and is written by Online Community editor Julie Bort. Microsoft Subnet is the independent voice of Microsoft customers and is your gateway to daily Microsoft news, blogs, opinion, books, prize giveaways and more. Visit the Microsoft Subnet index page daily, and while you are there, subscribe to the Microsoft newsletter. The newsletter includes news generated by the Microsoft Subnet community as well as other Microsoft news stories published by Network World.