Softpedia
 


November 19th, 2007, 16:30 GMT · By

Is That a Hole in Windows DNS?

On November 13, Microsoft patched a DNS vulnerability that, if successfully exploited, would allow spoofing. It took Microsoft more than a year to plug the hole, initially reported by Alla Bezroutchko of Scanit and then by Amit Klein of Trusteer. Still, at this point in time, Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems are no longer vulnerable once Microsoft Security Bulletin MS07-062 has been installed.

The Redmond company labeled the security hole with a maximum severity rating of Important, as there is no possibility of remote code execution. Still, Rob Keith, Symantec Security Response Engineer, made it clear that the flaw allows attackers to perform phishing attacks via DNS redirection. Such attacks do not involve a social engineering scheme, as users are simply taken to malicious websites instead of legitimate ones. Such a scenario highlights the security risks associated with spoofing and phishing, exposing the user to both data and financial loss. But because the poisoned DNS takes the "phish" out of the equation, and in combination with a malformed SSL certificate, the user will have no reason to suspect that the website asking for his credentials, credit card details, etc. is not legitimate.

"In a nutshell, the vulnerability allows an attacker to poison the DNS cache of a vulnerable server. This enables the attacker to direct unsuspecting victims to an attacker-specified IP address instead of to the expected site. The problem occurs when the server does a recursive lookup for a DNS request. Since DNS requests occur over UDP, they require a method to track and validate responses (a transaction ID). However, attackers can easily guess the transaction ID used on Windows Server 2000 and 2003 systems. A simple mathematical algorithm supplied with two to three previous IDs can reveal the next ID. The attacker can exploit this to impersonate a legitimate response and then poison the DNS cache," Keith explained.
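The quote above notes that a recursive resolver must track and validate UDP responses by transaction ID. The following Python code is an added example, not code from the article, Microsoft or Symantec: it draws each ID from the operating system's CSPRNG, so earlier IDs reveal nothing about the next one, and accepts a reply only when the ID, server address, local port and question all match an outstanding query. The random source port and the names `PendingQueries`, `build_query` and `parse_reply` are assumptions of this example.

```python
import secrets
import struct

def build_query(txid, qname):
    """Encode a minimal DNS query: one question, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_reply(packet):
    """Return (txid, is_response, qname), or None if the packet is malformed."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    pos, parts = 12, []
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):
            return None  # compression pointer or truncated label in the question
        parts.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    if qdcount != 1 or pos >= len(packet):
        return None
    return txid, bool(flags & 0x8000), ".".join(parts)

class PendingQueries:
    """Hypothetical resolver-side table of outstanding recursive lookups."""
    def __init__(self):
        self._pending = {}  # txid -> (server_ip, src_port, qname)

    def new_query(self, server_ip, qname):
        # CSPRNG output: observing earlier IDs does not help predict this one.
        txid = secrets.randbelow(1 << 16)
        while txid in self._pending:
            txid = secrets.randbelow(1 << 16)
        src_port = 1024 + secrets.randbelow(65536 - 1024)  # assumption: random port too
        self._pending[txid] = (server_ip, src_port, qname.lower())
        return txid, src_port

    def accept(self, packet, from_ip, to_port):
        parsed = parse_reply(packet)
        if parsed is None or not parsed[1]:  # malformed, or QR bit not set
            return False
        txid, _, qname = parsed
        if self._pending.get(txid) != (from_ip, to_port, qname):
            return False  # unknown ID, wrong server, wrong port or wrong question
        del self._pending[txid]  # one answer per query; later copies are dropped
        return True
```
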
