Several workarounds are available

Apr 16, 2007 08:30 GMT

April 2007 has been anything but kind to Microsoft. In this context, March, a month in which the Redmond company did not release a single security update, proved to be the calm before the storm. This month Microsoft has already been confronted with two zero-day vulnerabilities.

On April 3, 2007, Microsoft released an out-of-cycle security update to address the .ANI file format handling vulnerability. The Windows Animated Cursor Handling flaw was reported to Microsoft in December 2006, but the company only patched it at the beginning of this month, together with six other less severe but related flaws.

On April 12, Microsoft Security Advisory (935964) warned of a vulnerability in RPC on Windows DNS Server that could result in remote code execution in the event of a successful attack. According to the company, Windows Vista is not affected by this latest zero-day. Microsoft claimed that it was aware of limited and targeted attacks, and that the situation has not changed.

"Our teams are continuing their work to develop a security update to address this issue. Our ongoing monitoring of attacks in conjunction with our MSRA partners indicates that attacks are still limited. We are aware though of public disclosure of proof of concept code to exploit the vulnerability. We continue to urge customers to deploy the workarounds in their environments as quickly as possible," said Christopher Budd, Security Product Manager with the MSRC.

As of now, a security patch is not available, but Microsoft has proposed a series of workarounds designed to mitigate the issue:

- Disable remote management over RPC capability for DNS Servers through the registry key setting;
- Manage Deployment Scripts;
- Block TCP and UDP port 445 as well as all unsolicited inbound traffic on ports greater than 1024;
- Enable advanced TCP/IP filtering on systems;
- Block TCP and UDP port 445 as well as affected ports greater than 1024 by using IPsec on the affected systems.
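The port-blocking workarounds are easy to apply only partially, for example by covering TCP but not UDP or only part of the range above 1024. The following added example (not from Microsoft's advisory or the original article) audits an inbound filter list for such gaps. The rule format, the first-match semantics, the default-allow policy and both sample rule sets are assumptions constructed for illustration, and only unsolicited inbound traffic is modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:              # hypothetical rule format, not a real firewall syntax
    action: str          # "allow" or "block"
    proto: str           # "tcp", "udp" or "any"
    lo: int              # first destination port covered
    hi: int              # last destination port covered

def verdict(rules, proto, port, default="allow"):
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if r.proto in (proto, "any") and r.lo <= port <= r.hi:
            return r.action
    return default

def exposed_ranges(rules, proto, lo, hi, default="allow"):
    """Merged (start, end) port ranges within lo..hi that are still allowed."""
    gaps, start = [], None
    for port in range(lo, hi + 1):
        is_open = verdict(rules, proto, port, default) == "allow"
        if is_open and start is None:
            start = port
        elif not is_open and start is not None:
            gaps.append((start, port - 1))
            start = None
    if start is not None:
        gaps.append((start, hi))
    return gaps

def audit(rules, default="allow"):
    """Check port 445 and every port greater than 1024, for TCP and UDP."""
    return {proto: exposed_ranges(rules, proto, 445, 445, default)
                   + exposed_ranges(rules, proto, 1025, 65535, default)
            for proto in ("tcp", "udp")}

# Constructed sample: TCP only, and only part of the high range is covered.
WEAK = [Rule("block", "tcp", 445, 445), Rule("block", "tcp", 1025, 5000)]

# Constructed sample: DNS service port stays open, both protocols are blocked
# on 445 and on the whole range above 1024.
HARDENED = [Rule("allow", "any", 53, 53),
            Rule("block", "any", 445, 445),
            Rule("block", "any", 1025, 65535)]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(rules))
```

An empty list for both protocols means the filter list matches the workaround as worded; any range reported is still reachable by unsolicited inbound traffic.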

"As always, we're continuing to work around the clock to monitor the situation closely, continue our technical investigations and develop a security update to address this issue," Budd added, although he did not provide a release date for a fix. Microsoft's upcoming monthly patch cycle is scheduled for May 8, although, if the situation escalates, an out-of-band update will be delivered.