Microsoft claims Vista and XP do not contain the vulnerable code

Apr 13, 2007 07:45 GMT

Windows Vista has dodged a fresh vulnerability affecting the Windows platform. According to the Redmond company, limited and targeted attacks have been detected against a vulnerability in the Domain Name System (DNS) Server Service. In the wake of the Microsoft April patch cycle, this would have been the third flaw impacting Windows Vista. However, Microsoft has claimed from the get-go that Vista users have nothing to worry about.

"Our investigation has shown that this affects Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Microsoft 2003 Service Pack 2. Because this is a server service, Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as they do not contain the vulnerable code," revealed Adrian Stone with the Microsoft Security Response Center.

If successfully exploited, this newly reported Windows zero-day vulnerability allows remote arbitrary code execution "in the security context of the Domain Name System Server Service," according to Microsoft's initial analysis. The Redmond company has warned Windows 2000 Server SP4, Windows Server 2003 SP1, and Microsoft 2003 SP2 customers that exploits will deliver full privileges on the local system.

At this point, Microsoft has not announced a date on which a fix for the RPC on Windows DNS Server vulnerability will be made available. The Redmond company could tackle the issue either with an out-of-cycle security update or via its monthly patch release process. Microsoft will offer its next security bulletins on May 8, 2007.

"We've activated our Software Security Incident Response Process (SSIRP) to investigate and have identified steps customers can take to protect themselves in the workaround section. Our teams are working hard on a security update to address the vulnerability. In the meantime, we encourage customers to review the advisory and implement the workarounds," Stone added.