More information on Microsoft Security Advisory 935964

Hello everyone,

This is Christopher Budd. As Adrian noted last night, we posted Microsoft Security Advisory 935964 with information customers can use to protect themselves against the vulnerability in Windows DNS server. While we have no new information about the situation from last night, I did want to give some additional detail and clarification to customers.

First, though, I want everyone to know that we are actively working around the clock on a security update to address this issue.  

While we’re working on this update we want to encourage customers to deploy the workarounds discussed in the advisory, especially the registry key workaround. To be clear, the workarounds in the advisory are effective protections against network-based attacks on the vulnerability.

We have also made information available to our partners in the Microsoft Security Response Alliance (MSRA) so they can build protections for customers into their products. We expect to see additional protections from these partners soon, so we encourage you to update your security products’ signatures as soon as updates are available.

I wanted to give you some more details today about:

· Information about the attacks

· Information about the vulnerability

· Information about workarounds

· Conclusion

Information about the attacks

The information we initially got about suspicious behavior on DNS servers was partial. It began with a report from the Computing Services’ Information Security Office at Carnegie Mellon, which reached us through our Customer Service and Support organization late Friday April 6, 2007. We then contacted the SANS Internet Storm Center on Saturday April 7, 2007 regarding that report and requested additional information. We want to thank everyone who has worked with us throughout this issue to help protect customers.

We immediately initiated our Software Security Incident Response Process (SSIRP) with this partial information. We worked hard over the next few days to understand the issue and by late Wednesday April 11, 2007, we had been able to determine that there was a new vulnerability affecting Windows DNS Server.

Our teams worked overnight to identify workarounds that could protect customers while we worked on an update. Last night, as soon as we completed testing, we published Microsoft Security Advisory 935964 with that information. Our goal was to have this information available before the weekend for all our customers so they could take action to protect themselves.

As of today, our monitoring indicates that this is a limited attack. We are continuing to monitor and working with our partners in the MSRA to watch this situation closely.

Information about the vulnerability

Our investigation has identified that the vulnerability occurs in the processing of RPC traffic by the Windows DNS Server service. The DNS Server service is only available on Windows server systems, not on client systems, and it is not enabled by default on every Windows server system. It is usually enabled on systems such as dedicated DNS servers, Domain Controllers and Microsoft Small Business Server, among others. When deploying the workarounds, you only need to deploy them to systems running the DNS Server service, not to all of your Windows server systems.

Even though the vulnerability is in the DNS Server service, it cannot be attacked over standard DNS traffic on port 53. An attempt to exploit the vulnerability has to be made over RPC, which uses dynamically assigned ports above 1024. As a best practice, unsolicited inbound traffic to these ports should be blocked at the perimeter, and blocking them is one of the workarounds we call out in the advisory.

Information about workarounds

One question has been around the information we provided in our workarounds. We write all our technical information about vulnerabilities with one goal in mind: protecting customers. We always try to provide only the information about vulnerabilities that helps customers determine their risk and protect themselves effectively. We always try to balance that with not providing so much information as to put customers at risk.

For our advisory we developed our workarounds directly in response to the information in the public attack: the level of detail we’ve given makes the workaround fully effective at protecting against the public attacks.

We especially want to encourage people to evaluate the workaround “Disable remote management over RPC capability for DNS Servers through the registry key setting”. Based on our testing, that is the best workaround we can recommend at this point in the investigation. The advisory includes information on how you can write a script to deploy the registry key workaround. When the security update is released it will not reset this value; the advisory explains how to reset it yourself.

Tonight we have added information to the advisory that you can use to tailor the registry key workaround to your requirements and risk assessment. We have also clarified the firewall workaround regarding which ports you should block, and added new information on how you can preserve DNS management functionality.
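As an added example (not part of the original post or of the advisory's own script), the following PowerShell applies the registry key workaround with a verification step and a rollback, since the security update will not reset the value. The key path (HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters), the RpcProtocol DWORD, the value 4, and the bitmask meanings (0x1 TCP/IP, 0x2 named pipes, 0x4 local LPC only) are taken from Microsoft Security Advisory 935964 as the editor recalls it and should be confirmed against the current advisory text before deployment; the function names and the assumption that deleting the value restores the default behaviour are the editor's own.

```powershell
# Added example: registry key workaround from MS Security Advisory 935964.
# Key, value name and bit meanings are assumptions to confirm against the advisory.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'

# Assumed bitmask (per the advisory): 0x1 = RPC over TCP/IP,
# 0x2 = RPC over named pipes, 0x4 = RPC over LPC (local management only).
$RpcLpcOnly = 4

function Set-DnsRpcProtocol {
    param([int]$Value = $RpcLpcOnly)

    # Only DNS servers need the workaround; skip hosts without the service.
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        Write-Host 'DNS Server service not present on this host; nothing to do.'
        return
    }

    $existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host ('Previous {0} = {1}' -f $ValueName, $existing.$ValueName)
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value -Type DWord
    } else {
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value -PropertyType DWord | Out-Null
    }

    # The advisory requires a DNS service restart for the change to take effect.
    Restart-Service -Name DNS -Force

    # Verify the value actually landed before reporting success.
    $check = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($check -ne $Value) {
        throw "Verification failed: $ValueName is $check, expected $Value"
    }
    Write-Host "$ValueName set to $check; DNS Server service restarted."
}

function Remove-DnsRpcProtocolWorkaround {
    # Assumption: with the value absent the service returns to its default RPC
    # transports. Use this after the security update is installed and tested.
    if (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
        Restart-Service -Name DNS -Force
        Write-Host "$ValueName removed; DNS Server service restarted."
    } else {
        Write-Host "$ValueName not set; nothing to roll back."
    }
}

# Usage (run elevated on each DNS server):
#   Set-DnsRpcProtocol              # local-only management (value 4)
#   Set-DnsRpcProtocol -Value 6     # assumption: LPC + named pipes, if you must keep
#                                   # some remote management per your risk assessment
#   Remove-DnsRpcProtocolWorkaround # roll back once the update is deployed
```

Run it under an account that can write to HKLM and restart services, and record the previous value it prints so the rollback can be audited later. Because the update will not touch this value, track which servers have the workaround applied separately from your patch status.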


As part of our standard SSIRP process, we will continue working around the clock to develop an update for this issue. We will also continue to investigate information about the vulnerability and the workarounds, and we will continue to monitor the situation in conjunction with our MSRA partners. We will continue to provide any updates we have in our advisory and on the MSRC weblog.



*This posting is provided “AS IS” with no warranties, and confers no rights.*