Microsoft released four patches Tuesday, one of which addresses a major DNS spoofing flaw exploited by malware. It's unclear why it was labeled "important" and not "critical", even though the two privately reported vulnerabilities in the Windows Domain Name System (DNS) enabled a remote attacker to redirect network traffic intended for systems on the Internet to another address, usually the attacker’s own systems.
Microsoft addressed the flaw by using strongly random DNS transaction IDs, using random sockets for UDP queries, and updating the logic used to manage the DNS cache, according to the company's security bulletin MS08-037. However, Microsoft is not the only company affected by the DNS flaw. Most networking vendors also need to fix this bug, including Cisco, the Internet Software Consortium, Juniper Networks, Microsoft, Nominum, Red Hat and Sun. Other companies which might need to address the issue are Akamai, Apple, Debian/GNU Linux, Fedora, FreeBSD, Gentoo, HP, IBM, Motorola, Nokia and Ubuntu.
However, Microsoft's fix interferes with software firewalls for Windows, because they are not written to expect the newly implemented security measures, which include randomizing the source ports used for queries. The DNS flaw was apparently discovered by Dan Kaminsky of the Seattle-based security firm IOActive Inc.
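The mitigation the bulletin describes rests on making two fields of every outgoing query unpredictable: the 16-bit transaction ID and the UDP source port. The following added example (not from the article, Microsoft or any vendor) is a small defender-side check that parses the transaction ID out of sample queries and scores whether a resolver still shows the pre-patch pattern of one fixed port and counting-up IDs; the function names, ports and IDs are all constructed for illustration.

```python
import math
import struct
from collections import Counter

def dns_txid(payload: bytes) -> int:
    """Return the 16-bit transaction ID that opens every DNS message."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes")
    return struct.unpack("!H", payload[:2])[0]

def build_query(txid: int, name: str) -> bytes:
    """Build a minimal DNS A query (constructed sample traffic, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def shannon_bits(values) -> float:
    """Shannon entropy of the observed values, in bits (max is log2(sample size))."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def assess_resolver(queries) -> dict:
    """queries: list of (udp_source_port, dns_payload) for one resolver's outgoing
    queries. Scores the two fields MS08-037 randomizes: source port and TXID."""
    ports = [p for p, _ in queries]
    txids = [dns_txid(d) for _, d in queries]
    # Pre-patch pattern: one reused source port, so only the 16-bit TXID defends.
    fixed_port = len(set(ports)) == 1
    # Counting-up IDs are trivially predictable even when the port varies.
    sequential = len(txids) > 1 and all((b - a) % 65536 == 1 for a, b in zip(txids, txids[1:]))
    result = {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "sequential_txids": sequential,
    }
    if fixed_port or sequential:
        result["verdict"] = "POOR"  # looks unpatched
    elif result["distinct_ports"] < 0.9 * len(queries):
        result["verdict"] = "FAIR"  # ports vary, but reuse is high for this sample
    else:
        result["verdict"] = "GOOD"
    return result

# Constructed samples: an unpatched-looking resolver (fixed port, counting IDs)
# and a patched-looking one (fresh random port and TXID for every query).
UNPATCHED = [(1035, build_query(0x1A2B + i, "example.com")) for i in range(4)]
PATCHED = [(port, build_query(txid, "example.com")) for port, txid in
           ((49231, 0x8F31), (61002, 0x0C44), (52777, 0xE912), (58420, 0x3B07))]
```

Running `assess_resolver` over queries captured from your own resolver (source port plus DNS payload per packet) gives a quick indication of whether the port-randomization part of the fix is in effect.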
The issue highlights that the current Domain Name System (DNS) is outdated, and that switching to the newer Domain Name System Security Extensions (DNSSEC) is imperative. While DNS returns various information associated with domain names, primarily the IP address of a given hostname, DNSSEC delivers those answers differently: each answer is digitally signed, so a resolver can verify that it really came from the zone's operator.
Deploying DNSSEC at the root of the Domain Name System will prevent many spam and spoofing attacks and force Internet crooks to find other means of attacking users.
Patch Tuesday also saw another three vulnerabilities fixed. The most prominent of the remaining three patches is the one affecting Windows Vista and Windows Vista Service Pack 1, as well as Windows Server 2008. It fixes a code injection flaw that enables remote code execution, a common attack vector for malware. The flaw was not tagged as critical, apparently because it cannot be exploited unless the user first takes some extra actions or installs special software or drivers.
Of the remaining two patches, one is for Microsoft SQL Server and one for Microsoft Exchange Server.
© 2007 - 2008 - eFluxMedia