FAQ: Here's the deal on the Windows DNS bug

Computerworld - If this is how every month in 2007 is going to go, anyone using Windows might want to set up a cot next to the computer right now: You may be working overtime, all the time, patching zero-day vulnerabilities.

Last month, it was the animated cursor bug in Windows; this month it's a hole in Microsoft Corp.'s server software line. What do they have in common? Both are critical flaws, both were being exploited by attackers before the bug was acknowledged by Microsoft -- and attacks ramped up within days -- and both deserve Computerworld's FAQ treatment.

This FAQ spells out the at-risk population, details the bug and ticks off the stopgap measures that are -- until Microsoft actually fixes the flaw -- the only defense.

OK, cut to the chase. Do I need to worry? If you're not running a Windows server or you're not responsible for running one in your workplace, you're home free. The vulnerability affects only Microsoft's server software. End users running Windows 2000, XP or Vista -- or heaven help you, Windows Me -- have nothing to do, and so no worries. It's out of your hands.

I'm running Mac OS X or Linux; what do I do? See above. No mention of Mac or Linux, is there? Sit back, relax. Cue up one of those clever "Hello, I'm a PC. Hello, I'm a Mac" TV commercials yet again. Or slip the DVD of March of the Penguins into the player. Just don't cry when the egg freezes. In other words, you're safe.

Zero days pop up so often my head is spinning. What's this one about? Windows 2000 Server and Windows Server 2003 have a bug in how the DNS Server Service -- the component that lets the server act as a Domain Name System server to route URL requests to the proper destination -- handles remote procedure call (RPC) protocol calls. By sending a malicious RPC packet to a DNS-enabled server, attackers could generate a stack-based buffer overflow. Code executed after that has complete access to the system. They then own the box; game over.

But what does that mean? One end result that several security researchers have put forward as a worst case goes like this: Hacker jacks server, then reconfigures its DNS records so that URL requests are redirected to a malicious site. A user types in "yahoo.com," say, but the cracked DNS record sends the user to youaretoastkiddo.com instead, a malicious site that's serving up broad-based exploits, such as one taking on the animated cursor file Microsoft just patched. Then that client PC is, as the site says, toast -- the hacker has just gained another bot. Multiply that by a fraction of all the traffic that goes through the compromised DNS server, and it could add up to a big boost in the bad guy's botnet. Other scenarios include phishing attacks in which a user types in the URL for his bank but is instead sent to a look-alike where criminals wait for him to enter a username and password.