Microsoft: No patch yet for DNS Server bug

Computerworld - Microsoft Corp.'s security team yesterday said it is still working on a patch for a critical bug in the company's server software.

The vulnerability in the Domain Name System Server Service of Windows 2000 Server SP4, Windows Server 2003 SP1 and Windows Server 2003 SP2, has been exploited since at least April 13, Microsoft acknowledged earlier -- although the company has continued to characterize those attacks as "limited."

"Our teams are continuing to work on developing and testing updates...[but] we don't have any new estimates on release timelines," said Christopher Budd, program manager for the Microsoft Security Response Center (MSRC) on the group's blog. "I can say that our ongoing testing so far has not raised any issues that would make us believe we might be looking at a longer timeline."

Previously, Budd has said that MSRC was shooting for releasing a patch May 8, the date of the next regularly-scheduled update. Security researchers, however, had earlier predicted that Microsoft would release an out-of-cycle fix, as it did April 3 for the Windows animated cursor vulnerability.

Also over the weekend, Microsoft posted a new document on its Knowledge Base support site that spells out how IT administrators can deploy a workaround for the DNS Server bug to all domain controllers in the enterprise. Earlier guidance from Microsoft -- as laid out in the security advisory it first published April 13 -- only gave instructions on how to disable remote administration of the DNS service one machine at a time.

Microsoft's how-to relies on techniques taken from a blog posting by Jesper Johansson, a former Microsoft senior security strategist. "Our PSS [product support services] team took [Johansson's] idea, added some error handling to it, and built it into a KB," said Budd.

Last week, several botworms tried to exploit the vulnerability to hijack servers.

Read more about security in Computerworld's Security Knowledge Center.