July 8th, 2008

Several Vendors Including Microsoft Patch Multiplatform DNS Vulnerability

Deficiencies in the Domain Name System (DNS) protocol may leave affected systems vulnerable to DNS cache poisoning attacks. An attacker who successfully poisons a nameserver's cache may be able to cause that nameserver's clients to contact incorrect, and possibly malicious, hosts for particular services. This may allow the attacker to obtain sensitive information or mislead users into believing they are visiting a legitimate website.

Microsoft Corp. today patched nine vulnerabilities in Windows, Exchange, SQL Server and the company’s DNS server and client software. All nine flaws were rated “important” by Microsoft, the second-highest threat rating in the company’s four-step scoring system.

One of the Microsoft fixes for Windows DNS was part of a group of patches issued today by software vendors to plug a multiplatform hole. Microsoft patched its implementations of DNS in MS08-037, the security bulletin that describes two DNS bugs in every supported version of Windows except Vista.

Microsoft also issued MS08-039 (a two-patch update to Exchange 2003 and 2007) and MS08-040 (a four-patch update for Microsoft’s SQL Server software, including the database components bundled with Windows) today. Both should be applied as soon as possible.

The fix for the DNS cache poisoning vulnerability, which was reported to Microsoft by Dan Kaminsky, a noted researcher and director of penetration testing at Seattle-based IOActive Inc., is part of a larger, coordinated rollout today. The Internet Software Consortium (ISC) has also updated its popular open-source BIND DNS software, and vendors like Red Hat Inc. and Sun Microsystems Inc. will be pushing that update to their users today.
