Microsoft DNS bug long known, familiar to researchers

Problem goes back at least a decade, say security pros

The DNS cache poisoning bug that Microsoft patched last Tuesday stems from a flaw that has been known to researchers for 10 years or more, the two security firms credited with reporting the vulnerability said this week.

Microsoft patched the Domain Name System (DNS) server included with Windows 2000 Server and Windows Server 2003 to fix what it called a spoofing flaw that could be exploited by identity thieves or malware authors to silently redirect users from intended Web destinations to malicious pretenders.

A day later, the two security companies that Microsoft acknowledged for independently reporting the bug -- Scanit NV/SA in Brussels, Belgium, and Trusteer in Tel Aviv -- published their analyses. The problem, said Scanit and Trusteer, is that Windows DNS server generates predictable transaction IDs, the 16-bit identifiers a resolver uses to match each answer to the query it sent, and the main check that is supposed to make spoofing and cache poisoning impractical. Because the transaction IDs can be predicted, an attacker who cannot see the resolver's traffic can still forge an answer that carries the right ID and deceive the name server into accepting false DNS data as legitimate.

Trusteer, in fact, showed how easy it is to predict transaction IDs by publishing a proof-of-concept script that needs only one valid ID to guess the next eight. "It's a powerful script and will certainly contribute to successful cache poisoning of a number of Microsoft DNS servers that still have the exposure," Symantec said in a warning to customers of its DeepSight threat network.

Scanit weighed in as well with its own proof-of-concept code, which it rolled into a Web-based DNS transaction ID analyzer.
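The two proofs of concept above are not reproduced on this page. The following is an added example, not code from Trusteer, Scanit or Microsoft, that shows the mechanics they describe: a "weak" transaction ID generator from which one observed ID yields the next eight, a brute-force analyzer of the kind Scanit's tool performs (does a run of observed IDs fit a 16-bit affine recurrence?), and a simulated race between a resolver and an off-path attacker against both the weak generator and a CSPRNG-backed one. The weak generator is a constructed linear congruential generator with arbitrary constants; the article does not describe the actual Windows DNS algorithm and this code makes no claim about it.

```python
"""Why a predictable DNS transaction ID lets an off-path attacker poison a
cache.  Added example for this article; the 'weak' generator is a
constructed 16-bit linear congruential generator, NOT Microsoft's algorithm
(the article does not describe it), and its constants are arbitrary."""
import random
import secrets
import struct

MOD = 1 << 16  # a DNS transaction ID is a 16-bit field


class WeakTxidGen:
    """Hypothetical generator: each ID is an affine function of the last one,
    so a single observed ID determines every ID that follows."""
    A, C = 0x6F1D, 0x2A4B  # arbitrary odd constants chosen for this example

    def __init__(self, seed):
        self.state = seed % MOD

    def next_id(self):
        self.state = (self.A * self.state + self.C) % MOD
        return self.state


class StrongTxidGen:
    """What a resolver should do: draw every ID from a CSPRNG."""
    def next_id(self):
        return secrets.randbelow(MOD)


def predict_next(observed, count=8, a=WeakTxidGen.A, c=WeakTxidGen.C):
    """Given one ID observed from the weak generator, return the next `count`."""
    out, x = [], observed
    for _ in range(count):
        x = (a * x + c) % MOD
        out.append(x)
    return out


def recover_lcg(samples):
    """Analyzer check: brute-force the (a, c) of a 16-bit affine recurrence
    that explains a run of consecutive observed IDs.  Returns (a, c), or None
    when nothing fits, i.e. the IDs do not look LCG-generated."""
    if len(samples) < 4:
        raise ValueError("need at least four consecutive IDs")
    x0, x1 = samples[0], samples[1]
    for a in range(MOD):
        c = (x1 - a * x0) % MOD  # c is forced once a is fixed
        if all((a * samples[i] + c) % MOD == samples[i + 1]
               for i in range(1, len(samples) - 1)):
            return a, c
    return None


def dns_header(txid, is_response, ancount=0):
    """12-byte DNS header: the transaction ID is the first two bytes, which
    (with the question section) is all a forged answer has to match."""
    flags = 0x8180 if is_response else 0x0100  # QR|RD|RA for answers, RD for queries
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def simulate_poisoning(gen, guess_fn, attempts=500, guesses=8):
    """The resolver issues `attempts` queries; before each, an off-path attacker
    who saw the previous ID races `guesses` forged answers.  A forgery wins when
    its ID equals the live query's ID.  Returns the poisoned fraction."""
    last_seen = gen.next_id()  # e.g. learned by making the resolver query an attacker-run zone
    poisoned = 0
    for _ in range(attempts):
        txid = gen.next_id()
        forged = [dns_header(g, True, 1) for g in guess_fn(last_seen, guesses)]
        if any(struct.unpack("!H", f[:2])[0] == txid for f in forged):
            poisoned += 1
        last_seen = txid
    return poisoned / attempts


def weak_guesses(last_seen, n):
    """Attacker strategy against the weak generator: predict from the last ID."""
    return predict_next(last_seen, n)


def random_guesses(last_seen, n, rng=random.Random(7)):
    """Attacker strategy against a random generator: blind 16-bit guesses."""
    return [rng.randrange(MOD) for _ in range(n)]


if __name__ == "__main__":
    run = [g for g in (WeakTxidGen(0xBEEF).next_id() for _ in range(6))]
    weak = WeakTxidGen(0xBEEF)
    run = [weak.next_id() for _ in range(6)]  # constructed "captured" IDs
    print("recovered (a, c):", [hex(v) for v in recover_lcg(run)])
    print("weak generator poisoned:", simulate_poisoning(WeakTxidGen(1), weak_guesses))
    print("strong generator poisoned:", simulate_poisoning(StrongTxidGen(), random_guesses))
    print("random IDs fit an LCG?", recover_lcg([secrets.randbelow(MOD) for _ in range(6)]))
```

Against the weak generator every query is poisoned, because the attacker's first guess is always right; against the CSPRNG the attacker's eight guesses hit with probability 8/65536 per query, which is why the fix is a strong generator rather than any amount of rate limiting. The `recover_lcg` check is the kind of test to run on IDs captured from your own resolver (for example from a packet capture of outbound queries): if a short run of IDs fits an affine recurrence, the generator is predictable regardless of how random the numbers look.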

Both Trusteer and Scanit also pointed out that the vulnerability is well known and has been extensively documented for more than a decade. "It is saddening to realize that 10-15 years after the dangers of predictable DNS transaction ID were discovered, still one of the most popular DNS cache servers does not incorporate strong transaction ID generation," Amit Klein, Trusteer's chief technology officer, said in his analysis. "It is particularly surprising that the transaction ID mechanism in use by Microsoft Windows DNS server is not based on industrial-grade cryptographic algorithms."

Meanwhile, Scanit's Alla Bezroutchko, the senior security engineer who wrote her company's analysis, cited research from 1997, 2002 and 2003 on predictable DNS transaction IDs in Berkeley Internet Name Domain (BIND), the most widely used DNS server software, to show that the problem is "common and well researched." Historically, BIND has had problems randomizing transaction IDs. For example, it was patched as recently as June after Klein reported new vulnerabilities. At that time, Internet Systems Consortium Inc., the nonprofit that supports BIND, issued updates and recommended that all name servers be patched.

But while BIND has been updated to make predictions unfeasible, Windows DNS server remains wide open to outdated attacks, said Klein. "The 'classic' DNS poisoning attack is still applicable to Windows DNS server [and] is far more effective than any attack previously described for Windows DNS," he said in his report.

That led other researchers to wonder why Microsoft's DNS server had been left untouched when there was plenty of information to indicate it might have a problem. "There are still questions to be answered," said Andrew Storms, director of security operations at nCircle Inc. "Why is MS DNS susceptible to such a well-known attack going way back to 1997?"

When asked that question, Microsoft's response was oblique. "Microsoft made improvements as Windows matured," a company spokesman said in an e-mail. "In addition, Microsoft has responded to researchers' findings."

Storms was also curious about the timing of the patch, which according to Scanit, came more than a year after it reported the vulnerability. "Why did it take a year?" Storms asked. Scanit notified Microsoft on Oct. 24, 2006, while Trusteer reported its findings more than six months later, on April 30, 2007.

The Microsoft spokesman defended the 12-month stretch, saying that while Scanit "reported behavior that appeared predictable with DNS transaction IDs ... their findings were inconclusive." Only after it received "additional information" -- presumably the report from Trusteer -- did it look into the matter to "re-evaluate the threat environment."

Ironically, the DNS patch was originally slated as one of last month's security updates, but Microsoft pulled the fix several days before the expected Oct. 9 release. Klein's analysis, in fact, listed that as its disclosure date. Microsoft did not give a reason in October for withdrawing the fix.


Gregg Keizer

Computerworld