Microsoft: DNS Vulnerability Not in Vista or XP

Microsoft has denied that the critical vulnerability affecting RPC on Windows Domain Name System Server is also found in Windows Vista or Windows XP Service Pack 2. The Microsoft Security Response Center has tested this vulnerability against the complete range of current Windows operating systems and has concluded that the issue is limited to Windows 2000 Server SP4, Windows Server 2003 SP1 and Windows Server 2003 SP2. Microsoft has continued to monitor the problem since the initial report on April 12 and confirmed that attacks are still not widespread. The Redmond company has also made available a new KB article designed to help deploy the DNS remote RPC block workaround at an enterprise level.

According to Christopher Budd, MSRC Security Program Manager, the DNS Server Service vulnerability only impacts the Windows server operating systems: "We know this because as part of our Software Security Incident Response Process (SSIRP) after we identify a vulnerability one of the first things we do is to establish the scope of affected software. We do this looking at the source code for the affected component in all publicly supported versions of the product. In the case of this vulnerability, the code with the vulnerability is in the DNS server component. That component isn't present in Windows client operating systems." Additionally, Budd pointed to May 8 as the official date for a security update to be released.

View: KB 936263
News source: Softpedia


6 Comments


I think that would be Linux Lego edition. Remove obviously discoloured block of nasty software and insert properly coloured block of software and publish. What could be easier....

They suck, this is a perfect example of why they suck. If this was a Linux vulnerability it would have been patched within 24 hours, how does a self organized group of hippies from around the world manage to implement and test way more than the "133 patches" MS has to release? Did anyone catch their BS about how they had to make 133 patches supposedly, one for each language... OK, does anyone really think that the code is ANY different in ANY of those patches, and if so, ask yourself why they're writing 133 different pieces of code when all they had to change was the text language strings... derp?
Between this and the 3rd try on the GDI patch, I think we can safely say MS's "new" security procedure DOES NOT WORK!!!!

Hint to MS: Copy Debian!!!!!!!!!!!!!!!!!!!

So question to myself.

Do I trust the OS where a fix is written and rushed out to users through the update,

or the OS where the maker releases an emergency fix, writes the patch, and then takes the time needed to fully test the patch and make sure it doesn't add any bugs, stability issues or other security issues...


An immediate fix is not a good thing btw, especially not on a server OS, you need to test and make sure stuff works as intended and doesn't fix one thing and break 10 others. This requires way more than half a day of testing.
And seeing as it's a Server thing mostly, the users should be more than capable enough to do the emergency fix.

If it was Linux... then which version would be patched? As there are so many "non standard" versions it would be hard to know where to start.

Linux trolls ..... gotta love em

Good, then hackers only have two weeks on them to exploit remote administration of the Windows Server 2003 SP2 DNS service. Hopefully many will follow the steps outlined there for an emergency fix, but knowing how things have worked in the past, I wouldn't be overly confident in that.