Microsoft issues critical DNS security updates

Microsoft has issued patches to plug 19 holes, including a critical zero-day DNS Server Service flaw as part of its monthly Patch Tuesday bulletin.

Microsoft plugged 19 holes on Tuesday, including seven critical updates, addressing a zero-day DNS server flaw as well as flaws in Microsoft Exchange, Internet Explorer, Microsoft Excel, Word and Office.

The patches were released on Tuesday as part of its monthly Patch Tuesday update cycle. Microsoft said that, if exploited, the critical flaws could allow an attacker to take complete control of a system.

The DNS Server Service flaw, which has been attacked on a limited scale in recent weeks, has been troublesome to some IT pros because DNS servers resolve domain names to the actual IP addresses of the Web servers hosting the requested sites.

Rich Linke, a Chicago-based independent security consultant and former global security manager at Kraft Foods, said security pros will likely get to work on patching Exchange servers and deploying the zero-day DNS server updates. The flaws in Internet Explorer and Excel could also "pose issues from a deployment standpoint," since they require a sizeable push to the desktop, Linke said.

"Some of the Exchange vulnerabilities kind of look odd and it's not clear at first glance if it affects the Outlook client and the server," he said. "The DNS noise level calmed down quite a bit over the last seven to ten days, so we didn't expect the update to come out of cycle."

Microsoft DNS zero-day:
Microsoft to release DNS patch Tuesday: In addition to a fix for the DNS Server Service flaw, Microsoft plans to patch critical flaws in Windows, Office, Exchange, CAPICOM and BizTalk.

DNS worm strikes at Microsoft flaw: A new worm called Rinbot.BC exploits the Microsoft DNS flaw by installing an IRC bot on infected machines and scanning for other vulnerable servers.

Microsoft investigates DNS server flaw: Attackers could exploit a DNS flaw in Microsoft Windows 2000 Server and Windows Server 2003 and run malicious code on the system. A workaround is suggested until a patch is issued.

A remote code execution vulnerability in Microsoft Exchange affects its handling of Multipurpose Internet Mail Extensions (MIME). In an advisory issued to customers, Symantec called the vulnerability one of the more critical issues of the month.

"A successful attack could completely compromise the computer hosting the vulnerable Exchange server and has the potential for impacting a large audience," Symantec said.

Microsoft also issued patches plugging four critical vulnerabilities in Internet Explorer that could be exploited by an attacker when a user visits a malicious Web site. The flaws are in IE 6 and 7 and include a Property Type Memory Corruption vulnerability and an HTML Objects Memory Corruption vulnerability.

"As we reported in the recent Internet Security Threat Report, attackers are continuing to leverage browser and application vulnerabilities and social engineering tactics to gain access to computers in order to execute malicious code," Oliver Friedrichs, director of emerging technologies at Symantec Security Response, said in a statement.

Critical vulnerabilities in Microsoft Word, including an RTF parsing flaw, a document stream flaw and an array overflow flaw, were plugged. Microsoft Word versions 6.0 and earlier were affected. A record vulnerability and a set font flaw in Microsoft Excel were also patched. The flaws in both Word and Excel could be exploited by an attacker to gain control of a computer.

"Since the Microsoft Office vulnerability is entrusted in Web applications, like Internet Explorer, these patches are critical and should also be prioritised and deployed quickly," said Paul Zimski, senior director of market and product strategy for PatchLink.

Microsoft also released a non-security, high-priority update for Windows on Windows Update (WU) and Software Update Services (SUS) and non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Microsoft also held a Webcast providing more information about the latest update.
