ISC has posted new information regarding the MS DNS compromises we saw last week.

http://isc.sans.org/diary.html?storyid=2627

There is a BO in the MS DNS RPC service.

http://www.microsoft.com/technet/security/advisory/935964.mspx

MS is developing a patch. Workarounds are to disable remote management over RPC or block inbound ports 1024 to 5000.

I know I don’t have to say it to the bleeding edge community, but I will anyway in case this gets forwarded on: :)

Don’t ever leave a windows box exposed to the internet! You’ll regret it. Maybe not today, maybe not tomorrow, but soon, and for the rest of your life. [1]

I’ve dropped sigs 2003539 and 2003240. They’re no longer necessary. Many thanks to everyone that reported hits, it was very helpful. We do not have enough information yet to write a signature for the vulnerability. Once we do we’ll post as soon as possible. If anyone happens to talk to MS, or gets hints of information via other sources, please let us know!

Matt

[1] en.wikipedia.org/wiki/Casablanca_(film)

This entry was posted on Friday, April 13th, 2007 at 2:36 pm and is filed under General, New Rules. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.