Multiple vulnerabilities have been identified in Microsoft Windows, which could be exploited to conduct DNS spoofing and cache poisoning attacks.

The first issue is caused due to the DNS server not reusing cached responses when receiving specially crafted queries thereby allowing greater predictability of subsequent transaction IDs used by the DNS server, which could be exploited to insert arbitrary addresses into the DNS cache.

The second vulnerability is caused due to the DNS server not correctly caching specifically crafted DNS responses, which could result in the DNS server making unnecessary lookups and leads to greater predictability of subsequent transaction IDs used by the DNS server.

The third issue is caused due to the DNS server not correctly validating who can register WPAD entries on the DNS server, which could allow any user to create a registration in the DNS database for Web Proxy Auto-Discovery (WPAD) if the name registration does not already exist.

The fourth vulnerability is caused due to the WINS server not correctly validating who can register WPAD or ISATAP entries on the WINS server, which could allow any user to create a registration in the WINS database for WPAD or ISATAP if the name registration does not already exist.

Affected Products

Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (x64)

Solution

Apply patch for DNS server on Microsoft Windows 2000 Server Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?familyid=110354f7-5ece-4c4d-b563-3adba6ac0116

Apply patch for WINS server on Microsoft Windows 2000 Server Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?familyid=4319abb3-1ea2-466a-a815-c0b3b86b4462

Apply patch for DNS server on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?familyid=6cc42c9e-c34e-4577-8b23-9e07e2369878

Apply patch for WINS server on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?familyid=049e5db5-7315-4188-99fd-4a54833e6bf2

Apply patch for DNS server on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?familyid=b1f81fd2-0099-4450-8543-0459561d22d0

Apply patch for WINS server on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?familyid=4a393c63-eff5-4c8c-9c3f-33ce45c32428

Apply patch for DNS server on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems :
http://www.microsoft.com/downloads/details.aspx?familyid=d3ed7d9a-d652-4bd0-aecc-5a415bec6c59

Apply patch for WINS server on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems :
http://www.microsoft.com/downloads/details.aspx?familyid=37e3a75e-0a5d-4df0-881f-cdb87efa4dcf

Apply patch for DNS server on Windows Server 2008 for 32-bit Systems :
http://www.microsoft.com/downloads/details.aspx?familyid=92e89882-d656-4b61-a05c-3afb44895f08

Apply patch for DNS server on Windows Server 2008 for x64-based Systems :
http://www.microsoft.com/downloads/details.aspx?familyid=be068d06-5939-4ad8-8191-e85931ed610f

References

http://www.vupen.com/english/advisories/2009/0661
http://www.microsoft.com/technet/security/Bulletin/MS09-008.mspx

Credits

Vulnerabilities reported by Kevin Day, Dave Dagon and the vendor.

Changelog

2009-03-10 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.