Three critical Windows DNS client vulnerabilities were patched today by Microsoft, closing off an avenue by which an attacker could, with relative ease, respond to DNS queries with malicious code and gain arbitrary code execution on Windows clients or Windows Server installations.
The flaws were discovered and privately disclosed to Microsoft by researcher Nick Freeman at Bishop Fox. An attacker on the local network or in a man-in-the-middle position could insert a malicious payload into a DNS response to a Windows machine’s DNS request and trigger the vulnerability.
Windows admins are advised to patch immediately; the bug affects Windows 8 and Windows 10 clients, and Windows Server 2012 and 2016. Bishop Fox said it is not aware of any public attacks using this vulnerability.
“In the majority of cases, the only requirement would be that an attacker is connected to the same network as their target,” Freeman said.
The bug, CVE-2017-11779, traces back to the introduction of DNSSEC in the Microsoft operating system, starting with Windows 8, via the DNSAPI.dll library. At the core of the bug is the Nsec3_RecordRead function, which unsafely parses a DNS resource record type called NSEC3, Freeman said. Users are at risk regardless of their interaction with the client or server, since DNS requests can be made silently by background processes looking up IP addresses, or more noisily via browsing, email applications or streaming music services, for example.
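The kind of length checking a record parser needs, shown as an added example that is not from the article, Bishop Fox or Microsoft: a bounds-checked walk over NSEC3 RDATA in the public RFC 5155 wire format. It does not reproduce the specific flaw in Nsec3_RecordRead, which the article does not detail; the function name, error codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NSEC3_OK = 0, NSEC3_E_FIXED = -1, NSEC3_E_SALT = -2, NSEC3_E_HASH = -3, NSEC3_E_BITMAP = -4 };

/* Check that every length field in NSEC3 RDATA stays inside the record (hypothetical helper). */
int nsec3_rdata_validate(const uint8_t *rd, size_t len)
{
    /* Fixed part: hash alg (1), flags (1), iterations (2), salt length (1). */
    if (len < 5) return NSEC3_E_FIXED;
    size_t salt_len = rd[4], off = 5;
    /* Compare against the bytes remaining, not off + n, so nothing wraps. */
    if (salt_len > len - off) return NSEC3_E_SALT;
    off += salt_len;
    /* Hash length (1 octet, value 1..255), then the next hashed owner name. */
    if (len - off < 1) return NSEC3_E_HASH;
    size_t hash_len = rd[off++];
    if (hash_len == 0 || hash_len > len - off) return NSEC3_E_HASH;
    off += hash_len;

    /* Type bit maps: (window, length 1..32, bitmap) blocks, windows increasing; may be empty. */
    int prev_window = -1;
    while (off < len) {
        if (len - off < 2) return NSEC3_E_BITMAP;
        int window = rd[off];
        size_t bm_len = rd[off + 1];
        off += 2;
        if (window <= prev_window || bm_len < 1 || bm_len > 32 ||
            bm_len > len - off) return NSEC3_E_BITMAP;
        off += bm_len;
        prev_window = window;
    }
    return NSEC3_OK;
}

/* Constructed sample records (hash shortened to 4 bytes for readability). */
static const uint8_t sample_ok[] = {1,0,0,10, 2,0xab,0xcd, 4,0x11,0x22,0x33,0x44, 0,1,0x40};
static const uint8_t sample_salt_overrun[] = {1,0,0,10, 0xff,0xab,0xcd};
static const uint8_t sample_hash_overrun[] = {1,0,0,10, 0, 20,0x11,0x22,0x33,0x44};
static const uint8_t sample_bitmap_bad[] = {1,0,0,10, 0, 1,0x11, 0,33,0x40};

int main(void)
{
    printf("%d %d %d %d\n", nsec3_rdata_validate(sample_ok, sizeof sample_ok),
           nsec3_rdata_validate(sample_salt_overrun, sizeof sample_salt_overrun),
           nsec3_rdata_validate(sample_hash_overrun, sizeof sample_hash_overrun),
           nsec3_rdata_validate(sample_bitmap_bad, sizeof sample_bitmap_bad));
    return 0;
}
```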