Posted on 12/08/2015 10:19:18 PM PST by Utilizer
No workarounds.
Microsoft is warning users running the Domain Name Service (DNS) look up feature on Windows Server to patch their installations against a critical vulnerability that permits attackers to remotely execute code on affected machines.
The vulnerability has been assigned the common vulnerabilities and exploits index term CVE-2015-6125 and affects 32 and 64-bit versions of Windows Server 2008, 2008 R2, 2012 and 2012 R2, and the stripped-down Server Core variants, Microsoft said.
Windows Server Technical Preview 3 and 4 are also affected.
(Excerpt) Read more at itnews.com.au ...
Ping!
Thanks to Utilizer for the ping!!
I have to speak to this at a management meeting this morning. Here are some of the finer points:
1. This is targeted at Internet-facing DNS servers. The likelihood of an external attack against a NATted private network is very small.
2. Server 2012 Active Directory domain controllers require the installation of DNS during promotion, making DCs particularly vulnerable.
3. If you’re running external resolvers on DCs, shame on you.
4. While Microsoft states there are no mitigating controls, blocking TCP 53 on edge firewalls prevents DNS lookups from getting to your servers.
and... again...
5. See #3
This is, again, much ado about nothing if you’re an enterprise-minded system administrator. I’ve never worked for a company that used Windows for edge DNS resolution. That’s usually handled at the ISP or by GTMs in the DMZ.
I can probably guess this is a bigger issue in the third world.
How several thousand self-congratulating and thoroughly egotistical software engineers can accidentally build a back door into everything they write is bewildering.