Microsoft has patched a serious Windows DNS Server
vulnerability, CVE-2020-1350, carrying a CVSS score of 10.0. The latest indication
from Microsoft is that it has not yet been seen exploited in the wild.
Microsoft ships security updates on the second Tuesday of each month, usually fixing a
variety of security issues and other bugs. There are always a few
critical ones but, unless a vulnerability is already being exploited in attacks, Microsoft
normally holds the fix for Patch Tuesday rather than issuing an out-of-band update.
Since Windows is such a large ecosystem, odds are that many
vulnerabilities are still undiscovered, not to mention vulnerabilities
that have yet to be introduced into the code. What sets CVE-2020-1350
apart is its CVSS score of 10.0, the maximum possible, which is rare.
It is a wormable remote code execution vulnerability in the Windows DNS Server
role: an attacker who gets a vulnerable server to process a crafted DNS response can run
arbitrary code in the context of the Local System account, remotely and without any user
interaction. Because the DNS Server role very often runs on domain controllers, a
successful exploit on one server can mean control of the whole domain, and a worm
could hop from one vulnerable DNS server to the next.
“This issue results from a flaw in Microsoft’s DNS
server role implementation and affects all Windows Server versions.
Non-Microsoft DNS Servers are not affected,” says
Microsoft. “Wormable vulnerabilities have the potential to spread via
malware between vulnerable computers without user interaction. Windows DNS
Server is a core networking component.”
This type of security issue is the textbook reason why
administrators should always keep their systems up to date. If installing the update is
not possible right away, Microsoft offers a registry-based workaround that limits the size
of TCP-based DNS responses the server will accept and requires a restart of the DNS
service. It is a stopgap, not a substitute for the patch.
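As an added example (not code from the article or from Microsoft), the following PowerShell applies, checks and removes that registry workaround on a server running the DNS role. The registry path, value name and the 0xFF00 value are taken from Microsoft's published guidance for CVE-2020-1350 (KB4569509); the function names and the state labels they return are my own.

```powershell
# Added example: manage Microsoft's registry-based workaround for CVE-2020-1350.
# Key, value name and value per Microsoft's guidance (KB4569509); run elevated.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'TcpReceivePacketSize'
$safeValue = 0xFF00   # 65280 bytes: largest TCP-based DNS response the server will accept

function Test-DnsRolePresent {
    # The workaround only applies where the DNS Server service exists.
    return [bool](Get-Service -Name DNS -ErrorAction SilentlyContinue)
}

function Get-DnsWorkaroundState {
    # Returns one of: NotSet, Applied, SetButTooLarge (labels are this example's own).
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$valueName -le $safeValue) { return 'Applied' }
    return 'SetButTooLarge'
}

function Enable-DnsWorkaround {
    if (-not (Test-DnsRolePresent)) {
        Write-Warning 'DNS Server service not found on this host; nothing to do.'
        return
    }
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord `
        -Value $safeValue -Force | Out-Null
    # The value is only read when the service starts, so restart it.
    Restart-Service -Name DNS
}

function Disable-DnsWorkaround {
    # Remove the value once the July 2020 security update for this OS is installed.
    Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
}

# Usage:
#   Enable-DnsWorkaround
#   Get-DnsWorkaroundState    # expected: Applied
#   Disable-DnsWorkaround     # after patching
```

Restarting the DNS service briefly interrupts name resolution for clients of that server, so on a domain controller schedule it accordingly. Microsoft's guidance also notes that the workaround is compatible with the update, but the registry value is no longer needed once the update is applied.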
Of course, while it looks like the vulnerability has not been
used so far, bad actors will diff the patched binaries against the unpatched ones and
work out how to exploit it. And since the bug has been present in every Windows Server
release since 2003, the vulnerable install base is enormous and includes servers that are
out of support, so it is likely that numerous systems will never receive the patch, leaving
them exposed to future attacks.
A good example is BlueKeep (CVE-2019-0708), a vulnerability found in
Microsoft's Remote Desktop Protocol and patched more than a year ago. To this
day, there are numerous Windows machines still vulnerable to BlueKeep.