Microsoft has released a patch after researchers from cybersecurity firm Check Point identified a critical security flaw in Windows DNS, the implementation of domain name system (DNS) services provided by Microsoft in Windows operating systems.
Check Point researchers said that the vulnerability had been in Microsoft code for more than 17 years.
Microsoft on Tuesday warned all customers to apply Windows updates to address this vulnerability as soon as possible.
This is because the vulnerability in Windows DNS Server has been classified as a “wormable” vulnerability which has the potential to spread via malware between vulnerable computers without user interaction.
“Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Mechele Gruhn, Principal Security PM Manager, Microsoft Security Response Center, said in a blog post.
“Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0,” Gruhn said, adding that non-Microsoft DNS Servers are not affected.
Sagi Tzaik, a vulnerability researcher at Check Point, discovered a security flaw that would enable a hacker to craft malicious DNS queries to the Windows DNS server, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure.
The critical vulnerability, named SigRed by Check Point researchers, affects Windows server versions from 2003-2019.
DNS, often referred to as the “phonebook of the Internet”, is part of the global Internet infrastructure that translates the familiar website names that we all use, into the strings of numbers that computers need in order to find that website, or send an email.
It’s the “address book” of the internet.
On May 19, Check Point Research responsibly disclosed its findings to Microsoft.
Microsoft acknowledged the security flaw issued a patch (CVE-2020-1350) on Tuesday.
“A DNS server breach is a very serious thing. Most of the time, it puts the attacker just one inch away from breaching the entire organization. There are only a handful of these vulnerability types ever released,” Omri Herscovici, Check Point’s Vulnerability Research Team Leader, said in a statement.
“Every organization, big or small using Microsoft infrastructure is at major security risk, if left unpatched. The risk would be a complete breach of the entire corporate network,” Herscovici said.
“This vulnerability has been in Microsoft code for more than 17 years; so if we found it, it is not impossible to assume that someone else already found it as well,” Herscovici added.