
Security Update for Microsoft Windows DNS to Address Remote Code Execution - choult
https://technet.microsoft.com/en-us/library/security/ms15-127.aspx
======
jimrandomh
Before we all freak out, this affects Windows DNS _servers_. Those are
relatively rare, and are (hopefully) well maintained with patches, especially
today which is the second Tuesday of the month. Nothing in the advisory
suggests it affects normal Windows desktops.

~~~
0x0
Aren't domain controllers likely to run DNS services?

~~~
madsushi
Very likely, but also typically not exposed to the internet. So there's
definitely plenty of risk here, but an adversary would likely have to be
within your network to query your DC.

~~~
acdha
“Within your network” could include anything from “using the guest wifi” to
“got someone with an account to click on the wrong link / look at the wrong
media file”.

Yes, it's not a worm. That doesn't mean it's not a big deal for a lot of
people, particularly if they've already had a minor compromise by someone
waiting for this kind of exploit to escalate.

~~~
AnthonyMouse
And that's assuming you can't exploit it by controlling an
upstream/authoritative nameserver or via DNS poisoning.

------
hdmoore
This affects 2008 and newer, older versions did not support DNAME[1] records.
It isn't clear whether an existing DNAME record needs to exist in order for
this to be exploitable. Skimming the Sonar FDNS[2] dataset, only 5,581 DNAME
records were identified[3]. A diff has been posted by Greg Linares[4], showing
the addition of a memset(0) to the DNAME merge function.

1. [https://tools.ietf.org/html/rfc6672](https://tools.ietf.org/html/rfc6672)
2. [https://scans.io/study/sonar.fdns](https://scans.io/study/sonar.fdns)
3. [https://hdm.io/data/20151121_dname.txt.gz](https://hdm.io/data/20151121_dname.txt.gz)
4. [https://twitter.com/Laughing_Mantis/status/67430845437942579...](https://twitter.com/Laughing_Mantis/status/674308454379425792)

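For readers unfamiliar with the DNAME records the comment above refers to, here is an added example (not from the thread, and not Microsoft's DNS server code) of the RFC 6672 substitution step that a resolver or server performs when a DNAME applies to a query name, including the two edge cases the RFC calls out: the record never applies to its own owner name, and a synthesized name longer than 255 wire octets must be rejected with YXDOMAIN rather than used. The function and constant names are mine.

```python
"""Added example: RFC 6672 DNAME substitution (not code from the thread)."""
from typing import List, Optional

YXDOMAIN = "YXDOMAIN"  # RCODE 6: substitution would exceed the name length limit


def _labels(name: str) -> List[str]:
    """Split a presentation-format name into labels, dropping the root dot.
    Names are compared case-insensitively, as DNS requires."""
    return [label for label in name.rstrip(".").lower().split(".") if label]


def wire_length(name: str) -> int:
    """Length of a name in DNS wire format: one length octet per label,
    the label bytes themselves, plus the terminating zero octet."""
    return sum(len(label) + 1 for label in _labels(name)) + 1


def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """Apply the record '<owner> DNAME <target>' to <qname>.

    Returns the synthesized CNAME target (RFC 6672 section 2.2), None when
    the DNAME does not apply (qname is not strictly below owner), or
    YXDOMAIN when the result would exceed 255 wire octets.
    """
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    # A DNAME covers only names *below* its owner, never the owner itself,
    # so the query must have more labels than the owner and end with it.
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    prefix = q[: len(q) - len(o)]
    new_name = ".".join(prefix + t) + "."
    # Substitution can lengthen the name; the 255-octet limit still applies.
    if wire_length(new_name) > 255:
        return YXDOMAIN
    return new_name


if __name__ == "__main__":
    # Constructed sample records, not real zone data.
    print(dname_substitute("www.example.com.", "example.com.", "example.net."))
    print(dname_substitute("example.com.", "example.com.", "example.net."))
```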
~~~
rb12345
The older versions are out of support though, aren't they? It's possible that
variants of this might exist in those too if the sibling comment is correct.

~~~
KirinDave
Yes, but there's only so much anyone can reasonably be expected to do if
someone doesn't update their computer for 7 years, I suppose.

------
c0nsumer
This one would have been really fun if it was on the client resolver.

