Microsoft Preps DNS Mega-Patch

Don't look now, but Microsoft Corp. is prepping still another mega-patch, this time for the Windows DNS vulnerability it first disclosed last week.

Don't look now, but Microsoft Corp. is prepping still another mega-patch, this time for the Windows DNS vulnerability it first disclosed last week.

Like another recent patch -- an early April update which patched a bevy of Windows GDI vulnerabilities -- Microsoft could conceivably release its DNS fix as an out-of-band update. As of now, Redmond expects to release the fix as part of its normal May 8 Patch Tuesday update process, but that could change as circumstances develop.

"While we don't have a firm estimate on when we'll complete our development and testing of updates for this issue, we have teams around the world working on it twenty-four hours a day, and hope to have updates no later than May 8, 2007, for the May monthly bulletin release," wrote Christopher Budd on the Microsoft Security Response Center (MSRC) blog. "However, this is a developing situation, and we are constantly evaluating the situation and the status of our development and testing of updates."

If the scope of Microsoft's patching effort is as involved as Budd says, the software giant will probably need every minute between now and May 8 to test and validate its proposed fix. "For this issue, our teams are working on developing and testing 133 separate updates: one in every language for every currently supported version of Windows servers," Budd wrote.

The vulnerability impacts both Windows 2000 Server and Windows Server 2003. Windows 2000 Professional and Windows XP (all versions) aren't susceptible.

"Each of these has to be tested to ensure they effectively protect against the vulnerability. Because DNS is a critical part of the networking infrastructure, they also have to be tested to ensure that changes introduced by the updates don't pose a greater risk than the security issue we're addressing," he wrote.

As of yesterday, Microsoft had confirmed the existence of four separate software exploits, none of which automatically propagates, Budd confirmed. Elsewhere, the software giant added port 139 to the list of ports it recommends that customers block in accordance with its recommended firewall and IPSec workarounds.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


  • Microsoft Invests $1 Billion in Next-Level AI Research

    Research outfit OpenAI and Microsoft have inked a $1 billion deal around artificial general intelligence (AGI), considered the holy grail of AI research.

  • Microsoft Streamlining Office 365 App Activations

    The Office 365 app installation experience should get a little easier for end users starting as early as next month.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.