Critical Flaw Uncovered In Windows DNS Client


It has been reported that security researchers have advised the patching of a critical vulnerability in the DNS client used in Windows. If ignored, the flaw could allow hackers to gain access to a target system. Josh Mayfield, Platform Specialist at FireMon commented below.

Josh Mayfield, Platform Specialist at FireMon:

 “DNS clients are chatty, making more noise than just about any other system on a given network.  All this chatter can be scooped up and repurposed for malicious takeovers (e.g. man-in-the-middle).  The best way to mitigate this type of attack is by automating policy and risk assessments.

Starting with policy, organisations can quickly identify the types of traffic permitted to-and-from any given asset on the network – including, DNS.  This gives you the kind of visibility and control on what should happen.  Second, leading organisations continue to automate their risk assessments through attack path analysis.  It is a simple exercise to bring policy and rules together with vulnerability scans and assess them in the same interface.

By matching policies with vulnerabilities, organisations can identify risks and likely paths for would-be malicious DNS response.  Then, take action through further automation to enhance their security posture (e.g. modify rules, patch vulnerabilities, block on firewalls, etc).  Organisations do not have the labor force or time for haphazard patching, but using automation for risk assessments and policy controls…that’s something anyone can pursue to prevent these attacks.
From a user perspective, we advise users to make sure all their systems are up-to-date.  But before you gloss over this banal suggestion, let me give you another twist.  The most common tactic for man-in-the-middle is to send a ‘Windows Update’ for the user, trusting the user will assume it is time for another update and execute the malicious code.

However, from an end user point of view…you update your system all the time; why are you being asked to update?  You just did one 3 minutes ago.  This could be a sign that you have a man-in-the-middle relaying malicious content to your computer during its steady engagement with the DNS.

Secondly, often man-in-the-middle attacks make use of protocols that are typically restricted by network policy.  This is yet another benefit of automating policy controls and risk assessments.  By restricting the protocols available, when a denial spike comes from a certain DNS, it is a leading indicator that you may have an issue of man-in-the-middle.  If a protocol violates policy (e.g. SMB, HTTP, UDP) within the DNS’s network segment, then security teams can automate responses to the apparent malicious activity controlling the DNS – disreputable protocols are the closest thing we have to a smoking gun.

By automating the policy management and risk assessments, you can know with greater certainty if DNS’s have been compromised, take appropriate action, and mitigate risks from man-in-the-middle.  All before you have to patch anything.”