Comments
Microsoft on Tuesday released a security update for a critical flaw in its Windows Domain Name System (DNS) Server.
The flaw was a high-risk vulnerability in Microsoft’s DNS server which the tech giant had deemed “wormable.”
“We have released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected,” said Mechele Gruhn, Principal Security PM Manager, MSRC.
“Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Gruh explained.
The vulnerability was discovered by researchers at Check Point who had warned against the severity of the bug.
“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response,” Check Point said.
The bug was reported to Microsoft in May. As the update was released recently, the flaw had left a lot of devices vulnerable to attack. However, Microsoft had said that it hadn’t found evidence of the flaw being exploited yet.
The vulnerability had been assigned the highest risk score of 10 on the Common Vulnerability Scoring System (CVSS). For comparison, one of the worst cyberattacks on Microsoft devices dubbed ‘WannaCry attack’ was rated at 8.5 on CVSS.
Windows users affected by the vulnerability should install the update as soon as possible. If applying the update is not possible, Microsoft has detailed a registry-based workaround on its website which will not require restarting of servers.
Users who have their automatic updates turned on are not needed to take any additional action.
Comments
COMMENT NOW
Comments
Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.
We have migrated to a new commenting platform. If you are already a registered user of TheHindu Businessline and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.