Computers & Laptops

Microsoft patches a 17-year-old critical flaw in Windows DNS Server

Hemani Sheth Mumbai | Updated on July 15, 2020

Microsoft on Tuesday released a security update for a critical flaw in its Windows Domain Name System (DNS) Server.

The flaw was a high-risk vulnerability in Microsoft’s DNS server which the tech giant had deemed “wormable.”

“We have released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected,” said Mechele Gruhn, Principal Security PM Manager, MSRC.

“Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction. Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Gruh explained.

 The vulnerability was discovered by researchers at Check Point who had warned against the severity of the bug.

“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response,” Check Point said.

The bug was reported to Microsoft in May. As the update was released recently, the flaw had left a lot of devices vulnerable to attack. However, Microsoft had said that it hadn’t found evidence of the flaw being exploited yet.

The vulnerability had been assigned the highest risk score of 10 on the Common Vulnerability Scoring System (CVSS). For comparison, one of the worst cyberattacks on Microsoft devices dubbed ‘WannaCry attack’ was rated at 8.5 on CVSS.

Windows users affected by the vulnerability should install the update as soon as possible. If applying the update is not possible, Microsoft has detailed a registry-based workaround on its website which will not require restarting of servers.

Users who have their automatic updates turned on are not needed to take any additional action.

Follow us on Telegram, Facebook, Twitter, Instagram, YouTube and Linkedin. You can also download our Android App or IOS App.

Published on July 15, 2020
This article is closed for comments.
Please Email the Editor