Microsoft's troubles with its newest operating systems continued Friday as it confirmed that an unpatched vulnerability in its current server software also exists in the still-beta code for Longhorn Server.
"Yes, Longhorn Server is affected," a Microsoft spokeswoman said Friday in an e-mail.
According to a security advisory released late yesterday, a zero-day vulnerability in the DNS Server Service in Windows 2000 Server (SP4) and Windows Server 2003 (SP1 and SP2) is being exploited by attackers, who send malformed RPC packets to the server.
Although Microsoft does not rank vulnerabilities until they are patched, most security companies and organizations have pegged this bug at or near their highest warning levels. Danish vulnerability tracker Secunia, for instance, labelled it "highly critical," while eEye Digital Security tagged it as "critical."
"Utilizing RPC functionality designed for remote management, an attacker is able to anonymously cause a stack-based buffer overflow," according to eEye's advisory. "This code is executed under the context of SYSTEM, allowing for full system compromise." Remote procedure call is used by Windows to call a service from an application on another machine in a network.
Microsoft's advisory omitted Longhorn Server as one of the affected operating systems. "As a rule, Microsoft does not publicly talk about vulnerabilities in nonreleased products and technologies," said the company spokeswoman.
The bug marks the third in the past two weeks to point to problems Microsoft has had in rooting out flaws in old code that it has recycled in its next-generation operating systems, Windows Vista and Longhorn Server. Two recent vulnerabilities that affect Vista -- one in rendering animated cursors, the other in error message processing -- have also been identified in older versions of the operating system.
Since Longhorn Server is still in testing, "time is on their side in this case," said Amol Sarwate, manager of Qualys Inc.'s research lab. "The thing to look for is how much of [the Software Development Lifecycle] has been effective in not allowing bugs to creep in from old code when Longhorn is released -- not now.
"You could say that they should have caught this in testing [Longhorn], but the testing process is also part of SDL," he said.
SDL is the Microsoft secure code initiative that the company used throughout the Vista and Longhorn Server design and development process.
In its advisory, Microsoft recommended several ways to block exploits against the new bug, but did not specify a patch delivery date. It did say, however, that it "is completing development of a security update for Windows that addresses this vulnerability."
Sarwate believes that the patch will be released out-of-cycle -- in other words, before the security updates scheduled for May 8. "I think they will release this out-of-band," he said. "Microsoft has already acknowledged that a few exploits are taking place, and that limited attacks are being made."
Longhorn Server, which is expected to shift into Beta 3 by the end of June, will be patched as well, Microsoft indicated. "Although formal support is not offered for this beta, Microsoft will provide updates that address any impact to Longhorn Server beta customers as needed," the spokeswoman said.
The DNS issue first surfaced publicly a week ago, when the SANS Institute's Internet Storm Center reported exploits that targeted Microsoft's DNS Server and other Windows components.