Hacking

Microsoft’s October Patch Tuesday addresses critical Windows DNS client Zero-Day Flaws tied to DNSSEC

Microsoft’s October Patch Tuesday addresses three critical zero-day security vulnerabilities tied to the DNSSEC protocol.

Microsoft’s October Patch Tuesday addresses three critical security vulnerabilities in the Windows DNS client in Windows 8, Windows 10, and Windows Server 2012 and 2016.

The vulnerabilities affect the Microsoft’s implementation of one of the data record features used in the secure Domain Name System protocol, DNSSEC.

DNSSEC is a set of extensions to DNS that was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. The answers from DNSSEC protected zones are digitally signed, a DNS resolver can verify the digital signature to check the integrity of the information compared with to the information published by the zone owner and served on an authoritative DNS server.

The heap buffer-overflow flaws, tracked as CVE-2017-11779, were reported by experts at security firm Bishop Fox, The issues are Windows DNSAPI Remote Code Execution flaws that could be exploited by an attacker to gain full control over the victim’s machine without user interaction.

Microsoft fixed the flaw by releasing the KB4042895 security update (OS Build 10240.17643).

According to Nick Freeman, the Bishop Fox researcher who discovered the vulnerabilities, the problem resides in the Microsoft’s implementation of the NSEC3 (Next Secure Record version 3) feature for DNSSEC.

“The Windows DNS client doesn’t do enough sanity checking when it processes a DNS response that contains an NSEC3 record,” Freeman wrote in a report released today. “Malformed NSEC3 records can trigger this vulnerability and corrupt the memory of the DNS client. If this is done carefully, it can result in arbitrary code execution on the target system.”

“Because the record is malformed, it doesn’t make it through the normal DNS system. Servers along the way will drop it because it doesn’t fit the standard for NSEC3 record,” he wrote. “This is a good thing, because otherwise this issue would be easier to exploit and have far more serious implications. So, for an attacker to exploit this issue, they need to be between you and the DNS server you’re using.”

Attackers can use malformed NSEC3 records to trigger the vulnerability and corrupt the memory of the DNS client, it can result in arbitrary code execution on the flawed system.

An attacker can trigger DNSSEC flaws in Windows only if it shares the same physical network as the targeted machine.  An insider or an external attacker is in the condition to run a man-in-the-middle attack to intercept DNS requests from the victim’s machine could exploit the flaw.

“In the majority of cases, the only requirement would be that an attacker is connected to the same network as their target,” Freeman said.

An attacker can trigger the flaws by injecting a malicious payload into a DNS response to a Windows machine’s DNS request.

“If someone was using a corporate laptop at a coffee shop and on WiFi, or hacked your cable router and you got hit … giving the attacker an entry point into the network,” Freeman added. “They could then launch this attack against other systems on that network.”

Bishop Fox confirmed it is not aware of any public attacks exploiting this flaw.

“This is a very traditional vulnerability, so it’s reasonable” for most attackers to be able to exploit it, Freeman concluded.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – DNSSEC, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials

FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…

13 hours ago

Shields up US retailers. Scattered Spider threat actors can target them

Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting…

16 hours ago

U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…

21 hours ago

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

1 day ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

1 day ago

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

2 days ago