Microsoft investigating NSlookup.exe flaw, reported attacks

Microsoft investigating new Windows zero-day attackMicrosoft is investigating new public reports of a zero-day Windows vulnerability that’s being exploited in the wild.

According to a this SecurityFocus alert, the attacks are exploiting a remote code-execution vulnerability due to an unspecified error in NSlookup.exe, the command-line administrative tool used for testing and troubleshooting DNS servers.

  • Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.

According to the alert, the issue is reportedly “being actively exploited” in the wild but details on the attacks are scarce.

A video of a proof-of-concept exploit in action was released by Argentinian researcher Ivan Sanchez.

On its monthly Patch Tuesday Webcast (see transcript), Microsoft’s security response team said it was aware of the flaw report and had started an investigation. The company has not yet issued a security advisory with workarounds or mitigations.

Some other highlights from the Webcast:

  • The Microsoft Access Snapshot Viewer ActiveX control vulnerability was only partially fixed with MS08-041. The standalone Access Snapshot Viewer is still vulnerable and unpatched. There are confirmed in-the-wild exploits for this vulnerability.
  • The reason the massive IE killbit update was done as an advisory instead of a bulletin was because it only included killbits for third-party (Aurigma and HP) ActiveX controls. Microsoft does not provide a security rating for these controls and the company never releases bulletins without severity ratings. “Since there is no severity associated with this release, we decided to release this update via an advisory.”
[Source: zdnet]