Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

I subscribe to the security flashes and updates.  If you don't, you should.  At about 2am this morning, I received an email about Microsoft Security Advisory (935964).  See for the full text of the update, the Overview Section, the FAQ section, and the Suggested Actions. 

Here's a portion of the webpage:

Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location:

If you have a DNS server, you need to pay particular attention to this issue.  That means internal or external DNS servers.  Remember, many attacks and thefts occur on the inside of an organization.

For more information, please keep an eye on the Microsoft Security Response blog at  You might want to read Jesper's blog post at  He has some good suggestions on updating a bunch of DCs and DNS servers.

Comments (1)

  1. DrewNamingServer says:

    Hysteria!! If an internal user is an accomplished coder who can manipulate RPC then why is shutting off the DNS remote mgmt server going to keep them from doing harm? Have you enumerated the RPC servers available on a domain controller? There is a large surface for attack.

    If you have external DNS servers that don't have port 135 protected then you get what's coming to ya!
