News

Microsoft's DNS Fix Leads to More Problems

Possible overall weakness of the Domain Name System (DNS) architecture stirs controversy

The blogosphere is awash with talk about the possible overall weakness of the Domain Name System (DNS) architecture. For its part, Microsoft's released a DNS fix in its patch slate for July, but Redmond seems to have problems just getting it to end users. Moreover, some users of the DNS fix have experienced additional difficulties.

So far, since Microsoft's DNS fix was issued on July 10, there have been two separate problems associated with its installation.

The software giant disclosed last week, in a technical posting on its SBS services blog, that some users experienced interruptions in the Exchange Server services component of application stacks sitting on various Windows operating systems.

"Some customers have reported seeing random problems with services after installing MS08-037," the blog stated. MS08-037 is Microsoft's fix designed to stave off DNS cache exploits. Hackers can use this vulnerability to increase their chances of redirecting an unsuspecting user to a malicious Web site.

The blog indicated that notifications for Active Sync -- Microsoft's solution for synchronizing a mobile device with either a PC or server hardware running Exchange -- were failing. Also, Internet Protocol Security (IPsec) services and Internet Authentication Services (IAS) were failing to start.

Reached early Tuesday for comment, Microsoft would only confirm that this issue is separate from another glitch announced on July 10 -- an interoperability snafu associated with the ZoneAlarm security application made by Check Point Software Technologies. In response to the glitch, Check Point provided updates for all of its ZoneAlarm products.

Tyler Reguly, a security engineer for San Francisco-based nCircle, commented that Microsoft should be more transparent about issues like those outlined in the SBS services blog. Such descriptions went relatively under the radar, and could be considered highly technical, bordering on vague.

"It may take users quite a while to diagnose the problem and then they have to find this specific blog post," he said. "Microsoft should really be doing more to make people aware of the issue. The impact isn't as great as the recent WSUS issue, but this should be handled in the same way that was. It should be given its own KB number and a security advisory should be released, especially given that IPsec is potentially affected."

-- Jabulani Leffall

Must Read Articles