Hello BugTraq,

The Microsoft Windows DNS stub resolver (the component in Windows that queries the upstream DNS server for address resolutions on behalf of most Windows programs, e.g. browsers) sends predictable DNS queries with respect to DNS transaction ID and source UDP port. This allows some interesting attacks on DNS clients (i.e. desktops), including DNS cache poisoning of the client's local DNS cache (which is maintained by the stub resolver).

Affected products: Windows Vista, Windows XP SP2, Windows 2003 and Windows 2000 SP4.

Microsoft was informed on April 30th, 2007. Microsoft security bulletin MS08-020 (released today) addresses this issue.

For the full details, please read the paper "Microsoft Windows DNS Stub Resolver Cache Poisoning" by yours truly, which you can download at the following URL:

http://www.trusteer.com/docs/windowsresolver.html

Note that the subject of DNS cache poisoning was widely discussed in the context of caching DNS servers. The case of the (caching) stub resolver was very little discussed though, partly due to the belief that this problem is limited to the LAN. However, the paper covers some interesting scenarios which extend beyond the simple LAN attack - e.g. in some cases, this attack can be used to actually poison a caching DNS server, and in another example, multi-homed clients are shown to be particularly vulnerable.

Thanks,

Amit Klein
CTO
Trusteer
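A defender-side check for the weakness the post describes, added here as an example that is not part of Amit Klein's message or the Trusteer paper: given (transaction ID, source port) pairs observed for consecutive queries from one stub resolver, it reports whether the ID behaves like a counter and whether the port never changes. The samples are constructed, not real captures, and the 0.9 counter threshold is an assumption.

```python
import math
from collections import Counter

# Constructed observations (not captured from any real host), one tuple per
# query: (DNS transaction ID, UDP source port). The first list mimics a
# resolver that increments its ID by one and reuses a single port; the
# second mimics a resolver that randomizes both fields.
PREDICTABLE_QUERIES = [(0x1A00 + i, 1025) for i in range(32)]
RANDOM_QUERIES = [
    (0x7F3A, 52011), (0x02C9, 61840), (0xE114, 49377), (0x9B6D, 58204),
    (0x4410, 53962), (0xC8F7, 60118), (0x1E82, 50731), (0xA05B, 55490),
    (0x6DCE, 57305), (0xF239, 51686), (0x3B07, 59823), (0xD6A4, 54177),
]


def step_fraction(values, max_step=1):
    """Fraction of consecutive pairs whose difference (mod 2**16) lies in
    1..max_step. A value near 1.0 means the field is a plain counter and
    the next query's value can be guessed from the previous one."""
    if len(values) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(values, values[1:])
               if 1 <= (b - a) % 65536 <= max_step)
    return hits / (len(values) - 1)


def entropy_bits(values):
    """Shannon entropy of the observed values, in bits. With n samples this
    cannot exceed log2(n), so it is only a lower bound on the real field
    entropy; use it to spot repeats, not to certify randomness."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_resolver(queries, counter_threshold=0.9):
    """Classify a resolver's query pattern from (txid, sport) observations.
    Either a counter-like ID or a fixed port leaves an attacker with only
    the other field to guess, which is the condition the advisory warns about."""
    txids = [q[0] for q in queries]
    ports = [q[1] for q in queries]
    report = {
        "txid_counter_like": step_fraction(txids) >= counter_threshold,
        "port_fixed": len(set(ports)) == 1,
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "port_entropy_bits": round(entropy_bits(ports), 2),
    }
    report["predictable"] = report["txid_counter_like"] or report["port_fixed"]
    return report


if __name__ == "__main__":
    print("counter-style resolver:", assess_resolver(PREDICTABLE_QUERIES))
    print("randomized resolver:   ", assess_resolver(RANDOM_QUERIES))
```

On a real host the tuples would come from a packet capture of outbound port-53 queries; the check flags the pattern, the fix is the vendor patch.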