Microsoft, Late to the Game on Dangerous DNSSEC Zero-Day Flaw

June 13, 2024 at 10:42AM

Microsoft released a patch for a serious denial-of-service (DoS) vulnerability in the Domain Name System Security Extensions (DNSSEC) protocol. The vulnerability (CVE-2023-50868) affects multiple vendors and projects, including Unbound, BIND, dnsmasq, and PowerDNS. Despite patches being released earlier by other vendors, Microsoft issued a fix only recently, making it a zero-day threat from a Microsoft standpoint.

The article provides an overview of a recently patched DNSSEC vulnerability, identified as CVE-2023-50868, and another significant flaw known as CVE-2023-50387. These two vulnerabilities had the potential to cause DNS resolvers to exhaust their resources, leading to a denial-of-service (DoS) condition. Several vendors and projects, including Unbound, BIND, dnsmasq, PowerDNS, various Linux distros, and others, had released patches well before Microsoft. The article also touches on the delay in Microsoft’s response to CVE-2023-50868, which made it a zero-day threat from a Microsoft standpoint.

The article emphasizes the critical nature of these vulnerabilities and notes that cross-industry collaboration is vital for addressing and mitigating such flaws in foundational Internet technology. Coordination between vendors and security researchers has generally improved, but there is still significant variation in the speed and efficiency of patching across the industry.

In summary, the article highlights the importance of timely collaboration and efficient patching to address critical vulnerabilities in foundational Internet technologies, such as the DNSSEC flaws discussed.
