Microsoft's security team is still working on a patch for a critical bug in the company's server software.
The vulnerability in the Domain Name System Server Service of Windows 2000 Server SP4, Windows Server 2003 SP1 and Windows Server 2003 SP2, has been exploited since at least 13 April, although the company has continued to characterise those attacks as "limited”.
"Our teams are continuing to work on developing and testing updates...[but] we don't have any new estimates on release timelines," said Christopher Budd, program manager for the Microsoft Security Response Center (MSRC) on the group's blog. "I can say that our ongoing testing so far has not raised any issues that would make us believe we might be looking at a longer timeline."
Previously, Budd has said that MSRC was shooting for releasing a patch 8 May, the date of the next regularly-scheduled update. Security researchers, however, had earlier predicted that Microsoft would release an out-of-cycle fix, as it did on 3 April for the Windows animated cursor vulnerability.
Also over the weekend, Microsoft posted a new document on its Knowledge Base support site that spells out how IT administrators can deploy a workaround for the DNS Server bug to all domain controllers in the enterprise. Earlier guidance from Microsoft - as laid out in the security advisory it first published 13 April - only gave instructions on how to disable remote administration of the DNS service one machine at a time.
Microsoft's how-to relies on techniques taken from a blog posting by Jesper Johansson, a former Microsoft senior security strategist. "Our PSS [product support services] team took [Johansson's] idea, added some error handling to it, and built it into a KB," said Budd.
Last week, several botworms tried to exploit the vulnerability to hijack servers.