Microsoft Corporation Affected

Notified:  July 23, 2001 Updated: September 14, 2001

Status

Affected

Vendor Statement

Like [CERT] noted, this issue is addressed by a configuration change in the registry, as noted at: http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP That configuration change addresses the issue that this [note] is reporting. Currently, this is configuration setting is set to disabled by default, based on the performance penalties this introduces. However, we are making performance improvements and we are planning to change this default so that this is enabled by default starting with Service Pack 3 and with Windows .Net Server. We believe that this is a configuration issue rather than a vulnerability. The means to change this behavior is publicly documented and has been available via the KB article. Because there is a performance penalty with this change currently, customers have to make an informed risk assessment of the benefits of enabling this feature and the drawbacks. We're working to improve the performance to a point where we feel comfortable making this enabled by default. However, this change is a change in configuration settings and not a change in the product itself.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see additional information at: http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm http://msdn.microsoft.com/library/en-us/regentry/46753.asp