Although a Metasploit module has been released, and other code is available on exploit sites such as Milw0rm, attacks are few because the DNS server is generally not publicly facing, according to Ken Dunham, director of the Rapid Response Team at VeriSign iDefense.

Dunham said in a Saturday email that intranets have the greatest risk of exploitation.

"It is feasible that a bot may (spread through an intranet) to exploit vulnerable computers within the network to help it spread," he said. "For example, a bot may be programmed to spread through the recent ANI exploit to infect clients with bots and then use the zombie to exploit DNS RPS against the local domain controller to gain complete control over the entire network."

Microsoft updated its advisory on Sunday, noting that attackers can access the vulnerability over port 445 if they have valid login credentials.

-- via SC Magazine