Microsoft’s security team has said it is still working on a patch for a critical bug in the company's server software.
The vulnerability in the Domain Name System (DNS) Server service of Windows 2000 Server SP4, Windows Server 2003 SP1 and Windows Server 2003 SP2, has been exploited since at least 13 April, Microsoft has acknowledged, although the company characterised those attacks as "limited".
"Our teams are continuing to work on developing and testing updates...[but] we don't have any new estimates on release timelines," said Christopher Budd, programme manager for the Microsoft Security Response Centre (MSRC) on the group's blog. "I can say that our ongoing testing so far has not raised any issues that would make us believe we might be looking at a longer timeline."
Budd has previously said that MSRC was aiming to release a patch on 8 May, the date of the next scheduled monthly update. But security researchers have predicted that Microsoft would release an out of cycle fix, as it did on 3 April for the Windows animated cursor vulnerability.
Microsoft has also posted a new document on its Knowledge Base support site spelling out how IT administrators can deploy a workaround for the DNS Server bug to all domain controllers in the enterprise. Earlier guidance from Microsoft - laid out in a security advisory on 13 April - only gave instructions on how to disable remote administration of the DNS service one machine at a time.
Last week, several botworms tried to exploit the vulnerability to hijack servers.