The DNS cache poisoning bug that Microsoft Corp. patched last Tuesday stems from a flaw that has been known to researchers for 10 years or more, the two security firms credited with reporting the vulnerability said this week.
Microsoft patched the Domain Name System (DNS) server included with Windows 2000 Server and Windows Server 2003 to fix what it called a spoofing flaw that could be exploited by identity thieves or malware authors to silently redirect users from intended Web destinations to malicious pretenders.
A day later, the two security companies that Microsoft acknowledged for independently reporting the bug -- Scanit NV/SA of Brussels, Belgium, and Trusteer Ltd. of Tel Aviv, Israel -- published their analysis. The problem, said Scanit and Trusteer, is that Windows DNS server generates predictable transaction IDs, the security identifiers meant to make spoofing and cache poisoning difficult to impossible. Because the transaction IDs can be predicted, hackers can deceive the name server into thinking that false DNS data is legitimate.
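
As an added illustration (not code from Microsoft, Scanit or Trusteer), the following Python example shows how a defender could audit transaction IDs captured from their own resolver's outbound queries for the simplest form of predictability, a constant stride between successive IDs. The function names, the 0.5 threshold and the sample queries are assumptions constructed for this example; the article does not describe the actual Windows ID generator.

```python
import secrets
import struct
from collections import Counter

def build_query(txid, name="example.com"):
    """Constructed sample data: a minimal A/IN query carrying the given ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def txid_from_message(msg):
    """The transaction ID is the first 16 bits of the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    return struct.unpack("!H", msg[:2])[0]

def audit_txids(ids, threshold=0.5):
    """Flag a sequence whose successive differences (mod 2**16) are mostly one value."""
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    delta, count = Counter(deltas).most_common(1)[0]
    share = count / len(deltas)
    return {"predictable": share >= threshold, "dominant_delta": delta, "share": share}

def audit_capture(messages):
    """Extract the ID from each captured query and audit the sequence."""
    return audit_txids([txid_from_message(m) for m in messages])

# Constructed captures: a counter that wraps past 0xFFFF, and CSPRNG-drawn IDs.
WEAK_CAPTURE = [build_query((0xFFF0 + i) & 0xFFFF) for i in range(64)]
STRONG_CAPTURE = [build_query(secrets.randbelow(1 << 16)) for _ in range(64)]

if __name__ == "__main__":
    print("counter :", audit_capture(WEAK_CAPTURE))
    print("csprng  :", audit_capture(STRONG_CAPTURE))
```

A clean result from this check only rules out constant-stride generators; it does not show that the IDs are unpredictable.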