A dangerous error in the core element of how the Internet runs was patched in a coordinated release of updates issued by the vendors that sell Domain Name System (DNS) servers.
The flaw, discovered by security researcher Dan Kaminsky, director of penetration testing at IOActive Inc., affects virtually every system that connects to the Internet. In a briefing with reporters, Kaminsky said he discovered a fundamental design issue that couldn't be addressed by a single vendor. The flaw could allow an attacker to redirect Internet traffic.
"The severity of the bug is shown by the number of people who we've gotten on board to get this thing fixed," Kaminsky said. "This is not an individual issue. ... The same bug will show up in vendor after vendor after vendor."
Microsoft, Cisco Systems Inc., Internet Systems Consortium Berkeley Internet Name Domain, ISC BIND and other vendors are issuing the patches, which implements port randomization to correct the issue. Instead of randomizing on a transaction ID field of 16 bits, it will now randomize using 27-30 bits. Ultimately the patches will make a system that is already very random a lot more random, Kaminsky said.
Kaminsky said IT administrators need to evaluate their networks and locate their name servers in the next 30 days. Some servers will not be automatically updated by the patch release, he said. Kaminsky also released an automated DNS checker that can assess if a server is affected by the flaw.
The flaw was discovered about six months ago, Kaminsky said. A group of 16 researchers met at a Microsoft summit on March 31 to decide how to handle the issue.
Microsoft called its update a spoofing vulnerability in the way the DNS server handles Internet traffic. It labeled its security bulletin "important," and said the update introduces a new default for DNS port settings for Windows Server 2000 and Windows Server 2003.
Most experts said the flaw should be given a high priority, but some security pros are pointing out that the risk of an attack is low. Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn., said that while the risk is currently low, the attention the flaw is getting could be a motivator for attacks.
"This issue alone doesn't allow you to take over someone box," he said. "Really bad things can happen, but the likelihood of this occurring is probably low."
Kaminsky said he will release details of the flaw at the Black Hat 2008 conference on Aug. 7-8 in Las Vegas.
Rich Mogull, a former Gartner Inc. analyst, now an independent consultant and founder of Securosis LLC, said the severity of the fix can be seen by how a large group of vendors issued a coordinated group of patches.
"It's a very fundamental issue with how the entire addressing scheme for the internet works," Mogull said. "Most users will get this as part of their normal fixes, but it's extremely important for business departments to address this issue."
Wolfgang Kandek, chief technology officer at patching vendor Qualys Inc. called the update a relatively simple fix for IT administrators but said the patches need to be deployed carefully. DNS servers are very old and stable software components but they interact with routers and other company systems, he said.
"If you follow best practices then your DNS server is a dedicated machine and you should be able to deploy the update quickly," Kandek said.
Jerry Dixon, former director of the National Cyber Security Division of the Department of Homeland Security praised Kaminsky for working with vendors to correct the issue privately and manage the coordinated release.
"This is essentially a critical infrastructure for the Internet to function," Dixon said. "This shows the value-add of independent security researchers in the community … and the value of responsible disclosure."