Vendors rally to repair dangerous DNS flaw

By Robert Westervelt, News Editor 08 Jul 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

A dangerous error in the core element of how the Internet runs was patched in a coordinated release of updates issued by the vendors that sell Domain Name System (DNS) servers.

The severity of the bug is shown by the number of people who we've gotten on board to get this thing fixed. Dan Kaminsky, director of penetration testing, IOActive

The flaw, discovered by security researcher Dan Kaminsky, director of penetration testing at IOActive Inc., affects virtually every system that connects to the Internet. In a briefing with reporters, Kaminsky said he discovered a fundamental design issue that couldn't be addressed by a single vendor. The flaw could allow an attacker to redirect Internet traffic.

"The severity of the bug is shown by the number of people who we've gotten on board to get this thing fixed," Kaminsky said. "This is not an individual issue. ... The same bug will show up in vendor after vendor after vendor."

Microsoft, Cisco Systems Inc., Internet Systems Consortium Berkeley Internet Name Domain, ISC BIND and other vendors are issuing the patches, which implements port randomization to correct the issue. Instead of randomizing on a transaction ID field of 16 bits, it will now randomize using 27-30 bits. Ultimately the patches will make a system that is already very random a lot more random, Kaminsky said.

Kaminsky said IT administrators need to evaluate their networks and locate their name servers in the next 30 days. Some servers will not be automatically updated by the patch release, he said. Kaminsky also released an automated DNS checker that can assess if a server is affected by the flaw.

The flaw was discovered about six months ago, Kaminsky said. A group of 16 researchers met at a Microsoft summit on March 31 to decide how to handle the issue.

SearchSecurity radio:

Microsoft called its update a spoofing vulnerability in the way the DNS server handles Internet traffic. It labeled its security bulletin "important," and said the update introduces a new default for DNS port settings for Windows Server 2000 and Windows Server 2003.

Most experts said the flaw should be given a high priority, but some security pros are pointing out that the risk of an attack is low. Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn., said that while the risk is currently low, the attention the flaw is getting could be a motivator for attacks.

"This issue alone doesn't allow you to take over someone box," he said. "Really bad things can happen, but the likelihood of this occurring is probably low."

Kaminsky said he will release details of the flaw at the Black Hat 2008 conference on Aug. 7-8 in Las Vegas.

Rich Mogull, a former Gartner Inc. analyst, now an independent consultant and founder of Securosis LLC, said the severity of the fix can be seen by how a large group of vendors issued a coordinated group of patches.

"It's a very fundamental issue with how the entire addressing scheme for the internet works," Mogull said. "Most users will get this as part of their normal fixes, but it's extremely important for business departments to address this issue."

Wolfgang Kandek, chief technology officer at patching vendor Qualys Inc. called the update a relatively simple fix for IT administrators but said the patches need to be deployed carefully. DNS servers are very old and stable software components but they interact with routers and other company systems, he said.

"If you follow best practices then your DNS server is a dedicated machine and you should be able to deploy the update quickly," Kandek said.

Jerry Dixon, former director of the National Cyber Security Division of the Department of Homeland Security praised Kaminsky for working with vendors to correct the issue privately and manage the coordinated release.

"This is essentially a critical infrastructure for the Internet to function," Dixon said. "This shows the value-add of independent security researchers in the community … and the value of responsible disclosure."

Tags: Emerging Information Security Threats,  Windows Security: Alerts, Updates and Best Practices,  Network Device Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Emerging Information Security Threats New attack code targets Microsoft DirectShow zero-day vulnerability Adobe ColdFusion websites being compromised Antispyware buying guide for Indian enterprises ATM malware lets attackers take over machines FTC shutters rogue ISP for hosting malicious content, botnets The failing war against cybercriminals White House cybersecurity czar faces major hurdles Cybercrime and threat management The Pipe Dream of No More Free Bugs Face-off: Who should be in charge of cybersecurity? Windows Security: Alerts, Updates and Best Practices New attack code targets Microsoft DirectShow zero-day vulnerability When BIOS updates become malware attacks Microsoft patches WebDAV security vulnerability in bevy of updates Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Hackers targeting unpatched Microsoft DirectShow flaw Microsoft warns of IIS zero-day vulnerability Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw How to perform Microsoft Baseline Security Analyzer (MBSA) scans Microsoft patches serious Excel zero-day, Windows flaws Network Device Management Firewall rule management best practices What are best practices for fiber optic cable security? Enterprise UTM security: The best threat management solution? Making the case for network security configuration management Know when you need IDS, IPS or both SIEM: Not for small business, nor the faint of heart Evaluating MSSP security before taking the plunge Ixia network security tool exposes problems Product Review: Deepdive's DD300 Security services: Fiberlink's MaaS360 Mobility Platform

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary