Vendors rally to repair dangerous DNS flaw

By Robert Westervelt, News Editor 08 Jul 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

A dangerous error in the core element of how the Internet runs was patched in a coordinated release of updates issued by the vendors that sell Domain Name System (DNS) servers.

The severity of the bug is shown by the number of people who we've gotten on board to get this thing fixed. Dan Kaminsky, director of penetration testing, IOActive

The flaw, discovered by security researcher Dan Kaminsky, director of penetration testing at IOActive Inc., affects virtually every system that connects to the Internet. In a briefing with reporters, Kaminsky said he discovered a fundamental design issue that couldn't be addressed by a single vendor. The flaw could allow an attacker to redirect Internet traffic.

"The severity of the bug is shown by the number of people who we've gotten on board to get this thing fixed," Kaminsky said. "This is not an individual issue. ... The same bug will show up in vendor after vendor after vendor."

Microsoft, Cisco Systems Inc., Internet Systems Consortium Berkeley Internet Name Domain, ISC BIND and other vendors are issuing the patches, which implements port randomization to correct the issue. Instead of randomizing on a transaction ID field of 16 bits, it will now randomize using 27-30 bits. Ultimately the patches will make a system that is already very random a lot more random, Kaminsky said.

Kaminsky said IT administrators need to evaluate their networks and locate their name servers in the next 30 days. Some servers will not be automatically updated by the patch release, he said. Kaminsky also released an automated DNS checker that can assess if a server is affected by the flaw.

The flaw was discovered about six months ago, Kaminsky said. A group of 16 researchers met at a Microsoft summit on March 31 to decide how to handle the issue.

SearchSecurity radio:

Microsoft called its update a spoofing vulnerability in the way the DNS server handles Internet traffic. It labeled its security bulletin "important," and said the update introduces a new default for DNS port settings for Windows Server 2000 and Windows Server 2003.

Most experts said the flaw should be given a high priority, but some security pros are pointing out that the risk of an attack is low. Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn., said that while the risk is currently low, the attention the flaw is getting could be a motivator for attacks.

"This issue alone doesn't allow you to take over someone box," he said. "Really bad things can happen, but the likelihood of this occurring is probably low."

Kaminsky said he will release details of the flaw at the Black Hat 2008 conference on Aug. 7-8 in Las Vegas.

Rich Mogull, a former Gartner Inc. analyst, now an independent consultant and founder of Securosis LLC, said the severity of the fix can be seen by how a large group of vendors issued a coordinated group of patches.

"It's a very fundamental issue with how the entire addressing scheme for the internet works," Mogull said. "Most users will get this as part of their normal fixes, but it's extremely important for business departments to address this issue."

Wolfgang Kandek, chief technology officer at patching vendor Qualys Inc. called the update a relatively simple fix for IT administrators but said the patches need to be deployed carefully. DNS servers are very old and stable software components but they interact with routers and other company systems, he said.

"If you follow best practices then your DNS server is a dedicated machine and you should be able to deploy the update quickly," Kandek said.

Jerry Dixon, former director of the National Cyber Security Division of the Department of Homeland Security praised Kaminsky for working with vendors to correct the issue privately and manage the coordinated release.

"This is essentially a critical infrastructure for the Internet to function," Dixon said. "This shows the value-add of independent security researchers in the community … and the value of responsible disclosure."

Tags: Emerging Information Security Threats,  Windows Security: Alerts, Updates and Best Practices,  Network Device Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Emerging Information Security Threats Hackers to sharpen malware, malicious software in 2010 Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets Rand study urges caution on cyberwarfare attacks Windows Security: Alerts, Updates and Best Practices Exploit code targets Internet Explorer zero-day display flaw Windows 7 DoS flaw allows hackers to freeze Microsoft's newest OS Microsoft patches serious Windows kernel flaws Microsoft to address flaws in Windows, Office for Mac Microsoft fixes security update that breaks Internet Explorer What is the best database patch management process? Microsoft addresses critical SMBv2 flaw, fixes record number of flaws Microsoft to address SMB zero-day, IIS FTP Service vulnerabilities Microsoft releases temporary fix for SMB2 zero-day vulnerability Microsoft issues SMB vulnerability advisory, patch pending Network Device Management How to prepare for a secure network hardware upgrade Researchers find thousands of flawed embedded devices Is there a way to block iPhone widgets that bypass Web filters? Will an application usage policy best control network bandwidth? What is the difference between static and dynamic network validation? How to manage network bandwidth with distributed ISP bandwidth DNSSEC deployments gain momentum since Kaminsky DNS bug Firewall rule management best practices What are best practices for fiber optic cable security? The requirements for being a PCI DSS-compliant service provider

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) pulsing zombie  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary