DNS hole prompts synchronized patching effort by IT vendors

Microsoft, Cisco, others coordinate response to discovery of cache-poisoning flaw in protocol

July 8, 2008 12:00 PM ET

Computerworld - In a rare synchronized security move, Microsoft Corp., Cisco Systems Inc. and other IT vendors today released software patches aimed at addressing a fundamental design flaw in the Domain Name System (DNS) protocol used to direct traffic on the Internet.

The so-called DNS cache-poisoning flaw was discovered earlier this year by Dan Kaminsky, a researcher at security services firm IOActive Inc., but it wasn't publicized until today. The vulnerability could allow attackers to redirect Web traffic and e-mails to systems under their control, according to Kaminsky, who said in an interview that the flaw exists at the DNS protocol level and affects numerous products from multiple vendors.

Virtually every domain name server that resolves IP addresses on the Internet is vulnerable to the flaw and needs to be patched against it as quickly as possible to avoid potentially serious problems, such as companies having all of their network traffic rerouted to malicious Web sites or having employee e-mails captured by attackers, Kaminsky said.

Because of the seriousness of the issue, Kaminsky first communicated news of the flaw to the U.S. Computer Emergency Readiness Team (US-CERT) and to multiple vendors, all of which agreed to keep the discovery under wraps until they had patches ready. Kaminsky said that security researchers from 16 companies met at Microsoft's Redmond, Wash., campus in March to discuss a fix for the problem as well as a strategy for minimizing the potential damage that could result once the vulnerability's existence was disclosed.

Microsoft released a patch for the DNS flaw as part of its monthly Patch Tuesday set of software updates. Among the other organizations that issued patches today were Cisco and the Internet Systems Consortium Inc., which maintains the widely used Berkeley Internet Name Domain (BIND) technology.

BIND, an implementation of the DNS protocol that includes a DNS server and resolver library, is used on most domain name servers and distributed by vendors such as Sun Microsystems Inc. and Red Hat Inc., which both also issued advisories about the security flaw.

Despite the potential seriousness of the DNS cache-poisoning problem, there is no indication that it has been discovered by malicious hackers yet, according to Kaminsky. And he said that with patches available for the flaw, much of the immediate risk has been mitigated. Kaminsky noted that the patches have been designed in such a way as to minimize the chances of them being reverse-engineered in order to exploit the vulnerability.

An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.


