DNS hole prompts synchronized patching effort by IT vendors
Microsoft, Cisco, others coordinate response to discovery of cache-poisoning flaw in protocol
Computerworld - In a rare synchronized security move, Microsoft Corp., Cisco Systems Inc. and other IT vendors today released software patches aimed at addressing a fundamental design flaw in the Domain Name System (DNS) protocol used to direct traffic on the Internet.
The so-called DNS cache-poisoning flaw was discovered earlier this year by Dan Kaminsky, a researcher at security services firm IOActive Inc., but it wasn't publicized until today. The vulnerability could allow attackers to redirect Web traffic and e-mails to systems under their control, according to Kaminsky, who said in an interview that the flaw exists at the DNS protocol level and affects numerous products from multiple vendors.
Virtually every domain name server that resolves IP addresses on the Internet is vulnerable to the flaw and needs to be patched against it as quickly as possible to avoid potentially serious problems, such as companies having all of their network traffic rerouted to malicious Web sites or having employee e-mails captured by attackers, Kaminsky said.
Because of the seriousness of the issue, Kaminsky first communicated news of the flaw to the U.S. Computer Emergency Readiness Team (US-CERT) and to multiple vendors, all of which agreed to keep the discovery under wraps until they had patches ready. Kaminsky said that security researchers from 16 companies met at Microsoft's Redmond, Wash., campus in March to discuss a fix for the problem as well as a strategy for minimizing the potential damage that could result once the vulnerability's existence was disclosed.
Microsoft released a patch for the DNS flaw as part of its monthly Patch Tuesday set of software updates. Among the other organizations that issued patches today were Cisco and the Internet Systems Consortium Inc., which maintains the widely used Berkeley Internet Name Domain technology.
BIND, an implementation of the DNS protocol that includes a DNS server and resolver library, is used on most domain name servers and distributed by vendors such as Sun Microsystems Inc. and Red Hat Inc., which both also issued advisories about the security flaw.
Despite the potential seriousness of the DNS cache-poisoning problem, there is no indication that it has been discovered by malicious hackers yet, according to Kaminsky. And he said that with patches available for the flaw, much of the immediate risk has been mitigated. Kaminsky noted that the patches have been designed in such a way as to minimize the chances of them being reverse-engineered in order to exploit the vulnerability.
An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Malware and Vulnerabilities White Papers | Webcasts