DNS hole prompts synchronized patching effort by IT vendors
Microsoft, Cisco, others coordinate response to discovery of cache-poisoning flaw in protocol
Computerworld - In a rare synchronized security move, Microsoft Corp., Cisco Systems Inc. and other IT vendors today released software patches aimed at addressing a fundamental design flaw in the Domain Name System (DNS) protocol used to direct traffic on the Internet.
The so-called DNS cache-poisoning flaw was discovered earlier this year by Dan Kaminsky, a researcher at security services firm IOActive Inc., but it wasn't publicized until today. The vulnerability could allow attackers to redirect Web traffic and e-mails to systems under their control, according to Kaminsky, who said in an interview that the flaw exists at the DNS protocol level and affects numerous products from multiple vendors.
Virtually every domain name server that resolves IP addresses on the Internet is vulnerable to the flaw and needs to be patched against it as quickly as possible to avoid potentially serious problems, such as companies having all of their network traffic rerouted to malicious Web sites or having employee e-mails captured by attackers, Kaminsky said.
Because of the seriousness of the issue, Kaminsky first communicated news of the flaw to the U.S. Computer Emergency Readiness Team (US-CERT) and to multiple vendors, all of which agreed to keep the discovery under wraps until they had patches ready. Kaminsky said that security researchers from 16 companies met at Microsoft's Redmond, Wash., campus in March to discuss a fix for the problem as well as a strategy for minimizing the potential damage that could result once the vulnerability's existence was disclosed.
Microsoft released a patch for the DNS flaw as part of its monthly Patch Tuesday set of software updates. Among the other organizations that issued patches today were Cisco and the Internet Systems Consortium Inc., which maintains the widely used Berkeley Internet Name Domain technology.
BIND, an implementation of the DNS protocol that includes a DNS server and resolver library, is used on most domain name servers and distributed by vendors such as Sun Microsystems Inc. and Red Hat Inc., which both also issued advisories about the security flaw.
Despite the potential seriousness of the DNS cache-poisoning problem, there is no indication that it has been discovered by malicious hackers yet, according to Kaminsky. And he said that with patches available for the flaw, much of the immediate risk has been mitigated. Kaminsky noted that the patches have been designed in such a way as to minimize the chances of them being reverse-engineered in order to exploit the vulnerability.
An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts