Wednesday, July 9, 2008

Fundemental DNS Flaw

Yesterday, Dan Kaminsky, a security researcher disclosed a fundamental flaw with the Domain Name System (DNS), the mechanism that translates URLs into IP addresses and visa versa. This flaw makes it possible to guess values in advance and assert a malicious server as the authoritative DNS server for a any site, including bank and e-commerce sites.

Dan Kaminsky, director of penetration testing services for IO Active, found the DNS flaw earlier this year. Dan proactively worked with the affected parties prior to his public announcement. Although he did not disclose any technical details, he said, "the severity is shown by the number of people who've gotten onboard with this patch."

Back in March, Kaminsky said 16 researchers gathered at Microsoft to see whether they understood what was going on, as well as what would be a fix to affect the greatest number of people worldwide, and when they would issue this fix.

In a unified response to address the flaw, Kaminsky said the researchers all decided to conduct a synchronized, multivendor release. Accordingly, Microsoft in its July Patch Tuesday released MS08-037. Cisco Systems, Sun Microsystems, and BIND were expected to roll out patches on Tuesday as well.

The coordinated release covers a wide variety of vendors with DNS servers and DNS clients. Not all of the DNS client vendors have announced patches. Most systems will be patched automatically. Those that require a manual patch will have 30 days to patch their systems before additional details are made public.

This issue also affects Internet service providers used by home users, but hardware routers used by home users should not be affected.

Kaminsky intends to release details before Black Hat 2008, on August 7 and 8 in Las Vegas.

Not a day goes by without a new revelation of how malicious attackers can compromise your systems. Although this most recent security alert is far reaching and could potentially affect huge numbers of users, there are hundreds of other known vulnerabilities lurking in business systems. This is just more reinforcement to invest in ongoing vulnerability assessments.

To check to see if your system is vulnerable, Kaminsky has provided a DNS checker

No comments: