On Tuesday, major vendors released patches to address a flaw in the underpinnings of the Internet, in what researchers say is the largest synchronized security update in the history of the Web. Vendors and security researchers are hoping that their coordinated efforts will get the fix out to most of the systems that need it before attackers are able to identify the flaw and begin to exploit it. Attackers could use the flaw to control Internet traffic, potentially directing users to phishing sites or sites loaded with malicious software.
Discovered six months ago by security researcher Dan Kaminsky, director of penetration testing services at IOActive, the flaw is in the domain name system, a core element of the Web that helps systems connected to the Internet locate each other. Kaminsky likens the domain name system to the telephone company’s 411 system. When a user types in a Web address–technologyreview.com–the domain name system matches it to the numerical address of the corresponding Web server–220.127.116.11. It’s like giving a name to 411 and receiving a phone number, Kaminsky says.
The flaw that Kaminsky found could allow attackers to take control of the system and direct Internet traffic wherever they want it to go. The worst-case scenario, he says, could look pretty bleak. “You’d have the Internet, but it wouldn’t be the Internet you expect,” Kaminsky says. A user might type in the address for the Bank of America website, for example, and be redirected to a phishing site created by an attacker.
Details of the flaw are being kept secret for now. After Kaminsky discovered it, he quietly notified the major vendors of hardware and software for domain name servers. In March, he was one of 16 researchers who met at Microsoft’s Redmond, WA, campus to plan how to deal with the flaw without releasing information that could help attackers. The researchers began working with vendors to release patches simultaneously. Also, since patches are known for giving away information that can help attackers reverse-engineer malicious software, the researchers chose a fix that kept the exact nature of the problem hidden. “We’ve done everything in our power up to and including selecting an obscure fix to provide the good guys with as much of an advantage as possible,” Kaminsky says. “The advantage won’t last forever. We think–we hope–it’ll last a month.”
Since the flaw is in the design of the domain name system itself, it afflicts products made by a variety of vendors, including Microsoft, Cisco, Sun Microsystems, and Red Hat, according to a report released by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team. The flaw also poses more problems for servers than it does for Web surfers, so vendors are focusing on getting patches to Internet service providers and company networks that might be vulnerable. Most home users will be covered by automatic updates to their operating systems.