On Tuesday, major vendors released patches to address a flaw in the underpinnings of the Internet, in what researchers say is the largest synchronized security update in the history of the Web. Vendors and security researchers are hoping that their coordinated efforts will get the fix out to most of the systems that need it before attackers are able to identify the flaw and begin to exploit it. Attackers could use the flaw to control Internet traffic, potentially directing users to phishing sites or sites loaded with malicious software.

Discovered six months ago by security researcher Dan Kaminsky, director of penetration testing services at IOActive, the flaw is in the domain name system, a core element of the Web that helps systems connected to the Internet locate each other. Kaminsky likens the domain name system to the telephone company’s 411 system. When a user types in a Web address–technologyreview.com–the domain name system matches it to the numerical address of the corresponding Web server–69.147.160.210. It’s like giving a name to 411 and receiving a phone number, Kaminsky says.
The flaw that Kaminsky found could allow attackers to take control of the system and direct Internet traffic wherever they want it to go. The worst-case scenario, he says, could look pretty bleak. “You’d have the Internet, but it wouldn’t be the Internet you expect,” Kaminsky says. A user might type in the address for the Bank of America website, for example, and be redirected to a phishing site created by an attacker.
Details of the flaw are being kept secret for now. After Kaminsky discovered it, he quietly notified the major vendors of hardware and software for domain name servers. In March, he was one of 16 researchers who met at Microsoft’s Redmond, WA, campus to plan how to deal with the flaw without releasing information that could help attackers. The researchers began working with vendors to release patches simultaneously. Also, since patches are known to give away information that helps attackers reverse-engineer the underlying problem, the researchers chose a fix that kept the exact nature of the problem hidden. “We’ve done everything in our power up to and including selecting an obscure fix to provide the good guys with as much of an advantage as possible,” Kaminsky says. “The advantage won’t last forever. We think–we hope–it’ll last a month.”
Since the flaw is in the design of the domain name system itself, it afflicts products made by a variety of vendors, including Microsoft, Cisco, Sun Microsystems, and Red Hat, according to a report released by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team. The flaw also poses more problems for servers than it does for Web surfers, so vendors are focusing on getting patches to Internet service providers and company networks that might be vulnerable. Most home users will be covered by automatic updates to their operating systems.
Rich Mogull, an analyst with Securosis, says, “This is something that absolutely affects everyone who uses the Internet today.” While he notes that most home users won’t have to take action to address the flaw, he stresses that it’s very important for businesses to make sure that they’ve covered their bases. “It is an absolutely critical issue that can impede the ability of any business to carry out their normal operations,” he says.
Although Kaminsky was careful to avoid giving out too much information about the flaw that he discovered, he did say a few things about the nature of the fix. When a domain name server responds to a request for a website’s location, it provides a confirmation code that is one of 65,000 numbers, as assurance that the transaction is authentic. “What has been discovered,” Kaminsky says, “is that, for undisclosed reasons, 65,000 is just not enough, and we need a source of more randomness.” The new system will require the initial request to include two randomly generated identifiers, instead of the one it now contains. Both identifiers will automatically be returned in the server’s response. Kaminsky likens this to sending mail. Before the patch, it was possible to send a letter signed on the inside, but without a return address. After the patch, all “mail” sent from domain name system servers must include both a “signature”–the confirmation code–and the “return address”–the source port information.
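To put numbers on why a single 16-bit confirmation code is too little randomness, and to give administrators a way to check whether their resolver now sends the second identifier, here is an added example (not from the article or from any vendor’s patch). It assumes the confirmation code is a 16-bit transaction ID and that a patched resolver draws its source port from the ephemeral range 1024–65535; the port samples are constructed, not captured.

```python
# Added example, not from the article. Two defender-side helpers built on the
# numbers the article gives: a 16-bit transaction ID (about 65,000 values) and
# the patch's second identifier, a randomized UDP source port.
import math
import random

TXID_SPACE = 1 << 16       # 16-bit DNS transaction ID: 65,536 possible values
PORT_SPACE = 65536 - 1024  # assumed ephemeral port range 1024-65535 (64,512 values)


def search_space(randomized_ports: bool) -> int:
    """Number of (txid[, port]) combinations a blind forged reply must match."""
    return TXID_SPACE * (PORT_SPACE if randomized_ports else 1)


def forgery_success_probability(guesses: int, randomized_ports: bool) -> float:
    """Risk estimate: chance that at least one of `guesses` blind forged replies,
    each uniformly random, matches an outstanding query before the real answer
    arrives. Shows why the transaction ID alone is too little randomness."""
    return 1.0 - (1.0 - 1.0 / search_space(randomized_ports)) ** guesses


def guesses_for_probability(target: float, randomized_ports: bool) -> int:
    """Smallest number of blind replies that reaches `target` success probability."""
    space = search_space(randomized_ports)
    return math.ceil(math.log(1.0 - target) / math.log1p(-1.0 / space))


def port_randomization_verdict(ports: list[int]) -> str:
    """Classify source ports seen on a resolver's outgoing queries (for example
    from a packet capture on the resolver host): 'fixed' (one port reused),
    'sequential' (incrementing by one), or 'random'. Only 'random' supplies
    the "return address" entropy the patch relies on."""
    if len(set(ports)) == 1:
        return "fixed"
    if all(b - a == 1 for a, b in zip(ports, ports[1:])):
        return "sequential"
    return "random"


if __name__ == "__main__":
    for randomized in (False, True):
        print(f"randomized ports={randomized}: "
              f"{guesses_for_probability(0.5, randomized):,} blind replies for a 50% hit")
    rng = random.Random(2008)  # constructed samples standing in for captured ports
    samples = {
        "unpatched, fixed port": [53] * 20,
        "unpatched, counter": list(range(1024, 1044)),
        "patched": [rng.randrange(1024, 65536) for _ in range(20)],
    }
    for label, sample in samples.items():
        print(f"{label}: {port_randomization_verdict(sample)}")
```

Adding the randomized port multiplies the space a blind guess must hit by roughly 64,000, which is the difference between tens of thousands of forged replies and billions.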
Jeff Moss, CEO of Black Hat, a company that organizes conferences on security, stresses the importance, not only of the vulnerability, but also of the approach taken to patching it. “I don’t even want to ask Dan [Kaminsky] how much money he could have gotten for this bug had he decided to sell it,” Moss says.
Kaminsky says he’s glad that vendors were willing to work together to address the flaw. “Something of this scale has not yet happened before,” he says. “It is my hope that for any issue of this scale, especially design issues of this scale, this is the sort of thing that we can do in the future.” He plans to release full details of the vulnerability next month at the Black Hat security conference in Las Vegas.