On Tuesday, major vendors released patches to address a flaw in the underpinnings of the Internet, in what researchers say is the largest synchronized security update in the history of the Web. Vendors and security researchers are hoping that their coordinated efforts will get the fix out to most of the systems that need it before attackers are able to identify the flaw and begin to exploit it. Attackers could use the flaw to control Internet traffic, potentially directing users to phishing sites or sites loaded with malicious software.
Discovered six months ago by security researcher Dan Kaminsky, director of penetration testing services at IOActive, the flaw is in the domain name system, a core element of the Web that helps systems connected to the Internet locate each other. Kaminsky likens the domain name system to the telephone company’s 411 system. When a user types in a Web address–technologyreview.com–the domain name system matches it to the numerical address of the corresponding Web server–126.96.36.199. It’s like giving a name to 411 and receiving a phone number, Kaminsky says.
The flaw that Kaminsky found could allow attackers to take control of the system and direct Internet traffic wherever they want it to go. The worst-case scenario, he says, could look pretty bleak. “You’d have the Internet, but it wouldn’t be the Internet you expect,” Kaminsky says. A user might type in the address for the Bank of America website, for example, and be redirected to a phishing site created by an attacker.
Details of the flaw are being kept secret for now. After Kaminsky discovered it, he quietly notified the major vendors of hardware and software for domain name servers. In March, he was one of 16 researchers who met at Microsoft’s Redmond, WA, campus to plan how to deal with the flaw without releasing information that could help attackers. The researchers began working with vendors to release patches simultaneously. Also, since patches are known for giving away information that can help attackers reverse-engineer malicious software, the researchers chose a fix that kept the exact nature of the problem hidden. “We’ve done everything in our power up to and including selecting an obscure fix to provide the good guys with as much of an advantage as possible,” Kaminsky says. “The advantage won’t last forever. We think–we hope–it’ll last a month.”
Since the flaw is in the design of the domain name system itself, it afflicts products made by a variety of vendors, including Microsoft, Cisco, Sun Microsystems, and Red Hat, according to a report released by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team. The flaw also poses more problems for servers than it does for Web surfers, so vendors are focusing on getting patches to Internet service providers and company networks that might be vulnerable. Most home users will be covered by automatic updates to their operating systems.
Rich Mogull, an analyst with Securosis, says, “This is something that absolutely affects everyone who uses the Internet today.” While he notes that most home users won’t have to take action to address the flaw, he stresses that it’s very important for businesses to make sure that they’ve covered their bases. “It is an absolutely critical issue that can impede the ability of any business to carry out their normal operations,” he says.
Although Kaminsky was careful to avoid giving out too much information about the flaw that he discovered, he did say a few things about the nature of the fix. When a domain name server responds to a request for a website’s location, it provides a confirmation code that is one of 65,000 numbers, as assurance that the transaction is authentic. “What has been discovered,” Kaminsky says, “is that, for undisclosed reasons, 65,000 is just not enough, and we need a source of more randomness.” The new system will require the initial request to include two randomly generated identifiers, instead of the one it now contains. Both identifiers will automatically be returned in the server’s response. Kaminsky likens this to sending mail. Before the patch, it was possible to send a letter signed on the inside, but without a return address. After the patch, all “mail” sent from domain name system servers must include both a “signature”–the confirmation code–and the “return address”–the source port information.
Jeff Moss, CEO of Black Hat, a company that organizes conferences on security, stresses the importance, not only of the vulnerability, but also of the approach taken to patching it. “I don’t even want to ask Dan [Kaminsky] how much money he could have gotten for this bug had he decided to sell it,” Moss says.
Kaminsky says he’s glad that vendors were willing to work together to address the flaw. “Something of this scale has not yet happened before,” he says. “It is my hope that for any issue of this scale, especially design issues of this scale, this is the sort of thing that we can do in the future.” He plans to release full details of the vulnerability next month at the Black Hat security conference in Las Vegas.