We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A Patch to Fix the Net

A major flaw in the design of the Internet is being repaired by a large group of vendors.

On Tuesday, major vendors released patches to address a flaw in the underpinnings of the Internet, in what researchers say is the largest synchronized security update in the history of the Web. Vendors and security researchers are hoping that their coordinated efforts will get the fix out to most of the systems that need it before attackers are able to identify the flaw and begin to exploit it. Attackers could use the flaw to control Internet traffic, potentially directing users to phishing sites or sites loaded with malicious software.

Discovered six months ago by security researcher Dan Kaminsky, director of penetration testing services at IOActive, the flaw is in the domain name system, a core element of the Web that helps systems connected to the Internet locate each other. Kaminsky likens the domain name system to the telephone company’s 411 system. When a user types in a Web address–technologyreview.com–the domain name system matches it to the numerical address of the corresponding Web server– It’s like giving a name to 411 and receiving a phone number, Kaminsky says.

The flaw that Kaminsky found could allow attackers to take control of the system and direct Internet traffic wherever they want it to go. The worst-case scenario, he says, could look pretty bleak. “You’d have the Internet, but it wouldn’t be the Internet you expect,” Kaminsky says. A user might type in the address for the Bank of America website, for example, and be redirected to a phishing site created by an attacker.

Details of the flaw are being kept secret for now. After Kaminsky discovered it, he quietly notified the major vendors of hardware and software for domain name servers. In March, he was one of 16 researchers who met at Microsoft’s Redmond, WA, campus to plan how to deal with the flaw without releasing information that could help attackers. The researchers began working with vendors to release patches simultaneously. Also, since patches are known for giving away information that can help attackers reverse-engineer malicious software, the researchers chose a fix that kept the exact nature of the problem hidden. “We’ve done everything in our power up to and including selecting an obscure fix to provide the good guys with as much of an advantage as possible,” Kaminsky says. “The advantage won’t last forever. We think–we hope–it’ll last a month.”

Since the flaw is in the design of the domain name system itself, it afflicts products made by a variety of vendors, including Microsoft, Cisco, Sun Microsystems, and Red Hat, according to a report released by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team. The flaw also poses more problems for servers than it does for Web surfers, so vendors are focusing on getting patches to Internet service providers and company networks that might be vulnerable. Most home users will be covered by automatic updates to their operating systems.

Rich Mogull, an analyst with Securosis, says, “This is something that absolutely affects everyone who uses the Internet today.” While he notes that most home users won’t have to take action to address the flaw, he stresses that it’s very important for businesses to make sure that they’ve covered their bases. “It is an absolutely critical issue that can impede the ability of any business to carry out their normal operations,” he says.

Although Kaminsky was careful to avoid giving out too much information about the flaw that he discovered, he did say a few things about the nature of the fix. When a domain name server responds to a request for a website’s location, it provides a confirmation code that is one of 65,000 numbers, as assurance that the transaction is authentic. “What has been discovered,” Kaminsky says, “is that, for undisclosed reasons, 65,000 is just not enough, and we need a source of more randomness.” The new system will require the initial request to include two randomly generated identifiers, instead of the one it now contains. Both identifiers will automatically be returned in the server’s response. Kaminsky likens this to sending mail. Before the patch, it was possible to send a letter signed on the inside, but without a return address. After the patch, all “mail” sent from domain name system servers must include both a “signature”–the confirmation code–and the “return address”–the source port information.

Jeff Moss, CEO of Black Hat, a company that organizes conferences on security, stresses the importance, not only of the vulnerability, but also of the approach taken to patching it. “I don’t even want to ask Dan [Kaminsky] how much money he could have gotten for this bug had he decided to sell it,” Moss says.

Kaminsky says he’s glad that vendors were willing to work together to address the flaw. “Something of this scale has not yet happened before,” he says. “It is my hope that for any issue of this scale, especially design issues of this scale, this is the sort of thing that we can do in the future.” He plans to release full details of the vulnerability next month at the Black Hat security conference in Las Vegas.

Couldn't get to Cambridge? We brought EmTech MIT to you!

Watch session videos here
Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.