• On The Insider: Tila Tequila Announces Engagement
July 8, 2008 11:41 AM PDT

Massive, coordinated DNS patch released

by Robert Vamosi
  • Font size
  • Print
  • 7 comments

A security researcher has responsibly disclosed a fundamental flaw within the Domain Name System (DNS), the addressing scheme behind the common names used on the Internet. Currently, it may be possible to guess these transaction ID values in advance and assert a malicious server as the authoritative DNS server for a popular bank or e-commerce site. The news was announced Tuesday.

Dan Kaminsky, director of penetration testing services for IO Active, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with them first. Without disclosing any technical details, he said, "the severity is shown by the number of people who've gotten onboard with this patch."

He declined to name the flaw as that would give away details.

On March 31, Kaminsky said 16 researchers gathered at Microsoft to see whether they understood what was going on, as well as what would be a fix to affect the greatest number of people worldwide, and when they would issue this fix.

Toward addressing the flaw, Kaminsky said the researchers all decided to conduct a synchronized, multivendor release. As part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco Systems, Sun Microsystems, and BIND are also expected to roll out patches later on Tuesday.

The coordinated release covers a wide variety of vendors. Art Manion of US-CERT (United States Computer Emergency Readiness Team) said vendors with DNS servers have been contacted, and there's a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.

Dan Kaminsky has provided a free DNS checker on his Web site.

(Credit: Doxpara.com)

Most systems will be patched automatically. However, those that are not will have 30 days to be patched manually before additional details are made public.

This issue also affects Internet service providers used by home users. In the coming days, ISPs are expected to apply the patch to their systems. Hardware routers used by home users should not be affected.

Kaminsky said he will release details in time for Black Hat 2008, on August 7 and 8 in Las Vegas. However, Microsoft in its security bulletin said its patch uses strongly random DNS transaction IDs, random sockets for UDP (User Datagram Protocol) queries, and updates the logic used to manage the DNS cache."

Kaminsky did confirm that the patches released today will increase DNS randomness: "Where we had 16-bit before, we now have 32 bits."

To check to see if your system is vulnerable, Kaminsky has provided a DNS checker.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Security

Tags:

security,

Dan Kaminsky,

IO Active,

DNS patch,

Domain Name System

Share:
Digg
Del.icio.us
Reddit
Recent posts from Defense in Depth
Window Snyder to leave Mozilla
How to handle ID fraud's youngest victims
Is white listing going mainstream?
How Live OneCare changed the antivirus landscape
Express Scripts clients threatened with extortion
Study: DDoS attacks threaten ISP infrastructure
Security expert talks Russian gangs, botnets
Extortion used in Express Scripts database breach
Related
Microsoft plugs zero-day IE hole
Trend Micro forecasts future threats
Adobe to patch zero-day Reader, Acrobat hole
Firefox 3.5.6 patches critical security holes
Apps and ops don't meet--but they will
Crave giveaway of the week: official rules (3)
Crave giveaway of the day: official rules (1)
Digital City Podcast Giveaway: Official Rules
Add a Comment (Log in or register) (7 Comments)
  • prev
  • 1
  • next
by gagahput3ra July 8, 2008 12:31 PM PDT
why does it show "Error establishing a database connection" on the DNS Checker webpage? If the website got attacked in an attempt to protect "the greatest number of people worldwide", this will be the biggest joke of internet security this year.
Reply to this comment
by pencoyd July 8, 2008 3:36 PM PDT
OpenDNS was never vulnerable, so you might want to try their free service. http://www.opendns.com/
Reply to this comment
by Spiderrman July 8, 2008 3:46 PM PDT
Don't know about Vista, but on XP ZoneAlarm ceases to function unless it is turned off or the firewall setting for Internet is set to Medium from High.
Reply to this comment
by dragonstar125 July 9, 2008 12:20 AM PDT
that ture spider but its due to the microsoft update to fix the dns server patch grrrrrr so do set zone alarm to meduim i have sent email to zone alarm about this hope they fix asap :(
Reply to this comment
by portiadacosta July 9, 2008 2:08 AM PDT
Ah, could this be why I couldn't connect to the internet this morning after installing the latest security patch, on my WinXP SP3 system? I use Zone Alarm too.

I uninstalled the security patches for the time being.

I also use Open DNS, would that have any bearing on the problem?
Reply to this comment
by dragonstar125 July 9, 2008 8:09 AM PDT
reinstall the patches but before do so set internet setting in zone alarm to mediuim and your still safe :) it works for me as said above :)
by bt_ July 23, 2008 10:35 AM PDT
"Where we had 16-bit before, we now have 32 bits." ? said Dan Kaminsky welcoming the DNS patches coming out as if we are safe now.

Wrong! We still have the fundamental flaw ? we are still using something (DNS as we use WEP, VLAN, etc) that has not been designed for (security).

New ?finding? did not change the quality to the better ? it just changed the quantity of the feature. It means that when our computing recourses become faster we would be able to ?break? the randomness of 32 bits as easy as we can do it today for 16. Then what?

Poor work, too much fuzz...

We have to focus efforts on the DNS re-architecture and re-design - from scratch and having security requirements put forth for the new development.

/bt_
Reply to this comment
(7 Comments)
  • prev
  • 1
  • next
advertisement

Five New Year's resolutions for Google

Stakes are high as Google attempts to maintain one of the Internet's greatest cash machines while pushing into new and risky markets.
• Android event set for Jan. 5

For eBay sellers, a holiday hamster hangover

The gift frenzy over Zhu Zhu Pets leaves some power sellers feeling like they've just run a marathon--but the steep price tags lead to some impressive profits.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET