DNS Flaw Unfixed as Experts Argue Protocol

Speculation continues as to what the ultimate systemic Domain Name System (DNS) flaw could be.

Speculation continues as to what the ultimate systemic Domain Name System (DNS) flaw could be. This flaw apparently allows Web surfers to be spoofed, directing them to fake Web sites to gain passwords and load malware on their computers.

The flaw was first revealed by Dan Kaminsky, a researcher at security firm IOActive Inc., although Kaminsky largely withheld the technical details of the exploit.

In a Friday morning press conference, Kaminsky said that many of the patches released by various IT vendors and security firms reacting to his bug discovery (reported by CNet are at best temporary fixes to a more pervasive problem. Kaminsky added that he would be disclosing further findings at the Black Hat security conference in Las Vegas next month.

Kaminski argued that there should be a blackout date on discourse and research about the vulnerability until then. In contrast, IT security gadfly Halvar Flake, who is also CEO and head of research at Sabre Security, outlined a hypothesis for the DNS flaw in his blog and disagreed with the blackout.

"Let's assume that the DNS problem is sufficiently complicated that an average person that has some background in security, but little idea of protocols or DNS, would take N days to figure out what is problem is. So clearly, the assumption behind the 'discussion blackout' is that no evil person will figure it out before the end of the N days [blackout]," Flake wrote.

Flake's proposed method of finding the vulnerability came about when he ran tests that involved sending spoofed protocol transfer requests to a nameserver, a gate-keeping function for IP language, which converts text domain names into numeric IP addresses. Through this process, an attacker sets up a Web page with tags that are routed to a corrupt nameserver. When a user visits that Web page, the browser may be fooled into associating a legitimate name server with the page.

The DNS vector should be considered a pervasive threat to enterprise systems.

The U.S. Computer Emergency Readiness Team, about two weeks ago -- around the time of Kaminsky's initial announcement -- issued an advisory describing the issue. It listed more than 80 vendors whose products are affected by the vulnerability, including names like Microsoft, Cisco Systems, Sun Microsystems Inc. and Red Hat, among others.

Having a reliable DNS cache exploit in place increases the probability that a hacker can redirect an unsuspecting Web surfer to a malicious Web site, an attack called "phishing."

"Phishing attacks were already on the rise against the increasing number of hosted enterprises services," said Andrew Storms, director of security at San Francisco-based IT security firm nCircle. "I don't think we've seen the last of these problems. The temporary solutions are to immediately patch your system in the meantime because the risk to corporate networks is one of the more serious risks enterprises face."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Clarifies Project Cortex's Scope, IT Controls and Product Delivery in Q&A

    Microsoft recently offered a Q&A session on Project Cortex, its emerging "knowledge network" solution for Microsoft 365 users.

  • How To Use .CSV Files with PowerShell, Part 2

    In the second part of this series, Brien shows how to import a .CSV file into a PowerShell array, including two methods for zooming in on just the specific data you need and filtering out the rest.

  • Windows 10 Preview Adds Ability To Display Linux Distro Files

    Microsoft on Wednesday announced Windows 10 preview build 19603, which adds easier access to installed Linux distro files using Windows File Explorer.

  • Microsoft 365 Business To Get Azure Active Directory Premium P1 Perks

    Subscribers to Microsoft 365 Business (which is being renamed this month to "Microsoft 365 Business Premium") will be getting Azure Active Directory Premium P1 licensing at no additional cost.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.