Updated: The patch for critical Internet flaw may be flawed itself

A Russian researcher has reported there are holes in the patch for the DNS flaw that threatened the foundations of the Internet.

Just a month ago, Dan Kaminsky told the world that the Internet’s Domain Name System (DNS), which routes Internet users to the proper addresses for web sites, could be compromised. He had organized a months-long effort to create a patch to fix the problem. But now it appears the patch doesn’t fully do the job, according to a story in the New York Times. It confirms Kaminsky’s own warning that the patch was a stopgap measure and that worse things were coming.

Evgeniy Polyakov, a physicist, said that he figured out a flaw in the patch for DNS, which is like the Internet’s telephone book, in just ten hours of work. He posted the news on his blog. Kaminsky said at Black Hat this week that the threat of the flaw was wider than he announced on July 8. That’s because there are a series of common Internet functions — such as sending a new password to a user who has forgotten it — that depend on the accuracy of DNS addresses. (Our interview with Kaminsky).

Meanwhile, companies such as Secure64, which makes a secure operating system, are advocating a shift from DNS to a more secure form of the addressing system, dubbed DNSSEC. But it will likely take a long time for such an infrastructure shift to be implemented.

The patch is still better than no patch at all.

“The question is, if you are in a boat, which would you rather have – a gaping hole letting water flood in, or a pinhole?” said Brian Dickson, a DNS expert, in an email. “Hint: With a pinhole leak, you have the option of bailing water out of your boat until help arrives… with a gaping hole, not so much.”

Update: Kaminsky said today that the hack on the patch isn’t particularly alarming and that he predicted it would be possible in his own talk. He noted that before the patch, it would take 32,000 packets and a very short amount of time to crack DNS addressing systems. The attack used by the Russian researcher took 10 hours with a high-speed link using billions of packets. That risk, Kaminsky said, was an acceptable one and it means that the community should now proceed with implementing a permanent fix.
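The numbers Kaminsky cites follow directly from how much a forger has to guess. Before the patch a resolver's only unpredictable value was the 16-bit transaction ID, so on average about half of 65,536 guesses (roughly 32,000) hit; the patch adds a randomized UDP source port, which multiplies that space into the billions. The script below is an added example, not code from the article or from any of the people it quotes: it scores a resolver's source-port behaviour from observed (transaction ID, source port) pairs, the way an operator checking whether their resolver actually got the patch would, and shows the guess-space arithmetic behind the article's figures. All sample data is constructed inline (no network access), and the verdict thresholds are this example's own assumptions.

```python
"""Assess a resolver's UDP source-port randomization from observed queries.

Added example with constructed data only; the POOR/FAIR/GOOD thresholds
are assumptions chosen for illustration, not any vendor's or test site's rule.
"""
import math
import random
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution."""
    counts = Counter(ports)
    total = len(ports)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_sequential(ports):
    """True if every port is the previous one plus a small constant step.

    A sequential allocator has high entropy over a sample yet is trivially
    predictable, so entropy alone is not a sufficient check.
    """
    if len(ports) < 3:
        return False
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return len(steps) == 1 and 0 < steps.pop() <= 2


def expected_guesses(bits):
    """Average blind guesses needed to hit one value in a uniform space of
    2**bits values: half the space. 16 bits -> 32768 (the article's ~32,000);
    16 TXID bits + 16 port bits -> 2147483648 (the article's 'billions')."""
    return 2 ** bits // 2


def assess_resolver(observed):
    """observed: list of (txid, source_port) pairs seen from one resolver,
    e.g. logged at an authoritative server the resolver queried."""
    ports = [p for _, p in observed]
    entropy = port_entropy_bits(ports)
    # n samples can show at most log2(n) bits, whatever the true port range
    max_entropy = math.log2(len(ports))
    if is_sequential(ports) or entropy < 1.0:
        verdict = "POOR"   # fixed or predictable port: only the TXID protects you
    elif entropy >= 0.9 * max_entropy:
        verdict = "GOOD"   # ports look uniformly random across the sample
    else:
        verdict = "FAIR"   # some randomization, but skewed or narrow range
    return {
        "verdict": verdict,
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy, 2),
        "guesses_txid_only": expected_guesses(TXID_BITS),
        "guesses_txid_plus_16bit_port": expected_guesses(TXID_BITS + 16),
    }


def constructed_samples(kind, n=256, seed=1):
    """Constructed (txid, port) pairs for three resolver behaviours."""
    rng = random.Random(seed)
    if kind == "fixed":          # unpatched: always queries from port 53
        ports = [53] * n
    elif kind == "sequential":   # OS-assigned ephemeral ports, in order
        ports = [40000 + i for i in range(n)]
    else:                        # patched: random ephemeral port per query
        ports = [rng.randrange(1024, 65536) for _ in range(n)]
    return [(rng.randrange(0, 1 << TXID_BITS), p) for p in ports]


if __name__ == "__main__":
    for kind in ("fixed", "sequential", "random"):
        print(kind, assess_resolver(constructed_samples(kind)))
```

Run on the three constructed resolvers the script reports POOR for the fixed-port and sequential cases and GOOD for the randomized one; in practice the observed pairs would come from your own authoritative server's query log or a port-test service, and the useful check is the verdict plus the distinct-port count, not the entropy figure on its own.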


About the Author, Dean Takahashi

Dean is lead writer for GamesBeat at VentureBeat. He covers video games, security, chips and a variety of other subjects. Dean previously worked at the San Jose Mercury News, the Wall Street Journal, the Red Herring, the Los Angeles Times, the Orange County Register and the Dallas Times Herald. He is the author of two books, Opening the Xbox and the Xbox 360 Uncloaked. Follow him on Twitter at @deantak, and follow VentureBeat on Twitter at @venturebeat.

  • Andy
    Sorry to be a downer, but that's not a "gaping hole" and this isn't news. When the patch was released, Kaminsky and the others said that their strategy (port randomization) doesn't fix the problem, it just makes it harder to exploit. This guy got his box's cache poisoned in half a day - pre-patch, it would take ten minutes. So the patch isn't flawed - the people who came up with it knew that it had these limits.