The entire underpinnings of the Internet are vulnerable to a major bug in how Internet addresses are managed, security researchers announced today. The problem is so big that dozens of companies and government organizations have secretly synchronized an effort to fix it.
The companies — from Microsoft to Cisco to AT&T — are all releasing patches today or in the next few days to eliminate the major vulnerability, which was discovered early this year by security researcher Dan Kaminsky. He kept it a secret until a conference call with the press today. (His site, doxpara.com, has a tool to test for the vulnerability, but it has been overwhelmed with traffic.)
“The severity of this bug is shown by the number of those who are on board with the patches,” Kaminsky said.
The researchers say they will fully describe the vulnerability in 30 days, after companies that operate web sites or Internet service providers can put the patches in place. The risks were so big that Kaminsky and the companies involved brought in government agencies such as the Department of Homeland Security and the U.S. Computer Emergency Response Team.
“If a bad guy had found this before Dan did, it would have been very bad,” said Rich Mogull, a former Gartner analyst and independent security researcher at Securosis. Mogull has a description of the problem at his site. He added, “Computers use the equivalent of address books to figure out where they need to go on the web. This attack could compromise that by attacking the servers that give out the addresses and tricking people to go to a web site where they don’t want to go.”
In an unprecedented effort, the agencies and companies began working on a coordinated fix. In March, 16 engineers from major organizations converged at Microsoft’s campus to work out how to fix the problem. They determined that a coordinated response on the fix was the only way to prevent the vulnerability from being exploited by spammers, virus writers and others.
The companies plan on distributing the patch during the next month as widely as possible. Most home users will receive automatic updates that protect them. All businesses will have to update their networks.
“This is the largest synchronized security update in the history of the Internet, and is the result of hard work and dedication across dozens of organizations,” Kaminsky said in a statement.
The bug is in the Domain Name System, or DNS, which is the system for translating the locations of network computers into Internet addresses. The flaw is in the design of the DNS protocol itself and is thus not limited to any single product that uses it. If someone hijacks a DNS server, they can redirect an unsuspecting Internet surfer to a malicious web site. A hacker targeting an Internet Service Provider, or ISP, could replace the entire Web (as accessible through that ISP) — search engines, social networks, banks — with their own malicious content. DNS is used by every computer on the Internet to know where to find other computers. Those attacking corporations could reroute network traffic and capture emails and other sensitive business data.
CERT issued a bulletin saying that deficiencies in the DNS protocol make it possible for hackers to create “DNS cache poisoning attacks.” The precise name of the flaw hasn’t been released yet, since the accuracy of the name would give too many clues to hackers. CERT says such cache poisoning is not a new phenomenon in itself but the new information creates a much bigger risk of successful attacks.
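Cache poisoning succeeds when a resolver accepts a forged reply in place of the real one. The model below is an added illustration, not code from the article or from any vendor’s patch: a toy caching resolver that accepts a reply only when it matches an outstanding query on name, transaction ID and source server (the checks a standard resolver performs), and a small detector that counts the replies it had to reject. A burst of rejected replies for a single name is the observable a defender can alert on. The log format, the addresses, the threshold and every log line are constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed resolver log (hypothetical format, not from any real product).
# "query" lines record a question the resolver sent out; "reply" lines record
# answers that arrived on the resolver's socket, whoever actually sent them.
LOG = """\
2008-07-08T10:00:00 query qname=www.example.net txid=0x4f21 dst=192.0.2.53
2008-07-08T10:00:00 reply qname=www.example.net txid=0x4f21 src=192.0.2.53 answer=192.0.2.10
2008-07-08T10:00:01 query qname=bank.example.org txid=0x9c3e dst=192.0.2.53
2008-07-08T10:00:01 reply qname=bank.example.org txid=0x0001 src=192.0.2.53 answer=203.0.113.7
2008-07-08T10:00:01 reply qname=bank.example.org txid=0x0002 src=192.0.2.53 answer=203.0.113.7
2008-07-08T10:00:01 reply qname=bank.example.org txid=0x0003 src=192.0.2.53 answer=203.0.113.7
2008-07-08T10:00:01 reply qname=bank.example.org txid=0x9c3e src=198.51.100.9 answer=203.0.113.7
2008-07-08T10:00:02 reply qname=bank.example.org txid=0x9c3e src=192.0.2.53 answer=192.0.2.80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>query|reply) qname=(?P<qname>\S+) "
    r"txid=(?P<txid>0x[0-9a-fA-F]+) (?:dst|src)=(?P<peer>\S+)"
    r"(?: answer=(?P<answer>\S+))?$"
)


@dataclass
class Pending:
    """What the resolver remembers about a question it has sent and not yet answered."""
    txid: int
    server: str


@dataclass
class Resolver:
    cache: dict = field(default_factory=dict)          # qname -> accepted answer
    pending: dict = field(default_factory=dict)        # qname -> Pending
    mismatches: dict = field(default_factory=lambda: defaultdict(int))  # qname -> rejected replies

    def send_query(self, qname, txid, server):
        self.pending[qname] = Pending(txid, server)

    def receive(self, qname, txid, source, answer):
        """Accept a reply only if it matches an outstanding query on every field
        the resolver can check. Anything else is dropped and counted, because a
        reply nobody asked for is exactly what a poisoning attempt looks like."""
        p = self.pending.get(qname)
        if p is None or p.txid != txid or p.server != source:
            self.mismatches[qname] += 1
            return False
        self.cache[qname] = answer
        del self.pending[qname]
        return True


def replay(log_text):
    """Feed the constructed log through the toy resolver and return its state."""
    r = Resolver()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        txid = int(m["txid"], 16)
        if m["kind"] == "query":
            r.send_query(m["qname"], txid, m["peer"])
        else:
            r.receive(m["qname"], txid, m["peer"], m["answer"])
    return r


def suspicious_names(resolver, threshold=3):
    """Names that drew at least `threshold` rejected replies (threshold is an assumed value)."""
    return sorted(n for n, c in resolver.mismatches.items() if c >= threshold)


if __name__ == "__main__":
    state = replay(LOG)
    print("cache:", state.cache)
    print("rejected replies per name:", dict(state.mismatches))
    print("worth alerting on:", suspicious_names(state))
```

In the constructed log, www.example.net resolves cleanly, while bank.example.org receives three replies with wrong transaction IDs and one with the right ID but the wrong source before the genuine answer arrives; all four are rejected and only the genuine one reaches the cache. The point for a defender is the counter, not the cache: a resolver that only drops bad replies silently gives no signal, whereas one that logs rejected replies per name lets you see an attempt even when it fails.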
So far, Kaminsky said, there is no evidence that any hackers are exploiting the vulnerability. He also said that the good news is that it’s hard to figure out what the flaw is simply by analyzing the patches being distributed; reverse-engineering a patch to find the flaw it fixes is a common hacker technique. But researchers say that the vulnerability is likely to become public within a few weeks, which means companies have to patch their networks as rapidly as possible.
Kaminsky is going to publish details of the flaw at the Black Hat security conference in Las Vegas on Aug. 6. He said he found the flaw by a “complete accident.”
Jeff Moss, organizer of Black Hat, said that the patching of the flaw will take away a “fantastic tool” for spammers and virus writers, who could have used it to steal the identities of Internet surfers.
Kaminsky was praised by officials on the call for delaying the disclosure of the flaw until everybody could get a response in place. Asked what the worst-case scenario would have been if the bad guys found the flaw first, Kaminsky said, “The Internet wouldn’t be the Internet you’d expect.”
“Dan followed the responsible disclosure process,” said Jerry Dixon, director of analysis at the security firm Cymru and former director of the cyber security division at the Department of Homeland Security. “If you disclose too early, the victim count goes up. This could have been huge, if you think about adversaries out there like organized crime that would have exploited this.”
Dixon said that he was surprised that no one leaked the information about the bug, given the large numbers of agencies and companies involved.
[photo credit: Flickr: Lancust]