Patch (The Entire Internet) Tuesday

by Open-Publishing - Wednesday 9 July 2008

Security experts are scrambling to patch a newly-discovered security flaw in a key component of the Internet infrastructure that could expose consumers and businesses to increased risk of attack by scam artists and virus writers.

Yesterday, computer software and hardware industry leaders, including Cisco, Microsoft, and Sun Microsystems, coordinated the release of software updates to plug the security hole, which involves a fundamental design flaw in the domain name system. DNS is the communications standard that acts as a kind of telephone book for the Internet, translating human-friendly Web site names like example.com into numeric addresses that are easier for networking equipment to handle and route.

Dan Kaminsky, director of penetration testing for Seattle-based security firm IOActive and the discoverer of the vulnerability, said attackers could use the flaw to "poison" the DNS records of network providers. In such an attack scenario, when customers of a targeted ISP try to visit a banking Web site with their browser, their browsers might instead be silently redirected to a counterfeit bank site controlled by the attackers.

The updates Microsoft released Tuesday fix the problem in computers powered by its Windows operating system. But Kaminsky said the larger issue lies at the Internet service provider and corporate level, as many businesses that run DNS servers have yet to update their systems to guard against the vulnerability.

In fact, even regular home users who apply the Microsoft updates could still be vulnerable if their ISP hasn’t yet addressed the problem. (Kaminsky has a tool up on his Web site that allows visitors to tell if their ISP or employer is vulnerable to the flaw. Visiting that site from my home PC indicates that my provider — Cox Communications — in Northern Virginia has not yet fixed this flaw on their end.)

Kaminsky said while end users should be concerned about this flaw, they shouldn’t panic, and there is no evidence to date that hackers have figured out how to exploit the DNS vulnerability.

"No one needs to ring up their ISP’s call centers saying ’Why isn’t this patched yet?’" he said.

Another way to protect your computer is to use a free DNS security service I have recommended in the past — OpenDNS. This service should protect your system and network against this vulnerability, regardless of whether your ISP has addressed the problem on their end.

Kaminsky said he discovered the flaw about six months ago "by complete accident," but quickly realized it had the potential to affect the behavior of almost any device connected to the Internet. On March 31, he met with 16 different researchers from around the world at Microsoft’s headquarters in Redmond to strategize about how to inform all of the affected companies and coordinate a patch release.

"Design bugs are interesting in that they don’t just constrain themselves to one implementation or company," Kaminsky said. "Because they’re behaving as designed, the same bug will show up in vendor after vendor. So this affects not just Cisco and Microsoft, but everyone."

The researchers also reached out to U.S. government officials and those of several other nations, said Art Manion, who heads a vulnerability analysis team at the U.S. Computer Emergency Response Team. The group released an advisory listing more than 90 software and network equipment makers whose products may be affected by the flaw.

Kaminsky declined to offer specific details about the flaw, saying he didn’t want to give criminals any help in figuring out how to exploit the security hole before a critical mass of Internet providers have had enough time to address it. But he promised to divulge more next month at the annual Black Hat hacker convention, which Security Fix will be attending again this year.

Black Hat founder Jeff Moss praised Kaminsky for helping to coordinate the fixing of the flaw, instead of merely turning it over to a vulnerability auction house or to a growing number of entities that purchase security flaws for competitive reasons.

"What Dan has done is significant for the stability of the entire Internet and takes away a vital tool that I’m sure if spammers and virus writers knew about they would use to great effect," Moss said. "Dan could have sold this bug for hundreds of thousands of dollars. There’s so much money involved [in the vulnerability research space] now that it gets harder for someone to just altruistically give something like this away."

One final note: It appears that the Microsoft patch for this DNS vulnerability (KB951748/MS08-037) is already creating problems for some Zone Alarm Firewall users. ZoneAlarm advises users who are experiencing problems after installing the update to uninstall the Microsoft patch for the time being.

http://blog.washingtonpost.com/secu...


Solutions for KB951748 and Zone Alarm Incompatibility Issue

New DNS Security Update from Microsoft Renders Computers Unable to Reach the Internet

Computers around the world have been shut off from the internet by Microsoft’s latest security update, KB951748. Microsoft issued KB951748 as an update to fix a DNS (Domain Name System) security flaw on computers running Windows XP, Windows Server 2003, and the client side of Windows 2000 Server. However, the update does not play nicely with the popular firewall security program Zone Alarm. Zone Alarm is a highly regarded internet security program designed to protect computers from unauthorized access, viruses, and other malware that may be encountered on the web. Zone Alarm has become popular in part because ZoneLabs, its creator, offers a basic version for free at zonealarm.com.

Makers of Zone Alarm say uninstall KB951748

ZoneLabs, the maker of Zone Alarm, recommends completely uninstalling Microsoft’s KB951748 until the problem is corrected. Unfortunately, if you have this problem, you have no internet access to find out about this solution. Other users report that shifting their Zone Alarm firewall setting from High to Medium restores access to the internet. However, lowering the security setting on the Zone Alarm firewall increases the chances of your computer being subjected to a security breach.

Microsoft to gain Firewall Market Share?

Windows does have its own built-in firewall, and computers running the Windows firewall instead of the one from Zone Alarm have not had similar issues with the KB951748 update. As a result, Microsoft may end up damaging an important internet security competitor through this inadvertent compatibility issue between the Windows DNS update and Zone Alarm’s firewall program. If users remove the Zone Alarm firewall and start using the built-in Windows firewall, then Microsoft stands to gain market share at Zone Alarm’s expense.

http://www.associatedcontent.com/ar...