In a rare synchronized security move, Microsoft, Cisco Systems and other IT vendors Wednesday released software patches aimed at addressing a fundamental design flaw in the Domain Name System (DNS) protocol used to direct traffic on the Internet.
The so-called DNS cache poisoning flaw was discovered earlier this year by Dan Kaminsky, a researcher at security services firm IOActive, but it wasn't publicized until Wednesday. The vulnerability could allow attackers to redirect Web traffic and e-mails to systems under their control, according to Kaminsky, who said in an interview that the flaw exists at the DNS protocol level and affects numerous products from multiple vendors.
Virtually every domain name server that resolves IP addresses on the Internet is vulnerable to the flaw and needs to be patched against it as quickly as possible to avoid potentially serious problems, such as companies having all of their network traffic re-routed to malicious Web sites or having employee e-mails captured by attackers, Kaminsky said.
Because of the seriousness of the issue, Kaminsky first communicated news of the flaw to the US Computer Emergency Readiness Team (US-CERT) and to multiple vendors, all of which agreed to keep the discovery under wraps until they had patches ready. Kaminsky said that security researchers from 16 companies met at Microsoft's Redmond campus in March to discuss a fix for the problem as well as a strategy for minimizing the potential damage that could result once the vulnerability's existence was disclosed.
Microsoft released a patch for the DNS flaw as part of its monthly "Patch Tuesday" set of software updates. Among the other organizations that issued patches today were Cisco and the Internet Systems Consortium, which maintains the widely used Berkeley Internet Name Domain technology.
BIND, an implementation of the DNS protocol that includes a DNS server and resolver library, is used on most domain name servers and distributed by vendors such as Sun Microsystems and Red Hat, which both also issued advisories about the security flaw.
Despite the potential seriousness of the DNS cache poisoning problem, there is no indication that it has been discovered by malicious hackers yet, according to Kaminsky. And he said that with patches available for the flaw, much of the immediate risk has been mitigated. Kaminsky noted that the patches have been designed in such a way as to minimize the chances of them being reverse-engineered in order to exploit the vulnerability.
An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.
Microsoft issued a patch for a separate DNS cache poisoning flaw last November. The software vendor gave the latest DNS vulnerability an "important" severity rating, one step below its top rating of "critical."
Nonetheless, Kaminsky and others said the vulnerability is a bona fide threat to users. "It's not good when the DNS goes bad," Kaminsky said. "At the end of the day, the DNS controls where people go on the Internet. Everything depends on it."