Thursday, August 07, 2008

DNS flaws expose many services (exploit chaining with old defects)

The flaws discovered in DNS recently by Dan Kaminsky have existed for years. He linked several of them together, a concept known as "exploit chaining" to reveal a much more serious flaw. His technique makes it possible to hijack and misdirect a user's web browser to a malicious web site, even in cases where the user types the correct URL. '

That, of course, completely makes a fool of Verisign's Ken Silva, chief technology officer, who's been running around to the press saying irresponsible if not utterly foolish things like:
"We have anticipated these flaws in DNS for many years and we have basically engineered around them."

Kudos to Mr. Kaminsky, for working in private with the major vendors of DNS server software, who had patches ready to go before the flaw was announced. This kept the script kiddies from having a field day with the vulnerabilities, which were endemic to nearly all DNS servers.

Apparently there remain some issues not yet addressed, as the vendors focused initially on HTTP and web browsers.

Net address bug worse than feared

DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours.

"Quite frankly, all the pieces of this have been staring us in the face for decades," said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world's DNS servers.