
Patch (The Entire Internet) Tuesday

Security experts are scrambling to patch a newly discovered security flaw in a key component of the Internet infrastructure that could expose consumers and businesses to increased risk of attack by scam artists and virus writers.

Yesterday, computer software and hardware industry leaders, including Cisco, Microsoft and Sun Microsystems, coordinated the release of software updates to plug the security hole (tracked as CVE-2008-1447), which stems from a fundamental design flaw in the domain name system. DNS is the communications standard that acts as a kind of telephone book for the Internet, translating human-friendly Web site names like example.com into the numeric IP addresses that networking equipment uses to route traffic.

Dan Kaminsky, director of penetration testing for Seattle-based security firm IOActive and the discoverer of the vulnerability, said attackers could use the flaw to "poison" the DNS records of network providers. In such an attack scenario, when customers of a targeted ISP try to visit a banking Web site with their browser, their browsers might instead be silently redirected to a counterfeit bank site controlled by the attackers.

The updates Microsoft released Tuesday fix the problem in computers running its Windows operating system. But Kaminsky said the larger issue lies at the Internet service provider and corporate level, as many businesses that run DNS servers have yet to update their systems to guard against the vulnerability.

In fact, even regular home users who apply the Microsoft updates could still be vulnerable if their ISP hasn't yet addressed the problem, because it is the ISP's recursive name server, not the home PC, that answers their lookups. (Kaminsky has posted a tool on his Web site that lets visitors check whether the resolver used by their ISP or employer is vulnerable to the flaw. Visiting that site from my home PC indicates that my provider -- Cox Communications -- in Northern Virginia has not yet fixed this flaw on their end.)
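The check described above comes down to one measurement: does the resolver vary the UDP source port and 16-bit transaction ID of its outbound queries, or can an off-path attacker predict them and forge a reply? The script below is an added example, not code from the original post or from Kaminsky's online checker. It builds and parses minimal DNS query packets, classifies a resolver's observed (source port, transaction ID) behaviour as an authoritative server would see it, and estimates how many forged replies a blind spoofer would need for even odds. The sample observations are constructed for the example; crediting a "varied" dimension with only its observed range is a deliberately conservative assumption of this example, not a figure from the page.

```python
"""Resolver source-port and transaction-ID predictability check.

Added example; not code from the original post nor from Kaminsky's checker.
A resolver that sends every outbound query from one UDP source port (or walks
ports sequentially) leaves only the 16-bit transaction ID for an off-path
attacker to guess when spoofing a reply.  All samples below are constructed.
"""
import math
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035, 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")
TXID_SPACE = 1 << 16


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal recursive (RD=1) A/IN query for `name` with `txid`."""
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in name.rstrip(".").split(".")
    )
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_txid(packet: bytes) -> int:
    """Return the transaction ID from the first two bytes of a DNS packet."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("packet shorter than a DNS header")
    return DNS_HEADER.unpack_from(packet)[0]


def classify(values):
    """'fixed' if one value is reused, 'sequential' if a constant stride, else 'varied'."""
    if len(set(values)) == 1:
        return "fixed"
    deltas = {b - a for a, b in zip(values, values[1:])}
    if len(deltas) == 1:
        return "sequential"
    return "varied"


def replies_for_success(space: int, target: float) -> int:
    """Forged replies n such that 1 - (1 - 1/space)**n >= target."""
    if space <= 1:
        return 1
    return math.ceil(math.log(1 - target) / math.log(1 - 1 / space))


def assess_resolver(observed):
    """observed: list of (udp_src_port, txid) pairs for queries from one resolver,
    as an authoritative server would record them.  Returns the patterns, a
    lower-bound guess space, and the forged replies needed for a 50% hit."""
    ports = [p for p, _ in observed]
    txids = [t for _, t in observed]
    port_pattern = classify(ports)
    txid_pattern = classify(txids)
    # A predictable dimension contributes nothing to the attacker's search;
    # a varied one is credited only with the range actually observed (assumption).
    port_space = 1 if port_pattern != "varied" else max(ports) - min(ports) + 1
    txid_space = 1 if txid_pattern != "varied" else max(txids) - min(txids) + 1
    space = port_space * txid_space
    return {
        "port_pattern": port_pattern,
        "txid_pattern": txid_pattern,
        "guess_space": space,
        "replies_for_50pct": replies_for_success(space, 0.5),
        "vulnerable": port_pattern != "varied",
    }


# Constructed samples (not captured traffic): eight queries each, (port, txid).
FIXED_PORT_RESOLVER = [
    (53, 0x1A2B), (53, 0x9C4D), (53, 0x03E7), (53, 0x7B10),
    (53, 0xD2A9), (53, 0x4F6E), (53, 0xE801), (53, 0x2C33),
]
RANDOM_PORT_RESOLVER = [
    (41873, 0x1A2B), (60217, 0x9C4D), (32011, 0x03E7), (57390, 0x7B10),
    (49655, 0xD2A9), (35428, 0x4F6E), (63201, 0xE801), (44902, 0x2C33),
]

if __name__ == "__main__":
    for label, sample in (("fixed port", FIXED_PORT_RESOLVER),
                          ("random port", RANDOM_PORT_RESOLVER)):
        print(label, assess_resolver(sample))
    print("txid of built query:", hex(parse_txid(build_query("example.com", 0x1A2B))))
```

With a fixed source port the attacker's search collapses to the transaction ID alone, tens of thousands of forged packets, which fits in seconds on a fast link; randomizing the port multiplies that by the port range in use. Feeding real observations in requires a name you control so that you can watch the queries arrive at your own authoritative server, which is what the online checker does on your behalf.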

Kaminsky said while end users should be concerned about this flaw, they shouldn't panic, and there is no evidence to date that hackers have figured out how to exploit the DNS vulnerability.

"No one needs to ring up their ISP's call centers saying 'Why isn't this patched yet?'" he said.

Another way to protect your computer is to use a free DNS security service I have recommended in the past -- OpenDNS. Because your computer then sends its lookups directly to OpenDNS's resolvers instead of your ISP's, this service should protect your system and network against this vulnerability regardless of whether your ISP has addressed the problem on their end.

Kaminsky said he discovered the flaw about six months ago "by complete accident," but quickly realized it had the potential to affect the behavior of almost any device connected to the Internet. On March 31, he met with 16 different researchers from around the world at Microsoft's headquarters in Redmond to strategize about how to inform all of the affected companies and coordinate a patch release.

"Design bugs are interesting in that they don't just constrain themselves to one implementation or company," Kaminsky said. "Because they're behaving as designed, the same bug will show up in vendor after vendor. So this affects not just Cisco and Microsoft, but everyone."

The researchers also reached out to U.S. government officials and those of several other nations, said Art Manion, who heads a vulnerability analysis team at the U.S. Computer Emergency Readiness Team (US-CERT). The group released an advisory listing more than 90 software and network equipment makers whose products may be affected by the flaw.

Kaminsky declined to offer specific details about the flaw, saying he didn't want to give criminals any help in figuring out how to exploit the security hole before a critical mass of Internet providers have had enough time to address it. But he promised to divulge more next month at the annual Black Hat hacker convention, which Security Fix will be attending again this year.

Black Hat founder Jeff Moss praised Kaminsky for helping to coordinate the fixing of the flaw, instead of merely turning it over to a vulnerability auction house or to a growing number of entities that purchase security flaws for competitive reasons.

"What Dan has done is significant for the stability of the entire Internet and takes away a vital tool that I'm sure if spammers and virus writers knew about they would use to great effect," Moss said. "Dan could have sold this bug for hundreds of thousands of dollars. There's so much money involved [in the vulnerability research space] now that it gets harder for someone to just altruistically give something like this away."

One final note: It appears that the Microsoft patch for this DNS vulnerability (KB951748/MS08-037) is already creating problems for some ZoneAlarm firewall users. ZoneAlarm advises users who are experiencing problems after installing the update to uninstall the Microsoft patch for the time being.

By Brian Krebs  |  July 9, 2008; 12:32 AM ET
Categories:  From the Bunker , Latest Warnings , New Patches , U.S. Government  

Comments

I was trying to post this info on the Apple Remote Exploit entry, but it wouldn't allow the post .... sorry to do it here; maybe you can move it.

there's a free patch for 10.4 and 10.5 available at
http://theiphoneproject.org/index.php/component/content/article/3-releases/86-ard-patcher

download link
http://theiphoneproject.org/index.php/downloads?func=select&id=14

also available to download from VersionTracker and MacUpdate

cheers!

Posted by: free ARD Patch | July 9, 2008 12:35 AM | Report abuse

DNS attacks are not new, but can be very serious. The classic scenario is one where the attacker caches bogus answers and bogus data in the tree. The effect is that a trusted ISP's site is spoofed and the user is redirected to the attacker's site.

The solutions are to
1. Use notify options to restrict zone transfers (TCP).
2. Perform a reverse look-up and get back the name of the trusted host or return the attacker's host. (clever)
3. Perform a double-reverse look-up to look up "THIS HOST" name.
4. Set up a working decoy DNS server, perhaps in your DMZ.
5. There are many, many more solutions, e.g. xfernets in Unix.

DNS authentication is just one more reason why enterprises, data centers, governments, health care, card processors, and all industries, should consider bringing in a professional to evaluate their security vulnerabilities.

Posted by: George Cox of New York City | July 9, 2008 1:04 AM | Report abuse

Brian,

Please let us know more about people unable to get back online after installing MS update KB951748. Larry Seltzer blogged about a (possible) Zone Alarm conflict blocking DNS? Someone else on a MS board said ZA users aren't the only ones affected.

Glad I never use automatic updates...

Thanks, KW

Posted by: Keith Warner | July 9, 2008 2:17 AM | Report abuse

OOPS! Sorry, Brian. Just caught your final note...

Posted by: Keith Warner | July 9, 2008 2:23 AM | Report abuse

Well, after downloading the provided data link, it seems my server with Earthlink is subject to DNS cache poisoning.

Earthlink has been made aware of this article today and my guess is they will be addressing it ASAP on their servers.

Posted by: brucerealtor | July 9, 2008 5:10 AM | Report abuse

Not just Zone Alarm users. It is causing problems for Ashampoo users too!

Posted by: neil | July 9, 2008 6:25 AM | Report abuse

The article title is misleading. We djbdns users will be drinking beer while the rest of the Internet pays for their sins.

Posted by: mike | July 9, 2008 10:24 AM | Report abuse

I installed the Microsoft patch (KB 951748) on a couple of machines here, and we encountered problems too -- we use ZoneAlarm. An interesting aspect of the problem we saw was that, while any attempt to retrieve a page with a browser times out (we tried Firefox 3.0, IE 7, and Opera 9.51), we can from a command prompt reach arbitrary sites. For example,
> ping my.yahoo.com
and
> tracert blog.washingtonpost.com
both work as expected.

Uninstalling the patch gets everything working again.

Posted by: Rich Gibbs | July 9, 2008 11:11 AM | Report abuse

is the www.kaspersky.com AV site down? - cannot access this site!

Posted by: ADB | July 9, 2008 11:30 AM | Report abuse

@ADB:
www.kaspersky.com is up and accessible as of 11:43 AM. If you can't get there, or have other problems accessing the Web, you might try uninstalling the KB 951748 update for Windows.

Posted by: Rich Gibbs | July 9, 2008 11:45 AM | Report abuse

Thanks - but why only this site? I can get to evrything else...

Posted by: ADB | July 9, 2008 11:59 AM | Report abuse

The folks at ZoneAlarm have a notice up about the update problem, which may be helpful to folks who need to work around it:

http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html

Posted by: Rich Gibbs | July 9, 2008 12:01 PM | Report abuse

Brian,

Thanks for a bright spot in the storm of confusion surrounding data loss. My involvement is in the hands on training of employees in the broader scope of handling non-public information, not specifically IT related.
My blog is;
http://jtidtheftblog.blogspot.com/

Thanks again.

Posted by: John Taylor | July 9, 2008 12:04 PM | Report abuse

I particularly enjoyed Mr. Kaminsky's explanation of how he found the exploit. No mention of Dan Bernstein publicly posting on the subject on his web site in 2003, of course.

The version of DNS I use was fixed in 2003. Why did other vendors require public embarrassment to finally fix it now? Because it was no longer "theoretical"?

Posted by: PCP | July 9, 2008 12:29 PM | Report abuse

SANS is reporting that this vulnerability was discovered and reported in 2005.

http://isc.sans.org/diary.html?storyid=4693

I do not know enough about the vulnerability that Kaminsky discovered to confirm or deny SANS' statement.

Posted by: RJ | July 9, 2008 12:36 PM | Report abuse

I also cannot access www.kaspersky.com - but seem to be able to access everything else, what gives?

Posted by: SammyB | July 9, 2008 2:03 PM | Report abuse

Apple's Leopard 10.5.4 tested and it fails. The earlier Tiger, Panther, and Jaguar also tested. Tiger always fails; strangely Panther and Jaguar sometimes pass. No suggestion why.

Posted by: Rick | July 9, 2008 2:04 PM | Report abuse

Unfortunately, installing the security patches from yesterday can disallow any access to the Internet- email or web sites. I had to do a system restore to before the patches were installed to get back on line. I was talking with Comcast while I was doing the restore in case it did not work. After I indicated it was successful is when they told me about the patch problem and that turning off my firewalls and restarting them could also fix the problem. They said they had other customers experiencing the same issue. It is curious they did not mention this up front since they said they had other customers with the problem.

W

Posted by: Persson | July 9, 2008 2:56 PM | Report abuse

General Counsel for Earthlink was referred to this article.

Early this afternoon legal counsel with Earthlink called me back, thanked me for the referral to this article, read it and will be taking immediate action to secure the entire Earthlink network from this issue.

Thanks Brian for the heads up.

Posted by: brucerealtor | July 9, 2008 3:01 PM | Report abuse

FYI...

DNS Checker:
- http://www.doxpara.com/?page_id=1159
Dan Kaminsky - July 9, 2008

//

Posted by: J. Warren | July 9, 2008 3:19 PM | Report abuse

Is it better to get rid of the Microsoft patches or Zone Alarm? My feeling is that we should get rid of Zone Alarm. I spent a half-hour on the phone to get to my ISP who simply told me to check Zone Alarm, if I had it. Which is better to do? My laptop without Zone Alarm is fine.

Posted by: George11 | July 9, 2008 4:18 PM | Report abuse

While the test results show:
"Your name server, at 209.244.7.133, appears vulnerable to DNS Cache Poisoning."

My ISP replied:
"DNS server addresses are as follows.
*205.152.37.23
*205.152.144.23
*205.152.132.23"

Where is the disconnect?

Posted by: GeorgeM | July 9, 2008 6:24 PM | Report abuse

ZoneAlarm says to use the internet security slider and set it to medium instead of high. That works. But are we at risk when moving the security on Zonealarm to medium?

Posted by: Linda | July 9, 2008 6:31 PM | Report abuse

Sorry it was Microsoft who told me to move my security slider on ZoneAlarm to medium.

Posted by: Linda | July 9, 2008 6:33 PM | Report abuse

ZoneAlarm says to remove the patch

Posted by: Linda | July 9, 2008 6:35 PM | Report abuse

@George11
I would, on balance, remove the Microsoft patch and leave the ZoneAlarm firewall in place. The patch protects against one specific DNS vulnerability. According to SANS [http://isc.sans.org/], there's no evidence of that being exploited in a big way just now. The firewall protects you against a whole class of attacks, so I think it's better to leave it in place, at least in the short term.

I'd expect there to be a fix for this pretty quickly. I plan to monitor what's going on; if we go a week or two and there's still no progress on a fix, then I might start looking for an alternative firewall.

@SammyB, ADB:
I don't know what to suggest w/r/t Kaspersky; I can still get to it fine. You might try accessing by an actual IP address; 85.12.57.107 seems to be one from the following ping, which I just did:

PING www.kaspersky.com (85.12.57.107) 56(84) bytes of data.
64 bytes from kasperskycom9.kaspersky-labs.com (85.12.57.107): icmp_seq=1 ttl=48 time=90.3 ms

Posted by: Rich Gibbs | July 9, 2008 8:33 PM | Report abuse

George,

Excellent question! Your ISP has DNS servers that are either:

1) Multihomed, meaning they have multiple IP addresses, or
2) Set up in a chain. The primary name server that can be compromised is the last link in the chain. Their last link is vulnerable. You're being given the addresses of the first link.

Posted by: Dan Kaminsky | July 9, 2008 9:25 PM | Report abuse

To me the story here is the cure, not the "disease." It is completely ridiculous for Microsoft to release a security update that will suddenly throw millions of people offline for no apparent reason and take them hours or days to resolve. ZoneAlarm is widely used (because it is easier to use and offers more control than the Windows firewall) and Microsoft knows this. They should have worked with the ISPs to fix the issues at that level before pushing it downstream to end users -- this is exactly the kind of arrogance that makes people hate Microsoft.

Posted by: nycues | July 9, 2008 11:02 PM | Report abuse

Zone Alarm new versions posted this evening fix the problem -- links on this page:

http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html

Be sure to re-install MS security update KB951748 (and any other security updates you may have uninstalled), and turn Windows Automatic Updates back on (through the Security Center, which in turn is accessible in the Control Panel).

Life is back to normal . . .

Posted by: Richard | July 10, 2008 12:40 AM | Report abuse

I had ZA running on three XP machines, all of which had the new patches. I first tried uninstalling ZA, because I'm behind a router and have the XP firewall, but on all three machines the most recent free version of ZA would not uninstall through Add/Remove programs. On one PC, I used the uninstall.exe in Local Settings/User/Temp, and it worked. On another, three tries using the Add/Remove approach finally worked. Both of these attempts were aided by shutting down ZA before trying to uninstall it, but ZA would not let me unselect the option to have it initiate on startup--WTF?? So I had to use msconfig, ensure it was disabled, and then followed the two routes listed above. On the third machine, none of these efforts have worked(including reinstalling using last night's new updates, removing the hotfix, doing a system restore). I don't like having software that won't let me uninstall it, free or not. So on the third PC I'm going to try editing the registry, search for DLLs in System 32 folders, etc, as described at http://forum.zonelabs.org/zonelabs/board/message?board.id=inst&message.id=74826

BTW, Comcast subscribers can download the full McAfee suite for free (firewall, antivirus, etc.), as I found out last night, so that's my replacement for this disappointingly buggy ZoneAlarm.

Posted by: ashley | July 10, 2008 9:40 AM | Report abuse

ZoneAlarm now has a patch out that fixes the incompatibility problem.
Go to Zonelabs.com
-click on the support button,
-then select technical support,
-you'll see their banner about the problem
-download the new version (save to hard drive)
-install (no need to uninstall the older version of Zone Alarm first).
-during installation, you can choose either update or clean install -- both will get the job done. The former maintains your current settings, the latter is a clean start

Posted by: Towson | July 10, 2008 11:05 AM | Report abuse

As noted by Richard and Towson, ZoneAlarm does have a new version (7.0.483.0) available. I installed it this morning on a couple of XP machines that had experienced the loss-of-access problem (and subsequently had the MS patch removed). Both update installs were without incident. Following the required reboot, I then reinstalled the MS patch [KB 951748], and did *its* required reboot -- and now everything seems to be working fine.

Posted by: Rich Gibbs | July 10, 2008 3:39 PM | Report abuse

Brian Krebs, the loss of Internet access for ZoneAlarm folks should have its own separate blog article. Think of how many unaware people may be calling their broadband provider now.

Posted by: Fairfax, VA | July 11, 2008 4:22 AM | Report abuse

I just downloaded ZoneAlarms patch and, not taking anything for granted, scanned it with ZoneAlarm. I was surprised to find it identified as a virus...

"Exploit.PHP.Userpic.a"

... a google search brings up talk of false positives but surely ZoneAlarm wouldn't release a patch like this only to then identify it as a virus by mistake, or would they?

Maybe it's safe, maybe it's not.
Maybe Microsoft are waging a secret war against ZoneAlarm in preparation for their monopoly on the Firewall market.
I don't know, but I think I'll wait till things play out a little before I install the ZoneAlarm patch and in the meantime uninstall "KB 951748".

Posted by: p00pd00d | July 11, 2008 1:37 PM | Report abuse

Do not perform a system restore or uninstall the update KB951748 from Add/Remove Programs.
Click Start > Run > type $ntuninstallkb951748$
Open the "Spuninst" folder, then execute spuninst.exe and uninstall the update.
This resolves the problem.
***If you have tried a system restore, this step will not help***
geo_boy_22@yahoo.co.in

Posted by: Vijayendra | July 12, 2008 10:53 AM | Report abuse


The exploit for this dns bug is out. http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

Posted by: Suresh Ramasubramanian | July 23, 2008 9:55 PM | Report abuse


© 2010 The Washington Post Company