YADV – Yet Another DNS Vulnerability!

Holy crap, our helpdesk has been lit up like a Christmas tree today. Without any warning, CERT (the Computer Emergency Response Team) issued another DNS vulnerability report last night (http://www.kb.cert.org/vuls/id/800113) and many of our customers called in today asking if we have a patch to address it.
 
Essentially the problem is that it is possible for hackers to redirect your web queries to non-legit sites by hacking your ISP’s DNS server using "spoofed" responses. So for instance, when you type in ibank.barclays.co.uk to do your on-line banking, instead of going to the real Barclays internet banking site, you go to a non-legit site that "looks" like the Barclays internet banking site. Then you type in your username and password and hackers use this information to attempt to hack into your account on the real site. Of course it’s not just internet banking, but any site that requires you to enter personal information, such as credit card details. So you might think your typing your credit card details into amazon.com but really it’s a hacker’s web site designed to look just like amazon.com. They then capture your details and go on a spending spree! This is why this DNS problem is so important and why we’ve been inundated with calls today.
 
Unfortunately our DNS vendor has been a bit slow off the mark and will not have a GA "production ready" release available for a few more weeks. This is especially embarrassing when I learnt that one of our main competitors has already released a patch, and in fact have had it available for a month now.
 
So it sounds like the competitor and half the world have subscribed to the ISC’s "BIND forum" (http://www.isc.org/index.pl?/sw/guild/bf/) whereas our vendor does not seem to bother, or ignores everything that is going on and buries their head in the sand. Depressing.
 
Even Microsoft have released a hotfix already that seems to be a bit of a monster (http://support.microsoft.com/kb/953230). Their "consumer friendly" page is here: http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx. It’s fair to say that a lot of work has been going on in the background before CERT went public. I’m pretty annoyed our vendor has been so lackadaisical – it’s like they just don’t care, and yet they have the biggest market share in the IPAM market (not for much longer if they carry on like this).
 
Here’s a summary of the problem from Microsoft:

This security update resolves two privately reported vulnerabilities in the Windows Domain Name System (DNS) that could allow spoofing. These vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems.

This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008.

The security update addresses the vulnerabilities by using strongly random DNS transaction IDs, using random sockets for UDP queries, and updating the logic used to manage the DNS cache.

Advertisements
This entry was posted in Computers and Internet. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s