funsec mailing list archives
Leaks in Patch for Web Security Hole
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sat, 9 Aug 2008 10:29:23 -0400
http://www.nytimes.com/2008/08/09/technology/09flaw.html?_r=1&oref=slogin&re f=technology&pagewanted=print August 9, 2008 Leaks in Patch for Web Security Hole By JOHN MARKOFF <http://topics.nytimes.com/top/reference/timestopics/people/m/john_markoff/i ndex.html?inline=nyt-per> SAN FRANCISCO - Faced with the discovery of a serious flaw in the Internet's workings, computer network administrators around the world have been rushing to fix their systems with a cobbled-together patch. Now it appears that the patch has some gaping holes. On Friday, a Russian physicist demonstrated that the emergency fix to the basic Internet address system, known as the Domain Name System, is vulnerable and will almost certainly be exploited by criminals. The flaw could allow Internet traffic to be secretly redirected so thieves could, for example, hijack a bank's Web address and collect customer passwords. In a posting on his blog <http://tservice.net.ru/%7Es0mbre/blog/devel/networking/dns/2008_08_08.html> , the physicist, Evgeniy Polyakov, wrote that he had fooled the software that serves as the Internet's telephone book into returning an incorrect address in just 10 hours, using two standard desktop computers and a high-speed network link. Internet experts who reviewed the posting said the approach appeared to be effective. The basic vulnerability of the network has become a heated controversy since Dan Kaminsky, a Seattle-based researcher at the security firm IOActive, quietly notified a number of companies that distribute Internet addressing software earlier this year. On Wednesday, Mr. Kaminsky described the vulnerability to a packed room at a technical conference in Las Vegas. He said that it could affect not just the Web but also other services like e-mail. The general risk of such a flaw had been known for some years within the insular Internet technical community. But in the last month security engineers have repeatedly stated that it is only a matter of time before financial organizations and others are attacked by computer criminals seeking to exploit the now-public flaw. One expert says this is happening now. "We have already been seeing attacks in the wild for the past two weeks," said Bill Woodcock, research director of the Packet Clearing House, a nonprofit technical organization. Some of the initial attacks focused on distributing malicious software, he said, and more recently there has been evidence of so-called phishing attacks aimed at stealing personal information. .
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Leaks in Patch for Web Security Hole Richard M. Smith (Aug 09)
- Re: Leaks in Patch for Web Security Hole Valdis . Kletnieks (Aug 09)
- Re: Leaks in Patch for Web Security Hole Larry Seltzer (Aug 10)
- Re: Leaks in Patch for Web Security Hole Gadi Evron (Aug 10)
- Re: Leaks in Patch for Web Security Hole Åke Nordin (Aug 10)
- Re: Leaks in Patch for Web Security Hole Paul Vixie (Aug 10)
- Re: Leaks in Patch for Web Security Hole Larry Seltzer (Aug 10)
- Re: Leaks in Patch for Web Security Hole Valdis . Kletnieks (Aug 09)