Microsoft Security Advisory (956187): Increased threat for DNS spoofing vulnerability, and what you should do
As noted in this security advisory on TechNet...
Microsoft released Microsoft Security Bulletin MS08-037 on July 8, 2008, offering security updates to protect customers against Windows Domain Name System (DNS) spoofing attacks.
Microsoft is not currently aware of active attacks utilizing this exploit code or of customer impact at this time. However, attacks are likely imminent due to the publicly posted proof of concept and Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
Microsoft’s investigation of this exploit code has verified that it does not affect Microsoft customers who have installed the updates detailed in Microsoft Security Bulletin MS08-037. Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows.
As noted in this article over at Redmond Developer News, this "advisory comes almost immediately after H.D. Moore, a hacker and researcher who created the Metasploit vulnerability testing framework, published the attack code in two parts on Wednesday and late Thursday. The code was posted at several security mailing lists and at the Computer Academic Underground Web site."
As Gregg Keizer of Computerworld pointed out in his article today...
"You know a bug is big news when it makes National Public Radio's All Things Considered, the network's afternoon drive-time show. That's what happened on Friday, when Dan Kaminsky, the security researcher who uncovered a critical flaw in the Domain Name System (DNS) software used to direct traffic on the Internet, gave a synopsis of the problem and what has been done to fix it.
"What's all the fuss? A basic flaw in the Domain Name System makes it much easier than originally thought to insert bogus information into the Internet's routing infrastructure. Here's how Kaminsky put it: "A bad guy has a 1-in-65,000 chance of stealing your Internet connection, and he can try a couple thousand times a second."
"By the way, this explanation by Kaminsky is among the few around we think is understandable to the DNS layman. Recommended reading."
Yes, I agree.
As Kaminsky explains, this threat is to the system that maps your common domain name (such as www.myinternetprovider.com) to a specific IP address, the numbers you often see associated with a web site (for example, 184.108.40.206). With this exploit, "malicious people [could] impersonate almost any website on the Internet."
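To make the arithmetic in Kaminsky's quote concrete, here is an added illustration that is not part of the original post: it turns the "1-in-65,000 chance" (a 16-bit transaction ID) and "a couple thousand times a second" into the time a forger needs to reach even odds of slipping in a bogus answer. The assumption that a patched resolver also randomizes its UDP source port, adding roughly 16 more bits to guess, is mine and not stated in the post.

```python
import math

# Figures quoted in the post: a forged reply must match a 16-bit
# transaction ID (1 in 65,536, rounded to "1-in-65,000" above), and the
# forger can send "a couple thousand" guesses per second.
TXID_BITS = 16
GUESSES_PER_SECOND = 2000

# Assumption (not from the post): a patched resolver also randomizes the
# UDP source port, so a forger must guess about 16 additional bits.
PORT_BITS = 16


def success_probability(entropy_bits: int, attempts: int) -> float:
    """Probability that at least one of `attempts` forged replies matches."""
    p = 1.0 / (1 << entropy_bits)
    return 1.0 - (1.0 - p) ** attempts


def seconds_to_reach(entropy_bits: int, target: float,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds of guessing until the cumulative success probability hits `target`."""
    p = 1.0 / (1 << entropy_bits)
    attempts = math.log(1.0 - target) / math.log(1.0 - p)
    return attempts / rate


def compare(target: float = 0.5) -> dict:
    """Time to even odds for a TXID-only resolver vs one that also randomizes ports."""
    return {
        "unpatched_seconds": seconds_to_reach(TXID_BITS, target),
        "patched_seconds": seconds_to_reach(TXID_BITS + PORT_BITS, target),
    }


if __name__ == "__main__":
    r = compare()
    print(f"TXID only:   ~{r['unpatched_seconds']:.0f} seconds to 50% success")
    print(f"TXID + port: ~{r['patched_seconds'] / 86400:.0f} days to 50% success")
```

With only the transaction ID to guess, even odds arrive in under half a minute; adding port randomization stretches the same race to weeks, which is why checking that your resolver has been updated is the action the post recommends.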
I like the way that Gregg describes the issue and provides suggested actions.
So what should you do? For the most part for consumers and general users, the fixes are handled by your ISP. Gregg provides a list of several tools you can access via the Internet to test that your DNS server has been updated. The simplest way is to visit Kaminsky's blog and click on the "Check My DNS" button under the "DNS Checker" column, as noted at right.
Turns out my "name server appears to be safe..."
That's a relief. ;)
"If the testing tools show that you're vulnerable, you should contact your ISP or network administrator to ask what is being done to plug the hole."
As Kaminsky notes, based on the data collected at his website...
"From July 8th to July 9th, 4242 of 5000 tests actively run by users behind unique name servers showed that server to be vulnerable. That’s about 85%. Today, July 25th, the last 5000 tests (about the last six hours) from unique name servers show only 2503 of 5000 vulnerable — just above 50%. Now, I’m not going to deny. There’s selection bias. It’s a limited sample. There are tons and tons of unpatched ISPs. This is all true.
"You know what? A lot of people did a lot of work to make that number drop. More needs to be done, but 13 days made a difference, and it’s awesome to see it."
But it appears that there is still some work to do...
"Fortunately, noted Mogull, attacks are much more likely against Mac servers than individual Macs, so though the latter are technically vulnerable, "there's no need to panic.""