The DNS vulnerability: What you should know and do
On July 31, 2008, Apple released an overdue patch for a major vulnerability in the way Mac OS X Server handles the translation of the names in Web sites and e-mail addresses into the numeric addresses used for connections. The vulnerability is a fundamental flaw in the Domain Name Service (DNS) protocol and affected all but a handful of the DNS servers built into operating systems or released as stand-alone server software packages.
If exploited on an Internet service provider (ISP) or company's DNS server, an attacker would be able to redirect any user of that server to a destination of his or her choosing. Thus, while you might select Macworld.com from your bookmarks or type it into a browser's location field, and the browser shows you www.macworld.com in that Location field, you've actually downloaded the home page of a malicious website hosted by a bad guy who has loaded it with malware and phishing attempts.
Although Apple released a fix for all Macs running OS X 10.4.11 and 10.5.4 (Server and desktop, Intel and PowerPC, Leopard and Tiger), the fix only repaired the most vulnerable part of DNS, the server software, even on systems that don't use it. (The server software is installed, but not turned on, in the regular flavor of Mac OS X, and in OS X Server, DNS service has to be configured and activated.)
Client DNS software, used by an operating system to request a DNS lookup from a full-scale DNS server, is still at risk, but at a lower level and under more limited circumstances.
Understanding the vulnerability
Earlier this year, security researcher Dan Kaminsky accidentally discovered a major vulnerability in DNS--the protocol that translates the domain names we can remember (www.macworld.com) into the Internet Protocol (IP) addresses used by the software that powers the Internet (70.42.185.230). (Note: One of the authors of this article, Rich Mogull, worked with Kaminsky on preparing the announcement.)
To be more accurate, Kaminsky didn't discover a new vulnerability, but a new, lethally effective method to attack a known weakness in DNS. Known as cache poisoning, this class of attack allows an attacker to corrupt the database a DNS server holds in memory and consults to answer users' systems when they request name-to-number lookups.
This flaw lets an attacker replace the valid IP address tied to a domain name with any IP address the attacker wants. In effect, an attacker can hijack users' Web browsers (and other Internet software) by providing the browser with the wrong IP address; the browser still displays the address the user typed, rendering the redirection invisible. Other forms of browser redirection rely on tricks such as frames and cannot be hidden as easily.
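To make the cache-poisoning mechanism above concrete from the defender's side, here is an added Python model of the checks a caching resolver applies before an answer is admitted to its cache. It is illustrative code written for this page, not Apple's or any DNS server's implementation. The resolver accepts a response only if it matches an outstanding query on name, 16-bit transaction ID and the UDP port the query left from, and it drops "additional" records that fall outside the zone the answering server speaks for (the bailiwick check). The 2008 patches hardened servers mainly by randomizing the query source port, which widens what a blind forger must guess from about 2^16 possibilities to roughly 2^32; `blind_guess_space` computes both figures. All names, addresses, class names and the sample responses are constructed for the example.

```python
"""Toy model of DNS response admission checks (added example, constructed data)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    qname: str
    txid: int      # 16-bit DNS transaction ID
    src_port: int  # UDP source port the query was sent from


@dataclass
class Response:
    qname: str
    txid: int
    dst_port: int        # port the response was addressed to
    answers: dict        # owner name -> IPv4 address (constructed sample data)
    authority_zone: str  # zone the answering server is authoritative for


class ResolverCache:
    """Minimal caching resolver: only the admission checks are modelled."""

    def __init__(self, randomize_ports=True, seed=None):
        self.cache = {}          # name -> IP, what clients will be told
        self.pending = {}        # (qname, txid, port) -> Query still awaiting an answer
        self.randomize_ports = randomize_ports
        self.rejected = []       # (reason, name) for anything refused
        self._rng = random.Random(seed)

    def send_query(self, qname):
        """Record an outstanding query with a fresh ID and (optionally) a random port."""
        txid = self._rng.getrandbits(16)
        # Pre-2008 behaviour: a fixed source port, so only the 16-bit ID is secret.
        port = self._rng.randint(1024, 65535) if self.randomize_ports else 53
        q = Query(qname, txid, port)
        self.pending[(qname, txid, port)] = q
        return q

    @staticmethod
    def in_bailiwick(name, zone):
        """True if `name` is `zone` itself or lies beneath it."""
        return name == zone or name.endswith("." + zone)

    def receive(self, resp):
        """Admit a response only if it matches a pending query; drop
        out-of-bailiwick records. Returns True if the response was accepted."""
        key = (resp.qname, resp.txid, resp.dst_port)
        if key not in self.pending:
            # Wrong ID or port, or nothing was asked: forged or stale, discard it.
            self.rejected.append(("no matching query", resp.qname))
            return False
        del self.pending[key]
        for name, ip in resp.answers.items():
            if not self.in_bailiwick(name, resp.authority_zone):
                # A server for example.com must not be allowed to tell us
                # where a name in some other zone lives.
                self.rejected.append(("out of bailiwick", name))
                continue
            self.cache[name] = ip
        return True


def blind_guess_space(randomize_ports):
    """Number of (ID, port) pairs an off-path forger would have to cover."""
    ids = 2 ** 16
    ports = (65535 - 1024 + 1) if randomize_ports else 1
    return ids * ports


def demo():
    """One forged answer (rejected), one legitimate answer with a stray record."""
    r = ResolverCache(randomize_ports=True, seed=7)
    q = r.send_query("www.example.com")

    # Forged answer carrying a wrong transaction ID: never matches, rejected.
    forged = Response("www.example.com", (q.txid + 1) % 65536, q.src_port,
                      {"www.example.com": "203.0.113.66"}, "example.com")
    forged_ok = r.receive(forged)

    # Legitimate answer: one in-bailiwick record plus one out-of-bailiwick
    # "additional" record that must be dropped rather than cached.
    legit = Response("www.example.com", q.txid, q.src_port,
                     {"www.example.com": "192.0.2.10",
                      "www.bank.example": "203.0.113.66"}, "example.com")
    legit_ok = r.receive(legit)

    return {"forged_accepted": forged_ok, "legit_accepted": legit_ok,
            "cache": dict(r.cache), "rejected": list(r.rejected)}


if __name__ == "__main__":
    print(demo())
    print(blind_guess_space(False), blind_guess_space(True))
```

Running `demo()` shows the forged response refused, the real one admitted, and only the `www.example.com` record reaching the cache; the stray `www.bank.example` record is logged as out of bailiwick. This is the same division the article draws: a server that skips any of these checks, or that sends every query from the same port, is the component the 2008 patch addressed, while a stub resolver that never caches has far less to protect.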
If a user is sent to a malicious destination, the bad guys could use a variety of social engineering tricks to fool you into entering sensitive information (like a fake bank site that looks real), or to directly attack you using web browser
Good to see a Mac
Good to see a Mac perspective of this vulnerability. I've written up about it at my blog but not on the Mac side since I do not own, and have not worked on, a Mac. Read more at ZerosourceZero