Supercritical DNS bug affects nearly all of the Internet and could take years to patch
Security researcher, Dan Kaminsky has reported that an eight-year-old bug in the Internet’s Domain Name Service (DNS) could be used to widely spread malware. In fact, the bug is so critical that a potential hacker could take over the victim’s computer remotely by exploiting it.
Kaminsky says a flaw found in the Gnu C standard library, aka “glibc,” can trick browsers into looking up shady domain names. Servers could then reply with overly-long DNS names, causing a buffer overflow in the victim’s software. That would in turn let hackers execute code remotely and possibly take over a machine.
The bug is new and has been around since May 2008. Kaminsky said “the buggy code has been around for quite some time, so it’s really worked its way across the globe.” In other words, it could ages for the fix to be applied broadly.
Considering how widespread the bug is, it could be rated on the same scale as Heartbleed and others and it could be more widespread than its predecessors. Kaminsky pointed out that the latest hole was coded into Gnu DNS libraries just months after he corrected other serious DNS flaws in 2008. Surprisingly the bug doesnt affect Android devices.
It has not yet been established that the code can be executed remotely nor has it been found to be exploited in the wild.
Redhat, which discovered the vulnerability along with Google, said that “a back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.”
Kaminsky says that the bug makes servers vulnerable to man-in-the-middle attacks right now, if hackers gain access to certain servers. Kaminsky calls a “solid critical vulnerability by any normal standard.” Now, the only question is whether things will get much worse.
Click here if you’re a DNS expert and don’t need to be told how DNS works.
Click here if your interests are around security policy implications and not the specific technical flaw in question.