DNS flaw offers attackers 35 options
Posted on 7 Aug 2008 at 12:12
The recently discovered DNS security flaw could be much worse than previously thought, offering attackers 35 ways to exploit cache poisoning, according to the security researcher who found it.
Speaking at the Black Hat hacker conference in Las Vegas, Dan Kaminsky highlighted how the flaw could be used to redirect users to malicious sites, as well as to intercept or edit email.
Kaminsky ran through another scenario in which a website could be tricked into sending a username and password to an email account controlled by a malicious attacker, using a forgotten password reminder.
These attacks are all made possible by the flaw, which allows attackers to poison DNS caches and redirect users to malicious third-party sites, even when they have correctly entered the address of a different, legitimate site.
Because the attack targets a fundamental service that powers the internet there are multiple ways it could be used for nefarious purposes; 35 at Kaminsky's count.
The security vulnerability was first discovered over six months ago, but Kaminsky revealed no details of it to allow an unprecedented collaboration between Microsoft, Sun and Cisco to develop a fix.
Despite only being recently announced, reports suggest that the flaw is already being used. AT&T has announced that it spotted an attempt to redirect users accessing www.google.com to a third-party website hosting advertisements.
Author: Matthew Sparkes
advertisement
- Motorola pays Lucas for its Droid
- Where are the killer apps for Windows?
- Will you hit the Orange iPhone "unlimited" cap?
- USB 3 first benchmark - it's here, and it's fast
- Why Windows 7 has forced me to worry about security
- How Dixons is (under)selling Windows 7
- Do I like Windows 7 because it's so like a Mac?
- No Windows 7 drivers turn Dell M1330 into a doorstop
- Is Windows 7 good looking enough to sway an Apple fan?
- Typekit brings print-like typography to the web
- The bulletproof Dell that costs an arm and a leg
- Microsoft Office 2010 Technical Preview: Q&A
- Lawnmowers, the TyTN II and one odd insurance request
- There'll never be a bulletproof OS
- How far can we trust apps?
- Five nice touches in Outlook 2010
- Building a better Google
- Beware HP's horrendous printer-driver glitch
- Microsoft debuts free Morro antivirus package
- Getting started with Search Server 2008 Express
advertisement

Printed from www.pcpro.co.uk

