News

New Threats Emerge from Once-Trusted Protocols, Services

• By William Jackson
• 08/31/2009

The rapid morphing and bundling of exploits for known vulnerabilities could be the biggest concern for security experts, but that doesn't mean that new threats are not emerging. Two of the most troubling are in the Domain Name System and Secure Sockets Layer, services users have trusted for years.

A zero-day exploit emerged last month for a vulnerability in one of the most commonly used DNS servers, forcing many users to update the software that helps to direct Internet traffic.

"Pretty much any BIND 9 server can be brought down with this script," said Branko Miskov, product manager director at BlueCat Networks. "Our development team was quite surprised at how simple this was."

Also last month, researchers demonstrated exploits using fraudulent X.509 certificates against SSL, the Web protocol for securing sessions between servers and clients. SSL is an almost transparent scheme that underlies many financial and other secure transactions via the Internet.

"That was a system that worked very well and has given us a sense of security for years," said Booz Allen Hamilton Vice President George Schu. Recent developments "indicate that these guys are getting really clever and looking for new ways to do harm."

DNS is a protocol for associating domain names with the numerical IP addresses that are used to direct Internet traffic. DNS underlies almost all Internet activity. BIND -- originally the Berkeley Internet Name Domain -- is a widely used open source DNS software that likely is being used on more than half of the world's public DNS servers. The Internet Systems Consortium, which maintains BIND, announced in July that an exploit already was in wide circulation for a vulnerability, which can cause servers running release 9 of the software to crash.

According to ISC, when most versions of BIND 9 -- the current release of the software -- are configured as a master server, the receipt of a specially crafted dynamic update message can cause the server to crash. "Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master," ISC's alert states. "Launching the attack against slave zones does not trigger" the crash. "This vulnerability affects all servers that are masters for one or more zones -- it is not limited to those that are configured to allow dynamic updates."

In many ways, crashing a DNS server is a less serious attack than cache poisoning, which can redirect traffic to malicious sites. A flaw in the DNS protocols that could allow cache poisoning was announced last summer.

However, the current BIND flaw is serious because it is easy to exploit. ISC rated this vulnerability at high severity, largely because of the existence of a zero-day exploit. The National Institute of Standards and Technology's National Vulnerability Database rates it at medium severity, with a low rating for its impact but a high rating for its exploitability.

Problems with the X.509 digital certificate standard were discussed by two researchers at last month's Black Hat Briefings. Because the X.509 standard is not specific enough and vendors implement it differently in their products, it is possible to fool Web browsers and other clients into accepting certificates that are invalid or are not for the server to which the client is being directed. In separate presentations at the computer security conference, Dan Kaminsky, director of penetration testing at IOActive, and hacker and yachtsman Moxie Marlinspike of Thoughtcrime.org demonstrated similar exploits against SSL.

Kaminsky has been working with vendors who implement the technology, such as Open SSL, Netscape and Microsoft, to patch the problems until a more permanent solution can be put into place. He would like to see X.509 replaced with a scheme built on a Domain Name System using the DNS Security Extensions.

Mozilla already has incorporated the fix in Version 3.5 of its Firefox browser.