Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Microsoft Downplaying Recent DNS Vulnerability

Posted by kdawson on Mon Apr 28, 2008 09:06 PM
from the it's-nothing-really dept.
Security Microsoft IT
Microsoft Watch writes "Microsoft downplays a recent DNS vulnerability in all Microsoft operating systems (XP, Vista, 2000, and 2003), claims Amit Klein, the security researcher who published the original vulnerability description (PDF) earlier this month. According to Klein, the description in Microsoft's Secure Windows Initiative blog entry is misleading, contains disinformation about the DNS transaction ID algorithm, and downplays the severity of the issue. Klein refutes Microsoft's claim that there is no way to reproduce the next transaction ID, given a series of observed transaction IDs. He shows that this is possible in his paper, which Microsoft had before publishing the SWI post, as well as on the series of data provided in the SWI blog itself."
+ -
story

Related Stories

Submission: Microsoft cover-up of recent DNS vulnerability by Anonymous Coward
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Microsoft Downplaying Recent DNS Vulnerability 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • A swing and a miss! Seems pretty fitting in my eyes.

  • Unlikely, but... (Score:4, Interesting)

    by Kinky Bass Junk (880011) on Monday April 28 2008, @09:11PM (#23233170)
    Is it possible that Microsoft was downplaying it to lessen the effects? E.g. reduce the amount of copy-cat attacks, etc.
    • they would fix it.

    • Re:Unlikely, but... (Score:5, Insightful)

      by Uncle Focker (1277658) on Monday April 28 2008, @09:26PM (#23233334)
      Or rather than spending all that effort in trying to downplay it, they could just fix the vulnerability and stop all the would-be attackers in their tracks. Nah, that would make too much sense.
    • I'd bet its partly that but more typical FUD. If they fix it too quickly it'll prove its true so they'll wait 3 months then sneak the fix into some bundle of other updates.

      We have SafeSurf types of plugins for FireFox and various toolbars like the one from NetCraft that warn you about fake/dangerous sites, we even have things like AVG8 with its mildly annoying symbols next to URLs that popup windows when you hover. Isn't it about time somebody created a Bullshit-o-meter site & plugins?? When you googl
      • Considering you can be sued for publishing your opinion that someone else is full of shit, it wouldn't last long... That's called defamation, it's what happened to spamhaus, IIRC.
      • Dude, it was already fixed and fix was released on April 8. RTFA.
    • No. More likely, the dude who screwed up the code had to write up the vulnerability. And so he wrote "yeah I misspelled a few words and accidentally referenced the wrong variables" when the truth is "entering anything except the name of my first pet I had in 1964 causes all the user's files to be deleted - sorry".

      That's what I always think when I see this - how would I write it up if it were mine?
      • Considering it hits the public, I sincerely doubt that any coder would be allowed to publish security vulnerabilities. They would probably send a draft off to PR, who butters it up.

    • Re:Unlikely, but... (Score:5, Funny)

      by Divebus (860563) on Monday April 28 2008, @10:50PM (#23234052)

      Is it possible that Microsoft was downplaying it to lessen the effects?
      Microsoft will certainly take security to the next level:
        "Are you sure you want to poison the DNS stub resolver cache? Allow or Deny."
      That'll fix it.
  • Recently, Microsoft has talked a lot about how secure Vista is when they won't fix known vulnerabilities. Microsoft hasn't been fixing many security issues in Vista because they think it is very secure. They have been focused a lot on fixing how slow the OS runs and the GUI because it has caused bad reviews.
    • "Microsoft hasn't been fixing many security issues in Vista because they think it is very secure."

      I think that Microsoft has not been fixing security issues in Vista because, if they ever deliver a secure operating system, PC customers will never buy another.

      It's not an impossible challenge, making a secure [apple.com] operating system [openbsd.org]. Other organizations have done it. If Microsoft hasn't, that is because it doesn't want to.

      Microsoft exploits the ignorance of its customers. But now the customers are beginning

      • I think that Microsoft has not been fixing security issues in Vista because, if they ever deliver a secure operating system, PC customers will never buy another.

        Yet they HAVE been fixing security issues. Maybe not fast enough, and maybe there are still outstanding issues, but to claim otherwise is wrong. Your belief is apparently that people ONLY upgrade for security fixes? I strongly disagree and would like to see how you could possibly back that statement up.

        It's not an impossible challenge, making a secure [apple.com] operating system [openbsd.org]. Other organizations have done it. If Microsoft hasn't, that is because it doesn't want to.

        Apple has had plenty of security holes, so they should not be held up as your exemplar. OpenBSD is about as good as it gets. They make no bones about going for the SECURE/SAFE option over the fast, userfrie

      • Um, Sure, openBSD is secure, until you install anything other than the limited subset it comes with. and even without that, they have a couple of security fixes a month [openbsd.org] from what I remember when on the mailing list. As for OS-X, I don't see how having a huge hole in safari [engadget.com] can be classed as "secure". Note that in that competition, it took allowing the install of random third party software before the windows box was compromised. The apple one was compromised by just going to a website.

        So, please, hate on Mi

  • la la la la I CAN'T HEAR YOU la la la (Score:4, Informative)

    by v1 (525388) on Monday April 28 2008, @09:14PM (#23233200) Homepage Journal
    Don't you just love it when they do that? Is there a strong enough term for those that go so completely out of their way to ignore facts and reality that it defies belief and leaves the sensible stunned? (reminds me of the Chewbacca Defense in a way)

  • two words (Score:4, Insightful)

    by FudRucker (866063) on Monday April 28 2008, @09:21PM (#23233278)
    damage control.

    • zero credibility

      That's what happens when you lie instead of fixing problems.

      • MODERATORS: Please note (Score:2, Informative)

        by Anonymous Coward
        "gnutoo" is a sockpuppet of well-known troll twitter. He has already posted on this article with four [slashdot.org] different accounts. Please do not reward this type of behavior - the more karma an account has, the more trolling damage it can do.

  • Okay, I don't get the issue here. (Score:5, Informative)

    by ThreeGigs (239452) on Monday April 28 2008, @09:43PM (#23233484)
    Reading TFA and the details on the vulnerability, it seems to me that the attacker must first be able to sniff packets being sent to the DNS server from the desktop PC. This means the attacker apparently must have access to the network the desktop is on.

    Now, forgive me if I'm missing the obvious, but why would an attacker, *who can read an outgoing request to a DNS server in real time*, not simply craft a reply using the outgoing packet data as a model? Why bother figuring out the transaction ID when an attacker, according to the scenarios given, *should already have it*, having gotten it from the sniffed packet.

    I just don't see how being predictable makes this any worse, when you're apparently dealing with someone already on your own network, or on the route between you and your DNS server.

    • Re: (Score:3, Informative)

      by Anonymous Coward
      Why do you have to see requests from the same originating address? From the description it seems like you just inspect _any_ set of replies to _any_ requests, even ones you generate yourself, and you will be able to forge responses to any other requests, even from others users.

      In other words, you do not have to have access to the victim's network or the server's network -- just a network which can query the server.

      • Re:Okay, I don't get the issue here. (Score:5, Interesting)

        by photon317 (208409) on Monday April 28 2008, @11:04PM (#23234156)
        Precisely. If the transaction IDs are secure, then you have to play "man in the middle" to sniff the request and fake a response. But if you can guess the transaction IDs, you can blindly send a spoofed response from elsewhere on the net and fake out the user's DNS resolver. The details of doing this in practice can be tricky, but it's doable. That's why the dnsext working group has been trying to improve this aspect of the protocol. While MS's implementation has flaws that make it more predictable than it otherwise should be, the fundamental problem is with the decades-old DNS protocol to begin with. The transaction IDs are 16-bit numbers, which is very limiting if you need to generate secure sequences of them that can't be guessed. It's not too hard to just spam responses with random response IDs and get some small success rate with only 16 bits to play with.

        One of the current proposals (which I'm not a fan of because of other technical implications for DNS) is that since DNS query names are case-insensitive and copied by the server from the request packet to the response packet, to use the "uppercase bit" of each letter as more bits for the secure transaction ID. The fact that people are willing to consider hacks like these should tell you something about how badly we're backed into a corner on this issue with the DNS protocol. Hopefully soon someone will do something sensible like standardize an EDNS1 with extra transaction ID bits in the OPT RR, and then in like 10 years (if history is any guide) it might actually see wide deployment.
  • In light of the recent anti-MS bull that has got through to the slashdot frontpage, I for one am waiting till somebody at least attempts to read the article, before I condemn Microsoft entirely!

    So please reply with an analysis of the article so I can ignore it and make chair jokes.
    • Dude, this is a technology forum. If you want politics or religion [groklaw.net] then go elsewhere. You see the slams on that company because not only can't it deliver, it goes through great acrobatics and effort to avoid delivering. Brand recognition cuts both ways, and in a technology forum if a company consistently and persistently for decades makes bottom of the line technology and is bad about fixes and causes trouble, then of course you will see 'anti-' view points: it's called experience.
      • Story on friday [slashdot.org] & story today [slashdot.org], are not only dupes but they blame ms for an SQL vulnerability. This is saying microsoft played down a DNS vulnerability, from the comments here [slashdot.org] & here [slashdot.org], from people that actually read the article seam to suggest that while this story is valid, its not what other comments suggest.

        If I've seen lots of baseless articles recently, I will post wait until somebody actually reads the article (as its one that isn't in my area of expertise) and explains weather its baseless o
  • Gates *waves his hand*:"This is not a flaw.." MS Drone user: "This is not a flaw" Gates: *ignore this* MS Drone user "I'll ignore this..." Evil cyber hacker : "WTF!! Another hole! I can't keep up!"

  • Why is this news? (Score:5, Insightful)

    by IchBinEinPenguin (589252) on Monday April 28 2008, @09:51PM (#23233562)
    $DUDE finds vulnerability in $PRODUCT made by $VENDOR.
    $DUDE claims this is really serious and should be fixed at once.
    (optional) $DUDE does the Right Thing and tells $VENDOR about it so they can fix it before he goes public.
    $VENDOR replies that $DUDE's claims are overblown.
    Flamewar on /., lots of page hits, lots of add revenue, PROFIT!!
    (optional, much later) $VENDOR quietly fixes $PRODUCT.
    • You left out the

      if $VENDOR == MS
      switch (DayOfWeek) {
      case M : Deny Deny Deny
      print "no we didn't"
      case T : set $BUG = $FEATURE
    • Actually it went like this, see the bold below

      $DUDE finds vulnerability in $PRODUCT made by $VENDOR.
      $DUDE claims this is really serious and should be fixed at once.
      (optional) $DUDE does the Right Thing and tells $VENDOR about it so they can fix it before he goes public.
      $DUDE finds vulnerability in $PRODUCT made by $VENDOR.
      $DUDE claims this is really serious and should be fixed at once.
      (optional) $DUDE does the Right Thing and tells $VENDOR about it so they can fix it before he goes public.
      $VENDOR fixes the

  • RTFA (Score:5, Informative)

    by magamiako1 (1026318) on Monday April 28 2008, @09:52PM (#23233578)
    Article Conclusion:

    April 30th, 2007 - Microsoft Security Response Center (MSRC) were informed of this issue.

    March 18th, 2008 - Microsoft releases a service pack for Windows Vista (Vista SP1), which includes a fix for this issue.

    April 8th, 2008 - Microsoft issues a fix ([19]) for Windows Vista, Windows XP SP2, Windows 2003 and Windows 2000 SP4. The fix is downloadable at Microsoftâ(TM)s website. Simultaneously, Trusteer discloses the vulnerability to the public (in the form of this document).

    Also, as stated above, the scenarios required to pull this off are pointless. If someone is sniffing your traffic in your switched network, they already have access to your network that could invoke far more problems than simple DNS poisoning.

  • My opinion is Microsoft isn't totally wrong (Score:3, Informative)

    by LostMyBeaver (1226054) on Tuesday April 29 2008, @02:32AM (#23235382)
    I in the past have implemented DNS resolver libraries since UNIX has classically had a terrible problem of either providing only a non-reentrant gethostbyname() or a flaky (blocking) gethostbyname_r() function. In fact, for years programmers have suffered through terrible client side host resolution libraries since it blocking DNS calls were never considered poor taste before programs like web browsers needed to look up entries while rendering.

    Also, since POSIX is entirely unaware of the GUI API, there has never been a good method of communicating events to the application. Ideally, there would have been a system related to select() or poll() which would have allowed host name resolution to be part of the same application loop as other socket communication.

    That being said, Windows has more or less always include host name resolution as part of the application event loop. Even back when Winsock 1.1 was primarily used. When the host name is resolved, an event is passed to the application. But it is not my intention to discuss DNS from an application level, but instead from a protocol level.

    This hack that the reported document is definately a hole in Windows DNS client implementation, Microsoft should fix it, they should treat any vulnerability with respect and diligence. This hack however requires a lot of things to happen at once.

    First of all, it requires that the attacker is in a position where they can reliably observe point to point DNS traffic. Meaning from the workstation to the server and back. When used with switches and dslams, this is not generally possible since unless the switch has a defined observer port (which HP procurve allows, but disables by default) traffic is closed and only broadcast requests will be observable outside the point to point path.

    Second, it requires that the attacker is located in a position on the network where they can respond to DNS requests faster than the server. So, if the edge switch they're connected to puts them physically closer to the target, but the switch has a higher speed uplink to the backbone, there's still little chance the attacker will inject their packets in time.

    Third, it requires making the machine which is being attacked to perform multiple DNS queries. If the attacker gets lucky (another if) the user will be setup for proxy server auto discover which was typically true in earlier versions of IE. Then using a broadcast type situation, they'd be able to configure a proxy server which would inject web pages to the clients computer containing multiple DNS entries. Unfortunately, this would remove the need to perform DNS lookups and they'd have to shut off the proxy and hope the browser falls back to proxyless operation mode.

    Finally, it would require that his math for calculating the next DNS event id, source port, etc... is sound. I haven't checked the math, nor am I inclined to since even if we assume he's 100% correct, requiring it to rain at an angle of 32degs precisely at 12:05.2334 UTC on April the 19th of 2009 while Christopher Columbus rises from his grave to baptise the next baby Jesus is just irrational.

    Hackers, save yourself some time, if you have this kind of access to the network, use a keylogger, much higher chance of success and much easier. Just remember to not hide under the desk of the computer you're trying to log.
  • This is old news, with a new twist.
    1) It was discovered as the cache-poisioning problem.
    2) It Affects MS DNS clients, and IIs Server. ( Clients for their poisoning effects, and IIs Servers for the actual poisioning.
    3) You can fix ANY client by pointing to OpenDNS, ( I have had extensive corrspondance with their technical team. )
    4) Microsoft was suppoed to fix this for All the Clients and servers, they backed off and said it was only for Server 2003, and Vista....
    then only for Vista SP1, then... didnt make V
    • Microsoft downplays security stuff.

      The "Desktop Linux" developers tend to downplay usability stuff ;). For example: Kmail closes an email you are working on, just because you decide to save while still working on it (so you have to save, reopen the draft). And the KDE task bar orders tasks by top to bottom then left to right, rather than left to right then top to bottom. With KDE's approach, if you close one task in the middle, ALL remaining tasks to its left suddenly shift their relative vertical positions

      • Re: (Score:3, Insightful)

        by ozmanjusri (601766)
        Isn't it amazing how often stories about Microsoft's failings get hijacked by drones accusing everyone of being Twitter.

        You'd almost think Microsoft marketing wants tech-savvy people to discuss anything but their defective products and poor support.

        • Isn't it amazing how often threads involving twitter get hijacked by drones accusing everyone of being Twitter.
          Fixed it for you. I think you'll find that it's because twitter shoots for first post on every single Microsoft article.
          • Hello stalker. I was wondering when you'd show up.
            • Of course I stalk you. It's not like you're the ninth post down on the article and modded up.

              Under any other circumstance I would never have spotted your post at all - it must be that I track you around Slashdot, like an animal.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.