Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Microsoft IT

Microsoft Downplaying Recent DNS Vulnerability 93

Microsoft Watch writes "Microsoft downplays a recent DNS vulnerability in all Microsoft operating systems (XP, Vista, 2000, and 2003), claims Amit Klein, the security researcher who published the original vulnerability description (PDF) earlier this month. According to Klein, the description in Microsoft's Secure Windows Initiative blog entry is misleading, contains disinformation about the DNS transaction ID algorithm, and downplays the severity of the issue. Klein refutes Microsoft's claim that there is no way to reproduce the next transaction ID, given a series of observed transaction IDs. He shows that this is possible in his paper, which Microsoft had before publishing the SWI post, as well as on the series of data provided in the SWI blog itself."
This discussion has been archived. No new comments can be posted.

Microsoft Downplaying Recent DNS Vulnerability

Comments Filter:
  • A swing and a miss! Seems pretty fitting in my eyes.
  • Unlikely, but... (Score:4, Interesting)

    by Kinky Bass Junk ( 880011 ) on Monday April 28, 2008 @10:11PM (#23233170)
    Is it possible that Microsoft was downplaying it to lessen the effects? E.g. reduce the amount of copy-cat attacks, etc.
    • If they cared (Score:1, Insightful)

      by twitter ( 104583 ) *
      they would fix it.
    • by Uncle Focker ( 1277658 ) on Monday April 28, 2008 @10:26PM (#23233334)
      Or rather than spending all that effort in trying to downplay it, they could just fix the vulnerability and stop all the would-be attackers in their tracks. Nah, that would make too much sense.
      • How much effort can the PR department really put into fixing this vulnerability? The group putting in the effort to downplay this is not the same group that fixes the problem. How about you let the PR department downplaying the issue while the software engineers develop a solution...
        • Even after revising the question in order to conveniently dismiss it, the question is valid. Why doesn't Microsoft spend more for programmers with more practical experience, even if they need to cut their PR budget to do it?
    • I'd bet its partly that but more typical FUD. If they fix it too quickly it'll prove its true so they'll wait 3 months then sneak the fix into some bundle of other updates.

      We have SafeSurf types of plugins for FireFox and various toolbars like the one from NetCraft that warn you about fake/dangerous sites, we even have things like AVG8 with its mildly annoying symbols next to URLs that popup windows when you hover. Isn't it about time somebody created a Bullshit-o-meter site & plugins?? When you googl
      • Considering you can be sued for publishing your opinion that someone else is full of shit, it wouldn't last long... That's called defamation, it's what happened to spamhaus, IIRC.
      • by Chokolad ( 35911 )
        Dude, it was already fixed and fix was released on April 8. RTFA.
    • No. More likely, the dude who screwed up the code had to write up the vulnerability. And so he wrote "yeah I misspelled a few words and accidentally referenced the wrong variables" when the truth is "entering anything except the name of my first pet I had in 1964 causes all the user's files to be deleted - sorry".

      That's what I always think when I see this - how would I write it up if it were mine?
      • Considering it hits the public, I sincerely doubt that any coder would be allowed to publish security vulnerabilities. They would probably send a draft off to PR, who butters it up.
    • by Divebus ( 860563 ) on Monday April 28, 2008 @11:50PM (#23234052)

      Is it possible that Microsoft was downplaying it to lessen the effects?
      Microsoft will certainly take security to the next level:
        "Are you sure you want to poison the DNS stub resolver cache? Allow or Deny."
      That'll fix it.
  • Recently, Microsoft has talked a lot about how secure Vista is when they won't fix known vulnerabilities. Microsoft hasn't been fixing many security issues in Vista because they think it is very secure. They have been focused a lot on fixing how slow the OS runs and the GUI because it has caused bad reviews.
    • "Microsoft hasn't been fixing many security issues in Vista because they think it is very secure."

      I think that Microsoft has not been fixing security issues in Vista because, if they ever deliver a secure operating system, PC customers will never buy another.

      It's not an impossible challenge, making a secure [apple.com] operating system [openbsd.org]. Other organizations have done it. If Microsoft hasn't, that is because it doesn't want to.

      Microsoft exploits the ignorance of its customers. But now the customers are beginning
      • I think that Microsoft has not been fixing security issues in Vista because, if they ever deliver a secure operating system, PC customers will never buy another.

        Yet they HAVE been fixing security issues. Maybe not fast enough, and maybe there are still outstanding issues, but to claim otherwise is wrong. Your belief is apparently that people ONLY upgrade for security fixes? I strongly disagree and would like to see how you could possibly back that statement up.

        It's not an impossible challenge, making a secure [apple.com] operating system [openbsd.org]. Other organizations have done it. If Microsoft hasn't, that is because it doesn't want to.

        Apple has had plenty of security holes, so they should not be held up as your exemplar. OpenBSD is about as good as it gets. They make no bones about going for the SECURE/SAFE option over the fast, userfrie

      • Um, Sure, openBSD is secure, until you install anything other than the limited subset it comes with. and even without that, they have a couple of security fixes a month [openbsd.org] from what I remember when on the mailing list. As for OS-X, I don't see how having a huge hole in safari [engadget.com] can be classed as "secure". Note that in that competition, it took allowing the install of random third party software before the windows box was compromised. The apple one was compromised by just going to a website.

        So, please, hate on Mi
  • by v1 ( 525388 ) on Monday April 28, 2008 @10:14PM (#23233200) Homepage Journal
    Don't you just love it when they do that? Is there a strong enough term for those that go so completely out of their way to ignore facts and reality that it defies belief and leaves the sensible stunned? (reminds me of the Chewbacca Defense in a way)
  • two words (Score:4, Insightful)

    by FudRucker ( 866063 ) on Monday April 28, 2008 @10:21PM (#23233278)
    damage control.
    • two better words (Score:1, Insightful)

      by gnutoo ( 1154137 ) *

      zero credibility

      That's what happens when you lie instead of fixing problems.

      • by Anonymous Coward
        "gnutoo" is a sockpuppet of well-known troll twitter. He has already posted on this article with four [slashdot.org] different accounts. Please do not reward this type of behavior - the more karma an account has, the more trolling damage it can do.
  • by ThreeGigs ( 239452 ) on Monday April 28, 2008 @10:43PM (#23233484)
    Reading TFA and the details on the vulnerability, it seems to me that the attacker must first be able to sniff packets being sent to the DNS server from the desktop PC. This means the attacker apparently must have access to the network the desktop is on.

    Now, forgive me if I'm missing the obvious, but why would an attacker, *who can read an outgoing request to a DNS server in real time*, not simply craft a reply using the outgoing packet data as a model? Why bother figuring out the transaction ID when an attacker, according to the scenarios given, *should already have it*, having gotten it from the sniffed packet.

    I just don't see how being predictable makes this any worse, when you're apparently dealing with someone already on your own network, or on the route between you and your DNS server.
    • Exactly.
    • Re: (Score:3, Informative)

      by Anonymous Coward
      Why do you have to see requests from the same originating address? From the description it seems like you just inspect _any_ set of replies to _any_ requests, even ones you generate yourself, and you will be able to forge responses to any other requests, even from others users.

      In other words, you do not have to have access to the victim's network or the server's network -- just a network which can query the server.
    • Looking at the aticle it would appear that you could set up a malicious website that arranged for a number of dns queries for domains that you control. Once you had enough information then you'd be able to then arrange a query against a domain you wanted to spoof and send back many spoofed replies with guesses for the transaction id that are in the right ballpark with reasonable success. How does this require sniffing the network?
  • In light of the recent anti-MS bull that has got through to the slashdot frontpage, I for one am waiting till somebody at least attempts to read the article, before I condemn Microsoft entirely!

    So please reply with an analysis of the article so I can ignore it and make chair jokes.
    • Re: (Score:3, Insightful)

      Dude, this is a technology forum. If you want politics or religion [groklaw.net] then go elsewhere. You see the slams on that company because not only can't it deliver, it goes through great acrobatics and effort to avoid delivering. Brand recognition cuts both ways, and in a technology forum if a company consistently and persistently for decades makes bottom of the line technology and is bad about fixes and causes trouble, then of course you will see 'anti-' view points: it's called experience.
      • Story on friday [slashdot.org] & story today [slashdot.org], are not only dupes but they blame ms for an SQL vulnerability. This is saying microsoft played down a DNS vulnerability, from the comments here [slashdot.org] & here [slashdot.org], from people that actually read the article seam to suggest that while this story is valid, its not what other comments suggest.

        If I've seen lots of baseless articles recently, I will post wait until somebody actually reads the article (as its one that isn't in my area of expertise) and explains weather its baseless o
      • How is it the parent got modded insightful for claiming M$ "can't deliver" when TFA clearly and unambiguously states that it did in fact deliver a patch to a reported vulnerability. You might think that DNS is bottom of the line tech but you can hardly blame microsoft for that. Bind had a similar vulnerability http://www.kb.cert.org/vuls/id/927905 [cert.org] (bind 8) http://www.kb.cert.org/vuls/id/252735 [cert.org] (bind 9)
  • Gates *waves his hand*:"This is not a flaw.." MS Drone user: "This is not a flaw" Gates: *ignore this* MS Drone user "I'll ignore this..." Evil cyber hacker : "WTF!! Another hole! I can't keep up!"
  • Why is this news? (Score:5, Insightful)

    by IchBinEinPenguin ( 589252 ) on Monday April 28, 2008 @10:51PM (#23233562)
    $DUDE finds vulnerability in $PRODUCT made by $VENDOR.
    $DUDE claims this is really serious and should be fixed at once.
    (optional) $DUDE does the Right Thing and tells $VENDOR about it so they can fix it before he goes public.
    $VENDOR replies that $DUDE's claims are overblown.
    Flamewar on /., lots of page hits, lots of add revenue, PROFIT!!
    (optional, much later) $VENDOR quietly fixes $PRODUCT.
    • You left out the

      if $VENDOR == MS
      switch (DayOfWeek) {
      case M : Deny Deny Deny
      print "no we didn't"
      case T : set $BUG = $FEATURE
    • by Chokolad ( 35911 )
      Actually it went like this, see the bold below

      $DUDE finds vulnerability in $PRODUCT made by $VENDOR.
      $DUDE claims this is really serious and should be fixed at once.
      (optional) $DUDE does the Right Thing and tells $VENDOR about it so they can fix it before he goes public.
      $DUDE finds vulnerability in $PRODUCT made by $VENDOR.
      $DUDE claims this is really serious and should be fixed at once.
      (optional) $DUDE does the Right Thing and tells $VENDOR about it so they can fix it before he goes public.
      $VENDOR fixes the
    • by tokul ( 682258 )

      $VENDOR replies that $DUDE's claims are overblown.
      Flamewar on /., lots of page hits, lots of add revenue, PROFIT!!
      You missed the part when $DUDE proves that claims are not overblown on Bugtraq.
  • RTFA (Score:5, Informative)

    by magamiako1 ( 1026318 ) on Monday April 28, 2008 @10:52PM (#23233578)
    Article Conclusion:

    April 30th, 2007 - Microsoft Security Response Center (MSRC) were informed of this issue.

    March 18th, 2008 - Microsoft releases a service pack for Windows Vista (Vista SP1), which includes a fix for this issue.

    April 8th, 2008 - Microsoft issues a fix ([19]) for Windows Vista, Windows XP SP2, Windows 2003 and Windows 2000 SP4. The fix is downloadable at Microsoftâ(TM)s website. Simultaneously, Trusteer discloses the vulnerability to the public (in the form of this document).

    Also, as stated above, the scenarios required to pull this off are pointless. If someone is sniffing your traffic in your switched network, they already have access to your network that could invoke far more problems than simple DNS poisoning.

  • DNS is broken by design.

    Time for DNSSEC or something equivalent. - Now, if that could be forged, this would be a high priority issue on the other hand.
  • by LostMyBeaver ( 1226054 ) on Tuesday April 29, 2008 @03:32AM (#23235382)
    I in the past have implemented DNS resolver libraries since UNIX has classically had a terrible problem of either providing only a non-reentrant gethostbyname() or a flaky (blocking) gethostbyname_r() function. In fact, for years programmers have suffered through terrible client side host resolution libraries since it blocking DNS calls were never considered poor taste before programs like web browsers needed to look up entries while rendering.

    Also, since POSIX is entirely unaware of the GUI API, there has never been a good method of communicating events to the application. Ideally, there would have been a system related to select() or poll() which would have allowed host name resolution to be part of the same application loop as other socket communication.

    That being said, Windows has more or less always include host name resolution as part of the application event loop. Even back when Winsock 1.1 was primarily used. When the host name is resolved, an event is passed to the application. But it is not my intention to discuss DNS from an application level, but instead from a protocol level.

    This hack that the reported document is definately a hole in Windows DNS client implementation, Microsoft should fix it, they should treat any vulnerability with respect and diligence. This hack however requires a lot of things to happen at once.

    First of all, it requires that the attacker is in a position where they can reliably observe point to point DNS traffic. Meaning from the workstation to the server and back. When used with switches and dslams, this is not generally possible since unless the switch has a defined observer port (which HP procurve allows, but disables by default) traffic is closed and only broadcast requests will be observable outside the point to point path.

    Second, it requires that the attacker is located in a position on the network where they can respond to DNS requests faster than the server. So, if the edge switch they're connected to puts them physically closer to the target, but the switch has a higher speed uplink to the backbone, there's still little chance the attacker will inject their packets in time.

    Third, it requires making the machine which is being attacked to perform multiple DNS queries. If the attacker gets lucky (another if) the user will be setup for proxy server auto discover which was typically true in earlier versions of IE. Then using a broadcast type situation, they'd be able to configure a proxy server which would inject web pages to the clients computer containing multiple DNS entries. Unfortunately, this would remove the need to perform DNS lookups and they'd have to shut off the proxy and hope the browser falls back to proxyless operation mode.

    Finally, it would require that his math for calculating the next DNS event id, source port, etc... is sound. I haven't checked the math, nor am I inclined to since even if we assume he's 100% correct, requiring it to rain at an angle of 32degs precisely at 12:05.2334 UTC on April the 19th of 2009 while Christopher Columbus rises from his grave to baptise the next baby Jesus is just irrational.

    Hackers, save yourself some time, if you have this kind of access to the network, use a keylogger, much higher chance of success and much easier. Just remember to not hide under the desk of the computer you're trying to log.
  • This is old news, with a new twist.
    1) It was discovered as the cache-poisioning problem.
    2) It Affects MS DNS clients, and IIs Server. ( Clients for their poisoning effects, and IIs Servers for the actual poisioning.
    3) You can fix ANY client by pointing to OpenDNS, ( I have had extensive corrspondance with their technical team. )
    4) Microsoft was suppoed to fix this for All the Clients and servers, they backed off and said it was only for Server 2003, and Vista....
    then only for Vista SP1, then... didnt make V

Fast, cheap, good: pick two.

Working...