Security researchers say they have discovered an enormous flaw that could let hackers steer most people using corporate computer networks...
Security researchers say they have discovered an enormous flaw that could let hackers steer most people using corporate computer networks to malicious Web sites of their own devising.
For bad news, that’s pretty impressive. But there are two pieces of good news: First, no bad guys are known to be capitalizing on the flaw yet. And second, in a possibly unprecedented display of industry cooperation, virtually every major software company affected is issuing patches fixing the problem.
System administrators will have 30 days to apply those patches — from the likes of Microsoft, Sun Microsystems, Red Hat and others — before the details of the flaw are disclosed at the Black Hat security conference in Las Vegas.
Security experts — including the man who discovered the flaw, Dan Kaminsky of security outfit IOActive — hope that the patches are broad enough that evil types won’t be able to reverse-engineer them and figure out how to exploit the vulnerability before the details are released next month.
Most Read Business Stories
- Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system | Times Watchdog
- Boeing has 737 MAX software fix ready for airlines as DOT launches new scrutiny of entire FAA certification process
- Belltown penthouse is region’s priciest condo sale ever — and new owners won't even live there
- Amazon finds an alternative workforce through Northwest Center, a Seattle nonprofit helping people with disabilities
- Boeing defends 737 MAX's cockpit add-ons, begins new pilot information sessions
“We got lucky in this particular bug, because it’s a design flaw,” Kaminsky said in an interview. “It shows up in everyone’s network, but the fix is a design fix that doesn’t point directly at what we’re improving.”
US CERT, the Computer Emergency Readiness Team at the U.S. Department of Homeland Security, issued an alert Tuesday on the scope of the problem. CERT didn’t go into all the backroom dealing that brought so many companies together for the patch, but it made the initial discovery seem like child’s play.
“It took a couple of hours to find the bug,” said Kaminsky, “and a couple of months to fix it.”
Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the Web sites they are seeking “by complete and total accident.” Smaller DNS flaws have been used before to “poison” the servers that send people to the numerical address of the Web site name they type in. But the newest failing is at least one order of magnitude bigger, and perhaps several.
“This is about the integrity of the Web, this is about the integrity of e-mail,” Kaminsky said. “It’s more, but I can’t talk about how much more.”