Reports from IT directors and major IT suppliers indicate that the security hole in Internet Domain Name System servers is being patched -- but not everyone, nor every company, is responding quickly.
News of the flaw in some DNS servers was released to the public early this month and the details were leaked in the middle of the month, catching many server administrators by surprise. The hope was that most servers could be patched and ready before the public became aware of the details. But as a result of the leak, many servers worldwide remain vulnerable to attack.
Although no hacker software has yet been discovered that exploits the vulnerability, the potential exists for hackers to spoof the servers that translate domain names such as www.yourbank.com into network addresses, pointing users to an illegitimate location. The flaw could allow malicious programmers to redirect requests for Web sites to bogus sites, potentially capturing personal data such as bank account information and passwords to legitimate Web destinations.
Who Is Patched and Who Isn't
Most American Internet service providers have applied the patch, but some have yet to fully fix the problem. There is no concrete count of the servers that are affected, but worldwide estimates are in the hundreds of thousands. Comcast, Verizon, Microsoft and Cisco Systems are a few corporations that have gone on record as completing the vulnerability patch.
According to some reports, PowerDNS, used by AOL and Deutsche Telekom, is immune from the flaw. Developed by a Dutch company of the same name, the software is open source. In a letter posted on the company's Web site, PowerDNS founder Bert Hubert says, "We're being approached from various angles about PowerDNS and the recently discovered DNS vulnerability. To clear up any possible confusion, I'd like to state that since 2006, PowerDNS has not been vulnerable for the issue reported ... In fact, we've been warning the DNS community against these kinds of problems since around that time [2006]. In fact, according to reports, Dan Kaminsky, a security expert, uncovered this flaw in February of 2008, triggering a secret meeting in Redmond, Washington."
Critics are accusing Apple of ignoring the vulnerability, since the company has not released any information on the status of patching its Mac OS X server. According to blogger Rich Mogull, "Apple has yet to patch this vulnerability, which affects both the desktop Mac OS X and the Mac OS X server."
Some observers are speculating that Apple's preoccupation with the iPhone 3G launch this month caused the company to drop the ball on the security issue. According to a report by IDC this year, Apple is the 10th largest server vendor worldwide.
A Slow Patch
Patches that have been applied are reportedly running into other problems.
Systems running the BIND (Berkeley Internet Name Domain) DNS software are experiencing performance problems. The highest-volume servers -- receiving tens of thousands of requests per second -- appear to be most affected by the patch.
Experts are advising IT directors to deploy the patch nonetheless, and wait for a fix that will both secure servers and restore performance.