Slashdot Mirror
Microsoft Downplaying Recent DNS Vulnerability
Microsoft Watch writes "Microsoft downplays a recent DNS vulnerability in all Microsoft operating systems (XP, Vista, 2000, and 2003), claims Amit Klein, the security researcher who published the original vulnerability description (PDF) earlier this month. According to Klein, the description in Microsoft's Secure Windows Initiative blog entry is misleading, contains disinformation about the DNS transaction ID algorithm, and downplays the severity of the issue. Klein refutes Microsoft's claim that there is no way to reproduce the next transaction ID, given a series of observed transaction IDs. He shows that this is possible in his paper, which Microsoft had before publishing the SWI post, as well as on the series of data provided in the SWI blog itself."
A swing and a miss! Seems pretty fitting in my eyes.
Moved to http://soylentnews.org/. You are invited to join us too!
Is it possible that Microsoft was downplaying it to lessen the effects? E.g. reduce the amount of copy-cat attacks, etc.
Anonymous Coward
Recently, Microsoft has talked a lot about how secure Vista is when they won't fix known vulnerabilities. Microsoft hasn't been fixing many security issues in Vista because they think it is very secure. They have been focused a lot on fixing how slow the OS runs and the GUI because it has caused bad reviews.
Please visit http://www.mederbil.com/ i7, GTX 275, 4 1TB Caviar Green in RAID 0+1 array, EVGA X58 3X SLI Board, Silver
Don't you just love it when they do that? Is there a strong enough term for those that go so completely out of their way to ignore facts and reality that it defies belief and leaves the sensible stunned? (reminds me of the Chewbacca Defense in a way)
I work for the Department of Redundancy Department.
they would fix it.
Friends don't help friends install M$ junk.
damage control.
Politics is Treachery, Religion is Brainwashing
zero credibility
That's what happens when you lie instead of fixing problems.
Reading TFA and the details on the vulnerability, it seems to me that the attacker must first be able to sniff packets being sent to the DNS server from the desktop PC. This means the attacker apparently must have access to the network the desktop is on.
Now, forgive me if I'm missing the obvious, but why would an attacker, *who can read an outgoing request to a DNS server in real time*, not simply craft a reply using the outgoing packet data as a model? Why bother figuring out the transaction ID when an attacker, according to the scenarios given, *should already have it*, having gotten it from the sniffed packet.
I just don't see how being predictable makes this any worse, when you're apparently dealing with someone already on your own network, or on the route between you and your DNS server.
http://slashdot.org/comments.pl?sid=496702&threshold=-1&commentsort=1&mode=nested&cid=22836064
In light of the recent anti-MS bull that has got through to the slashdot frontpage, I for one am waiting till somebody at least attempts to read the article, before I condemn Microsoft entirely!
So please reply with an analysis of the article so I can ignore it and make chair jokes.
IranAir Flight 655 never forget!
"Microsoft hasn't been fixing many security issues in Vista because they think it is very secure."
I think that Microsoft has not been fixing security issues in Vista because, if they ever deliver a secure operating system, PC customers will never buy another.
It's not an impossible challenge, making a secure operating system. Other organizations have done it. If Microsoft hasn't, that is because it doesn't want to.
Microsoft exploits the ignorance of its customers. But now the customers are beginning to be more technically knowledgeable. Many are, for example, rejecting Vista. Eventually Microsoft's abusive practices will have more complete recognition. What will it do then?
Of course, if Microsoft had a good reputation, there is a huge amount of other software that needs to be wriiten. But that is not an option, because Microsoft has never been known for creativity.
Maybe Microsoft's slogan should be, "Making money through doing evil." That's my opinion, but I'm not the only one who thinks that way.
Eventually software's Dr. Death, the Chief of Grief, the Main Chain of Pain, will become much less influential. Until then, the company is putting the world through a lot of hassle and extra expense, and wasting the time of some of the world's most capable people.
Gates *waves his hand*:"This is not a flaw.." MS Drone user: "This is not a flaw" Gates: *ignore this* MS Drone user "I'll ignore this..." Evil cyber hacker : "WTF!! Another hole! I can't keep up!"
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
Go fuck yourself.
Nobody gives a shit about Linux on the desktop. Not you, not me, not even Linus Fucking Torvalds. This is a story about a fuckin DNS server that has a (maby.. i dont care. im not a sysadmin..) significant vulnerability.
Lets try to keep to the topic at hand here.
$DUDE finds vulnerability in $PRODUCT made by $VENDOR. /., lots of page hits, lots of add revenue, PROFIT!!
$DUDE claims this is really serious and should be fixed at once.
(optional) $DUDE does the Right Thing and tells $VENDOR about it so they can fix it before he goes public.
$VENDOR replies that $DUDE's claims are overblown.
Flamewar on
(optional, much later) $VENDOR quietly fixes $PRODUCT.
April 30th, 2007 - Microsoft Security Response Center (MSRC) were informed of this issue.
March 18th, 2008 - Microsoft releases a service pack for Windows Vista (Vista SP1), which includes a fix for this issue.
April 8th, 2008 - Microsoft issues a fix ([19]) for Windows Vista, Windows XP SP2, Windows 2003 and Windows 2000 SP4. The fix is downloadable at Microsoftâ(TM)s website. Simultaneously, Trusteer discloses the vulnerability to the public (in the form of this document).
Also, as stated above, the scenarios required to pull this off are pointless. If someone is sniffing your traffic in your switched network, they already have access to your network that could invoke far more problems than simple DNS poisoning.
Microsoft downplays security stuff.
;). For example: Kmail closes an email you are working on, just because you decide to save while still working on it (so you have to save, reopen the draft). And the KDE task bar orders tasks by top to bottom then left to right, rather than left to right then top to bottom. With KDE's approach, if you close one task in the middle, ALL remaining tasks to its left suddenly shift their relative vertical positions! Whereas with Window's approach, only the leftmost (and rightmost) tasks change relative horizontal positions (lot fewer affected tasks). Then there's Linux sound, have they finally got that working properly - all popular apps working with each other at the same time?
The "Desktop Linux" developers tend to downplay usability stuff
Of course with Vista and MS Office 2007, there's now a chance for Desktop Linux.
Things are bad when trolls have to troll themselves simply because nobody will feed them...
Anonymous Coward
Oh, no! I've got to go patch DOS 3.3 right away!
"gnutoo" is a sockpuppet of well-known troll twitter. He has already posted on this article with four different accounts. Please do not reward this type of behavior - the more karma an account has, the more trolling damage it can do.
sniff sniff sniff......... do I smell another class action lawsuit? Please tell me I do. Please.
Isn't it amazing how often one of Twitter's sockpuppets gets first post on articles by kdawson?
Not sayin'. Just sayin'.
Chill willy. It isn't twitter. Do you see the name? Slow down and think for a moment. Now, go to a dictionary site and look up "parody".
There you go!
DNS is broken by design.
Time for DNSSEC or something equivalent. - Now, if that could be forged, this would be a high priority issue on the other hand.
I in the past have implemented DNS resolver libraries since UNIX has classically had a terrible problem of either providing only a non-reentrant gethostbyname() or a flaky (blocking) gethostbyname_r() function. In fact, for years programmers have suffered through terrible client side host resolution libraries since it blocking DNS calls were never considered poor taste before programs like web browsers needed to look up entries while rendering.
Also, since POSIX is entirely unaware of the GUI API, there has never been a good method of communicating events to the application. Ideally, there would have been a system related to select() or poll() which would have allowed host name resolution to be part of the same application loop as other socket communication.
That being said, Windows has more or less always include host name resolution as part of the application event loop. Even back when Winsock 1.1 was primarily used. When the host name is resolved, an event is passed to the application. But it is not my intention to discuss DNS from an application level, but instead from a protocol level.
This hack that the reported document is definately a hole in Windows DNS client implementation, Microsoft should fix it, they should treat any vulnerability with respect and diligence. This hack however requires a lot of things to happen at once.
First of all, it requires that the attacker is in a position where they can reliably observe point to point DNS traffic. Meaning from the workstation to the server and back. When used with switches and dslams, this is not generally possible since unless the switch has a defined observer port (which HP procurve allows, but disables by default) traffic is closed and only broadcast requests will be observable outside the point to point path.
Second, it requires that the attacker is located in a position on the network where they can respond to DNS requests faster than the server. So, if the edge switch they're connected to puts them physically closer to the target, but the switch has a higher speed uplink to the backbone, there's still little chance the attacker will inject their packets in time.
Third, it requires making the machine which is being attacked to perform multiple DNS queries. If the attacker gets lucky (another if) the user will be setup for proxy server auto discover which was typically true in earlier versions of IE. Then using a broadcast type situation, they'd be able to configure a proxy server which would inject web pages to the clients computer containing multiple DNS entries. Unfortunately, this would remove the need to perform DNS lookups and they'd have to shut off the proxy and hope the browser falls back to proxyless operation mode.
Finally, it would require that his math for calculating the next DNS event id, source port, etc... is sound. I haven't checked the math, nor am I inclined to since even if we assume he's 100% correct, requiring it to rain at an angle of 32degs precisely at 12:05.2334 UTC on April the 19th of 2009 while Christopher Columbus rises from his grave to baptise the next baby Jesus is just irrational.
Hackers, save yourself some time, if you have this kind of access to the network, use a keylogger, much higher chance of success and much easier. Just remember to not hide under the desk of the computer you're trying to log.
Jimmie, you know I ain't seen no sign...
You'd almost think Microsoft marketing wants tech-savvy people to discuss anything but their defective products and poor support.
"I've got more toys than Teruhisa Kitahara."
This is old news, with a new twist.
1) It was discovered as the cache-poisioning problem.
2) It Affects MS DNS clients, and IIs Server. ( Clients for their poisoning effects, and IIs Servers for the actual poisioning.
3) You can fix ANY client by pointing to OpenDNS, ( I have had extensive corrspondance with their technical team. )
4) Microsoft was suppoed to fix this for All the Clients and servers, they backed off and said it was only for Server 2003, and Vista....
then only for Vista SP1, then... didnt make Vista SP1...
Its all based upon a POOR choice of random number generator, and It looks like it may not make it into XP SP3 either.
Perhaps... Vista SP2...
yes, to all of the above, most sound does work, but every other criticism still sounds (i havent tried kde4)
"3) You can fix ANY client by pointing to OpenDNS, ( I have had extensive corrspondance with their technical team. )" - by killmofasta (460565) on Tuesday April 29, @05:53AM (#23235942) Man, in cases where it is a stand-alone system (meaning that term loosely, meaning single home user system connected to the internet, & no home LAN/WAN (or, corporate one that uses AD)), it works...
HOWEVER:
Trying to use OpenDNS Servers in an ActiveDirectory (AD) environs (in my case, a corporate LAN) causes problems, mainly w/ Outlook (full outlook)...
Try it sometime, you'll see what I mean here... it even makes sense, because HOW could an external set of DNS servers like OpenDNS resolve internal DHCP type LAN IP addresses (e.g. 172.x.x.x, 10.x.x.x, or even std. DHCP 192.168.1.xxx addresses) properly? Especially if they use DHCP (or, even the 172.x.x.x/10.x.x.x hardcoded static IP's ranges that are NOT PUBLICLY INTERNET ROUTABLE/BROADCASTABLE?)
(I.E./E.G.-> You can put the OpenDNS servers in even as your SECONDARY/ALTERNATE (instead of primary) DNS Server on client machines on a network, & STILL, Outlook will screwup)
There's ways around it supposedly, using VPN's I have heard, but I have not tried it (adding complexity only potentially introduces more problems too)...
APK
P.S.=> Any solutions OR "workarounds" you know, for that little conundrum? If you haven't run into it yourself though, try it, see what I mean... I am a HUGE fan of OpenDNS (& MS products), & I use OpenDNS servers too, as I write this to you @ home prior to going to the job today, & I'd like an answer myself on this little hassle & one that doesn't involve VPN tunnelling etc. et al... thanks! apk
In my opinion, partnering with Microsoft has been ugly. For example, Microsoft knew that Vista had problems before it was released: Suit says Microsoft knew it misled -- E-mails raised Vista doubts.
Windows Vista users suffer a ghastly performance loss (roughly two times, hardware for hardware).
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Trying to use OpenDNS Servers in an ActiveDirectory (AD) environs (in my case, a corporate LAN) causes problems, mainly w/ Outlook (full outlook)...
That's because OpenDNS is not a good service for that kind of environment. OpenDNS is for the single standalone user at home, when the DNS servers provided by their ISP are even crappier than those provided by OpenDNS.
WTF is "full outlook"? There is outlook, and there are other email programs. Either you use outlook or you don't.
Try it sometime, you'll see what I mean here... it even makes sense, because HOW could an external set of DNS servers like OpenDNS resolve internal DHCP type LAN IP addresses (e.g. 172.x.x.x, 10.x.x.x, or even std. DHCP 192.168.1.xxx addresses) properly? Especially if they use DHCP (or, even the 172.x.x.x/10.x.x.x hardcoded static IP's ranges that are NOT PUBLICLY INTERNET ROUTABLE/BROADCASTABLE?)
OpenDNS can't do that. It is simply not possible. Don't use OpenDNS in that kind of scenario, where you need to resolve internal private IP addresses. You need your own DNS server if you need to resolve internal private IP addresses.
(I.E./E.G.-> You can put the OpenDNS servers in even as your SECONDARY/ALTERNATE (instead of primary) DNS Server on client machines on a network, & STILL, Outlook will screwup)
The problem is not Outlook, the problem is your DNS system, and the IT administrator who doesn't know what they are doing (is that you?).
Outlook needs to find the mail server to connect to. The way to do that is with DNS. If your DNS can't find your mail server, Outlook won't work properly.
If you are using Outlook & Exchange together, outlook needs to find much more than just the mail server. It needs to find a domain controller and a global catalog server in Active Directory. The way to do that is with DNS.
There's ways around it supposedly, using VPN's I have heard, but I have not tried it (adding complexity only potentially introduces more problems too)...
The way around it is to stop using OpenDNS and use a real DNS server that you run yourself.
Active Directory requires the use of a Microsoft DNS server. It's that simple. Some things will work without Microsoft DNS, but not all.
If you don't want to use a Microsoft DNS server, don't use Active Directory. It's your choice.
P.S.=> Any solutions OR "workarounds" you know, for that little conundrum?
You don't need a VPN. You need to use a Microsoft DNS server for your Active Directory installation.
Hello stalker. I was wondering when you'd show up.
"I've got more toys than Teruhisa Kitahara."
And even that's fine. Just don't complain when it backfires. People are fed up with trolls like twitter, and defending him (or projecting his own failings on yourself) when he's crapflooding articles with his sockpuppets is probably not the brightest thing you can do. Why don't you conserve your energy and defend him when he cleans up his act, drops his other seven accounts and starts posting rational things that actually contribute something to Slashdot, instead of "M$ WINDZOES LOLOZORZ" and timeless jewels like "drol spittle".
Of course I stalk you. It's not like you're the ninth post down on the article and modded up.
Under any other circumstance I would never have spotted your post at all - it must be that I track you around Slashdot, like an animal.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
*bows*
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Precisely. If the transaction IDs are secure, then you have to play "man in the middle" to sniff the request and fake a response. But if you can guess the transaction IDs, you can blindly send a spoofed response from elsewhere on the net and fake out the user's DNS resolver. The details of doing this in practice can be tricky, but it's doable. That's why the dnsext working group has been trying to improve this aspect of the protocol. While MS's implementation has flaws that make it more predictable than it otherwise should be, the fundamental problem is with the decades-old DNS protocol to begin with. The transaction IDs are 16-bit numbers, which is very limiting if you need to generate secure sequences of them that can't be guessed. It's not too hard to just spam responses with random response IDs and get some small success rate with only 16 bits to play with.One of the current proposals (which I'm not a fan of because of other technical implications for DNS) is that since DNS query names are case-insensitive and copied by the server from the request packet to the response packet, to use the "uppercase bit" of each letter as more bits for the secure transaction ID. The fact that people are willing to consider hacks like these should tell you something about how badly we're backed into a corner on this issue with the DNS protocol. Hopefully soon someone will do something sensible like standardize an EDNS1 with extra transaction ID bits in the OPT RR, and then in like 10 years (if history is any guide) it might actually see wide deployment.
College-Pages.com - Online Colleges, Degrees, and Programs
Even after revising the question in order to conveniently dismiss it, the question is valid. Why doesn't Microsoft spend more for programmers with more practical experience, even if they need to cut their PR budget to do it?
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..