Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Downplaying Recent DNS Vulnerability

Posted by kdawson on from the it's-nothing-really dept.

Microsoft Watch writes "Microsoft downplays a recent DNS vulnerability in all Microsoft operating systems (XP, Vista, 2000, and 2003), claims Amit Klein, the security researcher who published the original vulnerability description (PDF) earlier this month. According to Klein, the description in Microsoft's Secure Windows Initiative blog entry is misleading, contains disinformation about the DNS transaction ID algorithm, and downplays the severity of the issue. Klein refutes Microsoft's claim that there is no way to reproduce the next transaction ID, given a series of observed transaction IDs. He shows that this is possible in his paper, which Microsoft had before publishing the SWI post, as well as on the series of data provided in the SWI blog itself."

3 of 93 comments (clear)

  1. Unlikely, but... by Kinky+Bass+Junk · · Score: 3, Interesting

    Is it possible that Microsoft was downplaying it to lessen the effects? E.g. reduce the amount of copy-cat attacks, etc.

    --
    Anonymous Coward
  2. Read the article? by RiotingPacifist · · Score: 1, Interesting

    In light of the recent anti-MS bull that has got through to the slashdot frontpage, I for one am waiting till somebody at least attempts to read the article, before I condemn Microsoft entirely!

    So please reply with an analysis of the article so I can ignore it and make chair jokes.

    --
    IranAir Flight 655 never forget!
  3. Re:Okay, I don't get the issue here. by photon317 · · Score: 4, Interesting

    Precisely. If the transaction IDs are secure, then you have to play "man in the middle" to sniff the request and fake a response. But if you can guess the transaction IDs, you can blindly send a spoofed response from elsewhere on the net and fake out the user's DNS resolver. The details of doing this in practice can be tricky, but it's doable. That's why the dnsext working group has been trying to improve this aspect of the protocol. While MS's implementation has flaws that make it more predictable than it otherwise should be, the fundamental problem is with the decades-old DNS protocol to begin with. The transaction IDs are 16-bit numbers, which is very limiting if you need to generate secure sequences of them that can't be guessed. It's not too hard to just spam responses with random response IDs and get some small success rate with only 16 bits to play with.

    One of the current proposals (which I'm not a fan of because of other technical implications for DNS) is that since DNS query names are case-insensitive and copied by the server from the request packet to the response packet, to use the "uppercase bit" of each letter as more bits for the secure transaction ID. The fact that people are willing to consider hacks like these should tell you something about how badly we're backed into a corner on this issue with the DNS protocol. Hopefully soon someone will do something sensible like standardize an EDNS1 with extra transaction ID bits in the OPT RR, and then in like 10 years (if history is any guide) it might actually see wide deployment.

    --
    11*43+456^2