Google, Red Hat discover critical DNS security flaw that enables malware to infect the entire Internet
February 24, 2016 11:58 GMT
Google and Red Hat engineers have discovered a crucial security flaw in the internet's infrastructure that would enable attackers to cripple the entire internet (image: iStock)
Google and security firm Red Hat have discovered a critical security flaw in the Internet's Domain Name System (DNS) that affects a library in a universally used protocol. This means an attacker could use it to infect almost everything on the entire internet. With the flawed code spread far and wide, it will likely take years of effort to patch the bug.
Google engineers and Red Hat researchers both independently discovered the DNS bug, tracked as CVE-2015-7547, within the GNU C standard library (glibc), and then worked together to create a patch. The security vulnerability works by tricking browsers into looking up suspicious domains, which causes servers to reply with DNS names that are far too long, thus causing a buffer overflow in the victim's software.
The buffer overflow would then make it possible for an attacker to remotely execute code and take over the computer, and they could perform this exact same attack on machines all over the world, as the code containing the flaw has been in use since May 2008 and affects all versions of glibc since version 2.9.
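A defender's first check is whether a host's glibc falls in the range given above (2.9 and later). The following C program is an added example, not code from the article, Google or Red Hat; the function names are hypothetical, and a match only means the vendor's patch status must be confirmed, since distributions backport fixes without changing the upstream version number.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* Parse "MAJOR.MINOR" (trailing ".PATCH" or distro suffix ignored).
   Returns 0 on success, -1 on malformed input. */
static int parse_version(const char *s, long *major, long *minor)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    *major = strtol(s, &end, 10);
    if (*end != '.' || end[1] < '0' || end[1] > '9')
        return -1;
    *minor = strtol(end + 1, &end, 10);
    return 0;
}

/* 1: version is 2.9 or later (the range the article reports),
   0: older than 2.9, -1: not a glibc-style version string. */
int in_reported_range(const char *version)
{
    long major, minor;
    if (parse_version(version, &major, &minor) != 0)
        return -1;
    /* Compare numerically: as plain strings "2.17" sorts before "2.9". */
    if (major != 2)
        return major > 2;
    return minor >= 9;
}

int main(void)
{
#ifdef __GLIBC__
    const char *v = gnu_get_libc_version();
#else
    const char *v = "non-glibc";   /* e.g. musl: this check does not apply */
#endif
    int r = in_reported_range(v);
    if (r == 1)
        printf("glibc %s: in reported range, confirm vendor patch for CVE-2015-7547\n", v);
    else if (r == 0)
        printf("glibc %s: older than 2.9\n", v);
    else
        printf("%s: not a glibc version string\n", v);
    return 0;
}
```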
Flaw can affect almost all parts of internet infrastructure
To understand how damaging this flaw could be, security researcher Dan Kaminsky explains on his blog that it is far worse than the Heartbleed OpenSSL bug or Shellshock Linux Bash and Mac OS X bug, which infected things connected to a network, rather than everything that makes up the internet, such as network tools and even software.
The reason it is such a big problem is that most Internet software is built on Linux, and it is already known that if an attacker were to infiltrate an enterprise's network, for example, the attacker would then be able to easily take over all the systems running Linux.
In the same fashion, in order to connect to the internet, Linux uses the GNU C standard library to connect to DNS to resolve domain names to IP addresses, and therefore the attacker would be able to capitalise on this.
The last DNS flaw took 10 years to fix
"It's problematic that, a decade after the last DNS flaw that took a decade to fix, we have another one. It's time we discover and deploy architectural mitigations for these sorts of flaws with more assurance than technologies like ASLR can provide," Kaminsky writes.
"The hard truth is that if this code was written in JavaScript, it wouldn't have been vulnerable. We can do better than that. We need to develop and fund the infrastructure, both technical and organisational, that defends and maintains the foundations of the global economy."
On the plus side, although there are millions of DNS caches across the internet, no researchers have yet been able to get the glibc DNS bug to work through caches, and therefore, Kaminsky says that only "some networks are going to be vulnerable to some cache traversal attacks sometimes".
However, he says that while this might not be an immediate problem, if this flaw is not patched soon, it could become a much bigger problem a year or two down the line.