Major internet security flaw found
- added July 9, 2008
- 21 responses
-
-
-
-
- merasyad
- added this
-
-
- related topics
-
- News and Politics (31555)
- Not News (25089)
- Random (19624)
- News (13556)
- Tech (6368)
- Internet (1918)
- Current Radio News (1018)
- Security (206)
- Current UK (205)
- Current News USA (196)
- Hackers (108)
- Hacking (86)
- Identity Theft (44)
- World Wide Web (18)
- Internet Security (13)
Security researchers said today they had discovered an enormous flaw that could let hackers steer most people using corporate computers networks to malicious websites of their own devising.
Thankfully every major software company affected is issuing patches fixing the problem.
System administrators will have 30 days to apply those patches before the details of the flaw are disclosed at the Black Hat security conference in Las Vegas.
Security experts hope that the patches are broad enough that hackers won't be able to reverse-engineer them and figure out how to exploit the vulnerability before the details are released next month.
Make sure you download those security patches people.
Thankfully every major software company affected is issuing patches fixing the problem.
System administrators will have 30 days to apply those patches before the details of the flaw are disclosed at the Black Hat security conference in Las Vegas.
Security experts hope that the patches are broad enough that hackers won't be able to reverse-engineer them and figure out how to exploit the vulnerability before the details are released next month.
Make sure you download those security patches people.
-
is work with mac too?
-
Oh, crap, this is scary. Thanks for the info.
-
-
-
-
- SpookyFish
- 1 month ago
-
-
Here's more on Black Hat and what they do.
This might explain the latest security updates I've been getting from Windows.
Thanks for the heads-up. -
More on what self-proclaimed "Hacker", Jeff Moss, founder of Black Hat and Defcon, has been up to... -
What they need is a Certified Ethical Hacker to test their stuff on a daily bases that leads to manifestation of exploits :)
I wish I could do what I do better and get certified.-
-
-
-
- Midnight_DevilX
- 1 month ago
-
-
Switch to Firefox 3.0, it is geared against such things.
-
-
-
-
- Vierotchka
- 1 month ago
-
-
Yes, I think it would be advised to download the patches.
Do you think it's possible this patch was included in my recent Windows Vista update? -
If you are a System, Network Admin. you know to keep up with these things. Since I started to surf the internet these news have been coming up. I am on the Apple Macintosh that it is one step ahead of the hackers anyway. You just have to make sure to check for your security updates from Apple through your system prefs.
-
The above security flaw is in DNS servers.
A huge release of multi vendor patches came out yesterday to resolve this issue.
On the client side there is not much to do.
Anti-phishing filters in Firefox and other browsers may help to guard against this.
If you haven't tried out Firefox 3 now would be a good time.-
-
-
-
- Thomas_Morse
- 1 month ago
-
-
...and we all have to Thank the Mozilla Community for keeping up with the hackers and straightening Firefox's browser.
-
It's going to be interesting to find out what exactly the bug is. There's hinting at DNS poisoning but how much further down will it be?
Since it's a design flaw, I assume that means it's not relegated to Bind, or Windows DNS, et al...
Does it effect all operating systems? Or just certain operating systems that implement queries a certain way?
Answered my own questions:
http://www.linuxworld.com.au/index.php/id;817717169;pp;...
Unless you're running your own DNS server, you're fine.-
-
-
-
- necrotized
- 1 month ago
-
-
Windows DNS bug fix can impair firewalls, including ZoneAlarm
BetaNews has confirmed through its own testing this morning that a critical patch, released yesterday by Microsoft as part of a worldwide DNS bug fix effort, can and does impact the functionality of software firewalls.
Multiple reports from users since yesterday afternoon have complained of systems incapable of contacting the Internet after having implemented patch KB951748. This patch makes a major change to the way the operating system handles DNS requests. Specifically, it implements a system that enables source port randomization -- a way to scramble the address from which a request is placed -- as a security measure to thwart malicious users from being able to craft false DNS responses, and thus "poison" the caches of DNS servers.
It is a very serious fix to what could have been a catastrophic exploit, and it's being implemented not just on Windows but on Linux, and within routers and other network equipment as well. It's a major cooperative effort, but one side effect for now, due to an apparent lack of cooperation among software vendors, is that some software firewalls may need to be disabled, throttled back, or turned off altogether while a fix is under way.
In BetaNews tests, we installed the latest commercial edition of ZoneAlarm Pro (version 7.0.470, not a beta) on a virtual Windows XP Professional SP3 virtual machine, which we verified as having perfect Internet connectivity after the install. We then installed patch KB951748 from Windows Update and rebooted the VM. No Internet utility or browser was able to connect to the Internet afterward. This while the VM was running on a Windows XP SP3 physical system without the patch installed, though with ZoneAlarm Pro and with fully working Internet connectivity. Not even the PING utility would work from the virtual system's command line.
Connectivity between the virtual system and other physical systems in the local network, however, was unimpaired by the patch.
* * * * *
More at link.-
-
-
-
- Vierotchka
- 1 month ago
-
-
I installed the stupid security update and it made all internet browsers on my network stop communication with the internet. It was a Nightmare trying to undo the fix.
-
-
-
-
- Psychedelic
- 1 month ago
-
-
Great that you guys are exposing the issue here. Seems that everyone should wait to install this until it gets fixed or for a better solution to come up.
-
-
-
-
-
- Thomas_Morse
- 1 month ago
-
-
I hope with the new spying laws being passed that the hackers unite and do good by going against and attacking the government websites!! Hackers need to start a union and help the american people and our rights!!
-
Well, since one of my hats it is Network Admin, here is the real news and some solutions. This is only for Server, DNS Admin. Be careful if you do not know about this to adventuring into the patches! If you are a client, do nothing, call your Administrator!
Software companies across the industry have quietly collaborated to
simultaneously release fixes for all affected name servers.
Updates were released on Tuesday by Red Hat:
< https://rhn.redhat.com/errata/RHSA-2008-0533.html>
By Sun:
< http://sunsolve.sun.com/search/document.do?assetkey=1-2...
By Microsoft:
< http://support.microsoft.com/kb/953230#top>
Unfortunately, Apple has not yet released a fix. On a completely up to date
10.5.4 server install, the BIND version is 9.4.1-P1; the current versions
that patch this vulnerability are 9.4.2-P1 and 9.5.0-P1 (plus 9.3.5-P1, but
there's no sense downgrading). So once again admins have to guess when Apple
will release a security update that covers this, and must decide whether to
compile their own copy of the patched version in /usr/local or wait and hope
they don't get exploited before Apple gets around to patching. Not that I'm
bitter....
--
Dave Pooser, ACSA
Manager of Information Services
http://www.alfordmedia.com/
Login/Registration is required to add a response.
