Technology: The business and culture of our digital lives, from the L.A. Times


Major computer-security flaw prompts patch mania

5:24 PM, July 8, 2008

Security researcher Dan Kaminsky

Security researchers said today they had discovered an enormous flaw that could let hackers steer most people using corporate computer networks to malicious websites of their own devising.

For bad news, that's pretty impressive. But there are two pieces of good news: First, no bad guys are known to be using the flaw yet. And second, in a possibly unprecedented display of industry cooperation, virtually every major software company affected is issuing patches fixing the problem.

System administrators will have 30 days to apply those patches -- from the likes of Microsoft, Sun Microsystems, Red Hat and others -- before the details of the flaw are disclosed at the Black Hat security conference in Las Vegas.

Security experts -- including the man who discovered the flaw, Dan Kaminsky of IOActive -- hope that the patches are broad enough that evil types won't be able to reverse-engineer them and figure out how to exploit the vulnerability before the details are released next month.

"We got lucky in this particular bug, because it's a design flaw," Kaminsky said in an interview. "It shows up in everyone's network, but the fix is a design fix that doesn't point directly at what we're improving."

US CERT, the Computer Emergency Readiness Team at the Department of Homeland Security, issued an alert today on the scope of the problem. CERT didn't go into all the backroom dealing that brought so many companies together for the patch, but it made the initial discovery seem like child's play. "It took a couple of hours to find the bug," said Kaminsky, "and a couple of months to fix it."

Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter. But this failing is at least one order of magnitude bigger, and perhaps several.

"This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It's more, but I can't talk about how much more."

-- Joseph Menn

Photo of Dan Kaminsky by Dave Bullock / eecue

Comments

hahaha I'm under 13! :-p lol jk But, seriously, no... this sounds pretty manageable. We'll weather the storm together. :-)
