An eight-year-old bug in the Internet’s Domain Name Service (DNS) could be used to widely spread malware, according to security research Dan Kaminsky. He says a flaw found in the Gnu C standard library, aka “glibc,” can trick browsers into looking up shady domain names. Servers could then reply with overly-long DNS names, causing a buffer overflow in the victim’s software. That would in turn let hackers execute code remotely and possibly take over a machine. While the hole has already been patched, Kaminksy said “the buggy code has been around for quite some time — since May 2008 — so it’s really worked its way across the globe.” In other words, it could ages for the fix to be applied broadly.
Along with Heartbleed and others, the bug is the latest of several serious flaws found in the backbone of the internet. Kaminsky pointed out that ironically, the latest hole was coded into Gnu DNS libraries just months after he corrected other serious DNS flaws in 2008. He’s advising anybody running Linux servers to “patch this bug with extreme prejudice.” (Android devices aren’t affected, by the way.)
Nobody is sure yet if the code can be executed remotely. However, Redhat, which discovered the vulnerability along with Google, said that “a back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.” However, the bug makes servers vulnerable to man-in-the-middle attacks right now, if hackers gain access to certain servers. That makes it what Kaminsky calls a “solid critical vulnerability by any normal standard.” Now, the only question is whether things will get much worse.
