One large Australian organisation and a local computer security advisor have played down the importance of a security flaw in the global Domain Name System (DNS) that has led to panic in some security circles around the globe.
(Credit: Kaminsky's blog)
The flaw, which security researcher Dan Kaminsky recently claimed to have discovered, could allow people to re-direct Web browsers to malicious websites in a technique known as "DNS cache poisoning".
The DNS translates host names such as www.example.com to the numerical internet address for systems connected to the internet. It effectively acts as a computer's internet address book. DNS cache poisoning occurs where an attacker is able to introduce fake information into the cache of a DNS name server.
However, Securus Global practice manager, Declan Ingram told ZDNet.com.au today that while the problem was a critical flaw, "the sky is not falling".
"If it's going to be an issue, it's likely to be a consumer one," he said. "Really, it will only affect SSL certificates, but if they are properly authenticated, then this will be done through an authenticated server and not through the DNS."
Critical business systems were unlikely to be affected by the flaw, said Ingram. "Most of the high security systems on the internet don't rely on DNS."
Welfare agency Centrelink was one extremely large Australian organisation that didn't appear today to be worried about the problem, with a spokesperson for the agency saying it was not exposed to the flaw.
"The Centrelink gateway uses a DNS product called "djbdns", which is not vulnerable to the current DNS poisoning exploit," the spokesperson told ZDNet.com.au today.
Despite the sentiments, security experts are still warning businesses to urgently patch numerous products immediately.
Kaminsky had planned to hold back on disclosing the flaw until the Black Hat conference in August in the US. However, after disclosing it to affected vendors, this Monday, Halvar Flake, chief executive of Sabre Security, claimed to have figured out the flaw and published his findings on the company's web site.
While Kamisky did not admit it was the same flaw, he wrote on his blog following the disclosure: "Patch. Today. Now. Yes, stay late."
The flaw however has led to what some believe is the biggest multi-vendor patching exercise in history. Amongst vendors with products containing the DNS vulnerability are Avaya, Blue Coat systems, Cisco, Debian GNU/Linux, F5 Networks, FreeBSD, Fujitsu, Gentoo Linux, HP, IBM, Juniper Networks, Novell, Microsoft, Red Hat, Sun, Ubuntu and Suse Linux. Other vendors' systems may be affected also, according to the United States' Computer Emergency Response Team, which has published a list of affected vendors.