Hijacking the Web
Categories: Security
Written By: Edward
We’ve been watching this one since the news broke a couple of months ago, and you could say it’s the Internet’s equivalent of the Y2K scenario.
In essence, DNS (the fabric of the Internet that translates names such as www.mybank.com into the server addresses that traffic is sent to) is flawed. Very flawed.
A bug has been discovered that could allow people to hijack entire portions of the Internet and redirect traffic wherever they want. So, when you type in www.mybank.com you will get a site that looks and feels exactly as it should - it would even pass all the anti-phishing checks your browser or PC runs. But, and here’s the catch, it would be operated by thieves from a server far, far away from your bank, because the DNS flaw has allowed them to trick the Internet into sending all traffic for www.mybank.com to their server instead of the proper one, as if that were its legitimate destination.
But this flaw does not just extend to www.mybank.com and other websites. Because it is a flaw in the underlying fabric of the Internet, it allows any Internet traffic to be redirected - this includes FTP, email, spam filters, SSL, automated software updaters, etc.
“Every network is at risk,” Kaminsky said at the Black Hat conference on Wednesday. “That’s what this flaw has shown.”
Automated software updating systems like those used by Microsoft and Apple could also be subverted, allowing hackers to trick users into installing malicious software disguised as authenticated software updates.
“There are a ton of different paths that lead to doom,” he said.
There is light at the end of the tunnel. Before the details of the DNS flaw were (inadvertently) made public, Kaminsky had been working with the key players on the Internet to patch DNS servers to prevent the theft of the web.
Kaminsky said that more than 120 million broadband consumers are now protected by patched DNS servers, which amounts to about 42 percent of broadband internet users. Seventy percent of Fortune 500 companies have also patched, while 15 percent have tried to patch but run up against problems. Another 15 percent have done nothing to fix the hole. [We would guess that these statistics are US-based. Ed.]
He showed a video that mapped DNS servers around the world as they were tested and patched over the last month. Servers that were vulnerable first appeared as red dots on the map, then turned green as they were patched. The most heavily patched geographical regions were the East Coast of the United States and Western Europe.
We haven’t heard of any major companies being affected by this DNS flaw, but we would advise any web company that provides DNS services to its clients to ensure that its DNS servers are patched, to avoid becoming part of the domino effect of any future exploit (this includes anybody running a dedicated or virtual server which has DNS services operating). Fortunately, small companies are less likely to be targeted by people or organisations looking to exploit the DNS flaw, but unpatched servers represent a hole in the fabric of the web which could allow attackers to gain a foothold. You have been warned.


