Patch for Major Security Flaw Is Ineffective

Widely distributed fix for Internet failing only slows the damage
By Harry Kimball, Newser Staff
Posted Aug 9, 2008 11:57 AM CDT
Dan Kaminsky, director of penetration testing for Seattle-based computer security consultant IOActive. (AP Photo)

(Newser) – A fatal flaw in Internet security has a patch, but it’s a leaky one, the New York Times reports. Yesterday, a Russian scientist demonstrated an attack that secretly redirected web traffic. It took him just hours using standard equipment; before the patch, it would have taken seconds. Thieves could use the method to hijack a user’s bank or credit card information.

And it’s not just academic. “We have already been seeing attacks in the wild for the past two weeks,” a clued-in consultant said. Veteran Internet technologists were not surprised. “What makes this so frustrating is that no one has been listening to what we have been saying for the past 17 years,” one professor said. There are at least two domain name systems that are more secure.