"More than a decade after serious holes were discovered in the internet's address lookup system, end users remain vulnerable to so-called domain name system cache poisoning, a security researcher has warned.
Developers of the software that handles DNS lookups have scrambled to patch buggy code that could allow the attacks, but not to the satisfaction of Amit Klein, CTO of security firm Trusteer, who over the past year has uncovered serious new vulnerabilities in multiple DNS products.
Last July, he exposed flaws in Berkeley Internet Name Domain (BIND), the mostly widely used DNS server. The flaws allowed attackers to predict the pseudo-random number transaction number that the software uses when providing the numeric IP address of a requested web page. That, in turn, could allow the attacker to supply a fraudulent address that leads to a malicious destination.
"I'm not too comfortable with the quality of the solution from the security and predictability standpoint," Klein said during a session at last week's RSA security conference in San Francisco."