DNS 'Rebinding' Attack Worries Browser Vendors
Robert Lemos writes on SecurityFocus:
On a summer day seven weeks ago, a small group of software architects and network engineers descended on Stanford University, worried.
The group -- which, according to sources, included representatives from Microsoft, Mozilla, Sun Microsystems and Adobe -- had been summoned by a team of student researchers and professors at Stanford's Security Lab. The researchers had investigated reports that a critical part of browser security could be bypassed, allowing an online attacker to connect to browser-accessible resources on a victim's local network.
While previous attacks using JavaScript could send data to a network, the attack investigated by Stanford -- known as domain-name service (DNS) rebinding -- could send and receive data from the local network, completely bypassing the firewall.
To prove the danger, the Stanford students bought placement for a Flash advertisement on a marketing network and found that, for less than $100, an attacker could have hijacked as many as 100,0000 Internet addresses in three days.
"This turns out to be several orders of magnitude cheaper than renting a bot net," Collin Jackson, a PhD student in computer science at Stanford and a member of the Security Lab, said during an interview at the Black Hat Security Briefings.