
SQL is a virus

The Internet was hit by this attack last night. Parties unknown exploited the MS SQL vulnerability to launch a distributed denial-of-service attack which took down much of the Internet, as per this post. Meanwhile, I’d been mulling over a recent security alert that discusses a vulnerability close to the heart of the HTTP protocol. Once again, Vernor Vinge got it pretty much right. His future computer nets weren’t something you jacked into; they were a vast network full of legacy code and unexpected consequences. Sounds about right.

3 Comments

  1. Re: the TRACE problem. A quick search showed that this has been addressed for Apache, and it /is/ just a configuration change. But, as the note says, the real source of the problem is the browser being manipulated by a “carefully crafted page” to reveal authentication info – which to me says malicious JavaScript, plugin, or similar.

    http://www.apacheweek.com/issues/03-01-24#news

  2. Yeah, it’s the interaction between those problems that interests me. The TRACE problem is just a convenient way to get the cookie into the hands of the JavaScript; thus, the hole exists because of two overlapping systems. Very Vinge.

  3. Cool. Thanks, muchly, for the details on the virus. I’ve been eyeing the news and other things, and really wanted to know the details of what was attacked and how. It’s good to know the reality of what was going on.
