Mike Harvey, Technology Correspondent
Update: Windows patch leads to web black-out
Internet giants have united to fix a serious flaw in the internet addressing system that might have let hackers hijack web traffic.
The big software and hardware makers worked in secret for months to create a software patch which has now been released to repair the glitch.
The flaw, discovered by accident, would allow criminals to redirect users to fake webpages, even if they typed the correct address into a browser. Dan Kaminsky, a security researcher at IOActive, stumbled upon the vulnerability in the domain name system (DNS) about six months ago and contacted industry giants including Microsoft, Sun Microsystems and Cisco to collaborate on a solution.
DNS is the internet's equivalent of a telephone exchange, linking the web address typed by a user with the website's unique numerical address.
"It's a fundamental issue with how the entire addressing scheme of the internet works," Rich Mogull, an analyst at Securosis, said in a conference call. "You'd have the internet, but it wouldn't be the internet you expect. (Hackers) would control everything."
The flaw would be a boon for "phishing" cons that involve leading people to web pages imitating businesses such as banks or credit card companies to trick them into disclosing account numbers, passwords and other information.
"People should be concerned but they should not be panicking," Mr Kaminsky said. "We have bought you as much time as possible to test and apply the patch. Something of this scale has not happened before."
Mr Kaminsky has built a web page, www.doxpara.com, where people can find out whether their computers have the DNS vulnerability.
Mr Kaminsky was among about 16 researchers from around the world who met in March at Microsoft's campus in Redmond, Washington, to figure out what to do about the flaw.
"I found it completely by accident," Mr Kaminsky said. "I was looking at something that had nothing to do with security. This one issue affected not just Microsoft and Cisco, but everybody."
The software experts created a patch to release simultaneously across all computer software platforms. "This hasn't been done before and it is a massive undertaking," Mr Kaminsky said. "A lot of people really stepped up and showed how collaboration can protect customers."
Microsoft released its patch yesterday as part of its regular patch schedule, and automated updating should protect most personal computers. Businesses and internet service providers are being urged to make sure that their networks are protected.
Technical details of the flaw are being kept secret for a month to give companies time to update computers. It is not thought that the flaw had been exploited prior to its discovery.
"This is a pretty important day," said Jeff Moss, founder of a premier Black Hat computer security conference held annually in Las Vegas. "We are seeing a massive multi-vendor patch for the entire addressing scheme for the internet - the kind of a flaw that would let someone trying to go to Google.com be directed to wherever an attacker wanted."
Despite the scale of the patching operation, web use is not expected to be affected.
Hackers using the vulnerability to attack company computer networks would also be able to capture e-mail and other business data. Mr Kaminsky also alerted US national security agencies to the crack in cyber warfare defenses. "This really shows the value-add of independent security researchers," Jerry Dixon, a former director of the US Department of Homeland Security's national cyber security division, said.
Copyright 2009 Times Newspapers Ltd.
Well I am just very glad that Mr. Kaminsky is an honest person with integrity. It would be very easy to try and make a fast buck by 'selling' the information he had or even to use for his own advantage.
Thank you, Mr. Kaminsky.
Dan, Leeds, UK
Personally I think that global society itself is to blame for the problems we all suffer from hackers and virus writers. If I rob a bank with a gun and get caught, I get 10 years or shot! Hack into 10,000 bank accounts, you get a patch written and forgotten.
Catch and punish to deter the rest
Kev, Suffolk, UK