Google Patches Open-Source Flaw, Requires TLD Encryption
Google has made a couple of notable moves on the security front this week: One, it has patched flaws in a DNS software package known as Dnsmasq; and two, it said it would start requiring encryption for 45 top-level domains (TLDs) that it controls as a registrar.
Dnsmasq, an open-source package, is widely installed in desktop Linux distributions (like Ubuntu), home routers and IoT devices, and provides functionality for serving DNS, DHCP, router advertisements and network boot. Google discovered seven distinct issues within the kit: three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5.
The vulnerabilities could lead to the remote code execution, information exfiltration and denial of service conditions, Google said. For instance, CVE-2017-14493 is a trivial-to-exploit DHCP-based, stack-based buffer overflow vulnerability. In combination with CVE-2017-14494 acting as an info leak, an attacker could bypass ASLR and gain remote code execution.
The company has worked with the maintainer of Dnsmasq, Simon Kelley, to produce patches and mitigate the issue. Android partners have received the patch as well, and it’s included in Android's monthly security update for October.
Meanwhile, the internet giant is furthering its campaign to boost ubiquitous adoption of HTTPS encryption for websites by implementing HTTP Strict Transport Security (HSTS) on 45 top-level domains, including .ads, .fly, .app and others.
HSTS, which is incorporated into all major browsers, offers a method for websites to require that browsers connect using the encrypted HTTPS protocol. This provides greater security because the browser never loads an HTTP-to-HTTPS redirect page, which could be intercepted.
The move is the latest in a long line of HTTPS-promoting moves.
“We began in 2010 by defaulting to HTTPS for Gmail and starting the transition to encrypted search by default,” the company recapped, in a blog. “In 2014, we started encouraging other websites to use HTTPS by giving secure sites a ranking boost in Google Search. In 2016, we became a platinum sponsor of Let’s Encrypt, a service that provides simple and free SSL certificates. Earlier this year we announced that Chrome will start displaying warnings on insecure sites, and we recently introduced fully managed SSL certificates in App Engine.”
Under the new scheme, registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list.
Source: Information Security Magazine