It's common wisdom in computer security that fixing a problem can frequently create other, sometimes more serious problems. So it was, when researchers discovered a critical bug that left a whopping 96.6 percent of the internet's top one million sites vulnerable to being hijacked mid-connection.
The bug (which has since been patched) was unwittingly created in 2012 during an attempt to fix a vulnerability in TCP, otherwise known as the crucial system for exchanging packets of data that specifies how 90 percent of communication on the internet works. Basically, the data packets exchanged between computers and websites are numbered in a sequence, and the initial fix was meant to protect against malicious packets by sending "challenges" when the packets received had a sequence number that's slightly off from what was expected.
The problem is, to keep track of these "challenges," the patch created a counter that incremented in a way that's visible to potential attackers, thus allowing outsiders to see the connections, determine the correct packet sequence, and inject data into the stream. In 2012, those changes were adopted into the Linux kernel, which as of last year runs on 96.6 percent of Alexa's top one million sites on the internet.
"In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection," the researchers write in their paper, which was presented earlier this week at the USENIX computer security symposium in Austin.
"Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks."
Interestingly, the authors also suggest that the vulnerability could be used to target users of the anonymity software Tor. By terminating a user's connection to certain nodes on the anonymity network—which bounces data through a random selection of computers located around the world—the researchers claim their attack can influence the path a user takes to "funnel" them into a malicious Tor exit node.
But as Tor engineer Isis Agora Lovecruft explains in a blog post, the attack doesn't really work against Tor in the way the researchers describe, since a failed connection causes a user's path through the anonymity network to completely reset.
Once that path is reset, she writes, "the client has just as much probability to select the same exit as they did the last time. Therefore, to use this attack to 'funnel' (as the authors describe) Tor users into using a particular exit node is of equal difficulty" to a much more difficult attack targeting the entire Tor network.
"Their attack does work as a general denial-of-service against not just Tor relays, but literally against anything running Linux," writes Lovecruft.