SecurityFocus 2007-08-06
LAS VEGAS -- On a summer day seven weeks ago, a small group of software architects and network engineers descended on Stanford University, worried.
The group -- which, according to sources, included representatives from Microsoft, Mozilla, Sun Microsystems and Adobe -- had been summoned by a team of student researchers and professors at Stanford's Security Lab. The researchers had investigated reports that a critical part of browser security could be bypassed, allowing an online attacker to connect to browser-accessible resources on a victim's local network. While previous attacks using JavaScript could send data to a network, the attack investigated by Stanford -- known as domain-name service (DNS) rebinding -- could send and receive data from the local network, completely bypassing the firewall.
To prove the danger, the Stanford students bought placement for a Flash advertisement on a marketing network and found that, for less than $100, an attacker could have hijacked as many as 100,000 Internet addresses in three days.
"This turns out to be several orders of magnitude cheaper than renting a bot net," Collin Jackson, a PhD student in computer science at Stanford and a member of the Security Lab, said during an interview at the Black Hat Security Briefings.
The issue, which had been discussed only among experts in the area of browser security, came to prominence this week in Las Vegas. Two security experts -- David Byrne, security architect with EchoStar Satellite, and Dan Kaminsky, director of penetration testing at IOActive -- gave separate presentations on the subject at the Black Hat Security Briefings and then repeated their talks at the DEFCON hacking conference. Their warning: Corporate firewalls and virtual private networks (VPNs) could easily be penetrated using this technique, and any permanent fix will take time.
"If you came to my (hypothetical) Web site, I get to use -- not something like a VPN -- but your VPN into your network," Kaminsky told SecurityFocus after his presentation. "You come to my Web site and it lets me misuse your Web browser like a VPN concentrator."
The attack exploits a flaw in how security in the browser and key browser elements -- such as Flash and Java -- are implemented. At the heart of the problem is the security concept of Same Origin Policy, which restricts -- through sandboxing -- JavaScript from one domain from running in the context, or having access to the resources, of another domain.
The policy, while simple in concept, turns out to be difficult to implement correctly, said EchoStar's Byrne during his presentation.
"The same origin policy is a good idea ... but it is also terribly broken in most implementations," Byrne said.
While security researchers have begun focusing on the issue in earnest, the basic research on the problem is more than a decade old.
In 1996, three researchers from Princeton found a flaw in the implementation of the Same Origin Policy in Java and the Netscape browser. A malicious Web site could register two -- or more -- addresses as valid for its domain, and if one of the addresses was actually part of the network local to the victim's browser, the act would allow the Internet site to access the local resource. A variant of the attack uses low time-to-live (TTL) settings in the DNS record to allow the attacker to update Internet addresses on the fly and reroute requests to the victim's local network.
"This attack is particularly dangerous when the browser is running behind a firewall, because the malicious applet can attack any machine behind the firewall," researchers Drew Dean, Edward Felten and Dan Wallach stated in their May 1996 paper presented at the IEEE Symposium on Security and Privacy in Oakland. "At this point, a rogue applet can exploit a whole legion of known network security problems to break into other nearby machines."
To solve the problem, Java-developer Sun Microsystems and browser vendors adopted a technique known as DNS pinning, where the software does not allow changes to the Internet address associated with a domain for a certain period of time. Pinning the domain name slowed the association of a second network address with the domain, severely restricting such attacks.
However, the domain name eventually has to expire, and vulnerability researchers have searched for ways to speed the process. Such techniques are known as anti-DNS pinning attacks, a subset of DNS rebinding attacks. Moreover, the browsers and common plug-ins, such as Adobe's Flash and Sun's Java, use separate tables of pinned domains and have different implementations and weaknesses, researchers have found.
The latest attack, outlined by Martin Johns of the University of Hamburg a year ago, forces browser software to refresh the DNS entry by making the original Web site inaccessible, using a firewall rule for example.
Both EchoStar's Byrne and IOActive's Kaminsky delved into the impact of the attack, and found that -- with a victim's browser as a proxy -- an attacker could use software usually available to any penetration tester to enumerate and attack a normally protected network.
"Once the attacker has access to the internal network, simple tools can be used to find vulnerabilities," Byrne said.
Browser and plug-in developers are now looking at solutions to the problem.
In mid-June, engineers and programmers from Microsoft, Mozilla, Sun Microsystems and Adobe met with Stanford researchers to discuss the issue. The school's Security Lab has created a Web site to determine if a browser is vulnerable and will present a paper on its findings at the Association for Computing Machinery's Conference on Computer and Communications Security in October.
"We have definitely been circulating the paper with vendors and trying to agree to a solution," Stanford researcher Jackson said. "They have been responsive."
Representatives of Mozilla attended the Stanford session and, while the browser maker typically focuses on consumers, the group acknowledged that the problems with DNS pinning are significant.
"There are some scenarios where we are concerned," Window Snyder, chief security officer for Mozilla, said during an interview at the Black Hat Security Briefings.
Microsoft is also aware of the proof-of-concept attacks, a spokesperson for the software giant said in a statement sent to SecurityFocus.
"We are doing further investigations into DNS pinning and are working with the industry on potential next steps to address this issue," the spokesperson stated. "We're not aware of any DNS pinning attacks that are affecting customers."
Representatives for Adobe and Sun Microsystems could not immediately be reached for comment.
Other researchers also underscored the seriousness of the problem. Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, and Robert Hansen, the security researcher better known as RSnake, had shown how to scan an intranet using a browser and malicious JavaScript. The researchers said that attacks using JavaScript and anti-DNS pinning techniques are likely to be a threat in the future.
"It's bad, really bad," Grossman said. "But it will be two or three years before the bad guys are using the attack."
Companies worried about the issue could implement policies to not allow Java and JavaScript. However, that is not a good solution for companies or consumers, EchoStar's Byrne said.
"Disabling JavaScript is like driving a car around in first gear," Byrne said. "You can still get around the Internet, but it won't nearly be as useful."
Instead, companies should implement firewall rules that block Internet domains from resolving to internal network addresses, said Stanford researcher Jackson.
"If you are concerned about your network, the way to fix it (right now) is at the firewall," Jackson said.
To permanently fix the problem, several security researchers -- including Byrne, Grossman and Hansen -- recommend that browsers and network hardware implement the ban on letting Internet domains resolve to an internal network address. Still, teaching the browser to discriminate between public and private addresses is not necessarily an easy task, Mozilla's Snyder said.
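As an added illustration, not code from the article or from any of the vendors it quotes, the following Python sketch combines the two defences described above: DNS pinning (the first accepted address is kept for a minimum period even if the record carries a low TTL) and the firewall-style rule of refusing to let an Internet name resolve to an internal network address. The class name, the `.corp.example` suffix and the address list are assumptions made for this example.

```python
import ipaddress
import time

# Ranges a public Internet name should never resolve to (RFC 1918, loopback,
# link-local, IPv6 ULA/loopback). Constructed list for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip: str) -> bool:
    """True if ip lies in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class RebindGuard:
    """Hypothetical resolver-side cache combining the two defences the
    article describes: reject answers that map an external name onto an
    internal address, and pin the first accepted address for at least
    min_pin seconds so a low TTL cannot swap it out mid-session."""

    def __init__(self, internal_suffixes=(".corp.example",), min_pin=60.0,
                 clock=time.time):
        self.internal_suffixes = tuple(internal_suffixes)  # names allowed inside
        self.min_pin = min_pin
        self.clock = clock            # injectable so the pin window is testable
        self.cache = {}               # name -> (ip, pinned_until)

    def is_internal_name(self, name: str) -> bool:
        return name.endswith(self.internal_suffixes)

    def accept(self, name: str, ip: str, ttl: int) -> str:
        """Apply a DNS answer for name; return the address the client may use.
        Raises ValueError when the answer would rebind an external name
        onto the local network."""
        if is_internal(ip) and not self.is_internal_name(name):
            raise ValueError(f"rebind blocked: {name} -> {ip} is internal")
        now = self.clock()
        cached = self.cache.get(name)
        if cached and now < cached[1]:
            return cached[0]          # still pinned: ignore the new answer
        self.cache[name] = (ip, now + max(ttl, self.min_pin))
        return ip
```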
Like Microsoft, Mozilla could not say when the browser and software makers would agree on a way to fix the problem.
"It is complicated," Snyder said. "All the proposals we have investigated have costs or consequences."