Retro attack gets new life, worries browser makers
Robert Lemos, SecurityFocus 2007-08-06

Story continued from Page 2

Browser and plug-in developers are now looking at solutions to the problem.

In mid-June, engineers and programmers from Microsoft, Mozilla, Sun Microsystems and Adobe met with Stanford researchers to discuss the issue. The school's Security Lab has created a Web site to determine if a browser is vulnerable and will present a paper on its findings at the Association for Computing Machinery's Conference on Computer and Communications Security in October.

"We have definitely been circulating the paper with vendors and trying to agree to a solution," Stanford researcher Jackson said. "They have been responsive."

Representatives of Mozilla attended the Stanford session and, while the browser typically focuses on consumers, the group acknowledged that the problems with DNS pinning are significant.

"There are some scenarios where we are concerned," Window Snyder, chief security officer for Mozilla, said during an interview at the Black Hat Security Briefings.

Microsoft is also aware of the proof-of-concept attacks, a spokesperson for the software giant said in a statement sent to SecurityFocus.

"We are doing further investigations into DNS pinning and are working with the industry on potential next steps to address this issue," the spokesperson stated. "We're not aware of any DNS pinning attacks that are affecting customers."

Representatives for Adobe and Sun Microsystems could not immediately be reached for comment.

Other researchers also underscored the seriousness of the problem. Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, and Robert Hansen, the security researcher better known as RSnake, had shown how to scan an intranet using a browser and malicious JavaScript. The researchers said that attacks using JavaScript and anti-DNS pinning techniques are likely to be a threat in the future.

"It's bad, really bad," Grossman said. "But it will be two or three years before the bad guys are using the attack."

Companies worried about the issue could implement policies to not allow Java and JavaScript. However, that is not a good solution for companies or consumers, EchoStar's Byrne said.

"Disabling JavaScript is like driving a car around in first gear," Byrne said. "You can still get around the Internet, but it won't nearly be as useful."

Instead, companies should implement firewall rules that block Internet domains from resolving to internal network addresses, said Stanford researcher Jackson.

"If you are concerned about your network, the way to fix it (right now) is at the firewall," Jackson said.

To permanently fix the problem, several security researchers -- including Byrne, Grossman and Hansen -- recommend that browsers and network hardware implement the ban on letting Internet domains resolve to an internal network address. Still, teaching the browser to discriminate between public and private addresses is not necessarily an easy task, Mozilla's Snyder said.
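
The rule recommended above, written as a check that a resolver or DNS-filtering firewall could apply to each answer set. This is an added example, not code from the article, the researchers or any vendor; the zone `corp.example`, the sample hostnames and the list of internal ranges are assumptions. It also shows one reason the public/private distinction is not trivial: an IPv4-mapped IPv6 answer has to be unwrapped before it is compared.

```python
import ipaddress

# Ranges an Internet-facing name should never resolve to (assumed policy list).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal(addr_text):
    """True if the address lies in an internal range, after unwrapping
    IPv4-mapped IPv6 (::ffff:a.b.c.d), which an IPv4-only check would miss."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETS
               if net.version == addr.version)

def in_zone(name, zones):
    """True if name equals, or is a subdomain of, one of the trusted zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def filter_answer(qname, answers, internal_zones):
    """Return (allowed, blocked) address lists for one DNS answer set.
    Names inside internal_zones may legitimately map to internal hosts."""
    if in_zone(qname, internal_zones):
        return list(answers), []
    allowed = [a for a in answers if not is_internal(a)]
    blocked = [a for a in answers if is_internal(a)]
    return allowed, blocked

# Constructed sample data: hypothetical names, documentation/private addresses.
SAMPLE = [
    ("www.example.com", ["203.0.113.10"]),
    ("rebind.example.net", ["203.0.113.10", "192.168.1.1"]),
    ("v6.example.net", ["::ffff:10.0.0.5"]),
    ("wiki.corp.example", ["10.1.2.3"]),
]

if __name__ == "__main__":
    for qname, answers in SAMPLE:
        allowed, blocked = filter_answer(qname, answers, {"corp.example"})
        print(f"{qname:22} allow={allowed} block={blocked}")
```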

Like Microsoft, Mozilla could not say when the browser and software makers would agree on a way to fix the problem.

"It is complicated," Snyder said. "All the proposals we have investigated have costs or consequences."

Copyright 2010, SecurityFocus