D-Link fixes the latest flaw in its routers, more patches on the way
You can't fling a rock these days without hitting a security vulnerability somewhere. From the Internet of Things to apps to Windows and even your own router. Yes, that D-Link box sitting on your desk can be a liability to you. That's a problem the company is attempting to clean up, after reports surfaced about the flaws.
The problems were discovered by a Canadian researcher and involve a remote access flaw that can leave users vulnerable. "Due to the nature of the ping.ccp vulnerability, an attacker can gain root access, hijack DNS settings or execute arbitrary commands on these devices [by] the user simply visiting a webpage with a malicious HTTP form embedded (via CSRF)", says Peter Adkins, who discovered the vulnerabilities.
It's the same old story -- researcher discovers and reports flaw and company does nothing. Hence the flaw goes public which usually generates a response and fix.
Now D-Link explains the problems -- "First vulnerability reportedly relates to a malicious user who might be be connected to the LAN-side of the device to use the devices upload utility to load malicious code without authentication. A second vulnerability reportedly relates to the device’s ping utility that might permit command injection without authentication. A third vulnerability reportedly may exploit certain chipset utilities in firmware to potentially permit a malicious user an attack disclosing information about the devices configuration".
The manufacturer, for it's part, has several recommendations for its customers -- check the router history for unauthorized access, encrypt Wi-Fi connections (this should go without saying), and check regularly for firmware updates, which will be listed here.
This is not the first, nor likely the last, flaw to be found in D-Link routers. But before you throw the company under the bus, realize that the alternatives are, in some cases, inferior.