Technical details of a flaw in the Domain Name System that made headlines earlier in July were accidentally posted to a well-read security blog July 21. Dan Kaminsky advises immediate patching.
Details of the DNS flaw uncovered by security researcher Dan Kaminsky have
found their way into the public arena.
Kaminsky, who is the director of penetration testing for the security
company IOActive, had planned on keeping the specifics of his discovery close
to his vest until the Black Hat conference in August in Las Vegas. Now, the
details of his findings appear to have leaked out by accident.
The flaw, which can be exploited to launch DNS (Domain Name System) cache
poisoning attacks against DNS servers and redirect Internet traffic, was
discovered by Kaminsky several months ago and led a number of vendors to
cooperate and coordinate the release of a patch two weeks ago. This is an
important flaw that affects multiple products—basically any recursive DNS
server. If a server is compromised, attackers could redirect traffic from that
server to anywhere they wanted, say, to a fake "google.com" that was
actually a malicious site.
Reverse engineering expert and Zynamics CEO Halvar
Flake posted speculation about the bug on a blog July 21. In response,
security research and development firm Matasano, which was aware of the true
details of the flaw, posted confirmation of Flake's speculation on the Matasano company blog. The
Matasano post has since been taken down, but remains alive courtesy of a Google
search.
"The cat is out of the bag," read the
now-removed Matasano post. "Yes, Halvar Flake figured out the flaw
Dan Kaminsky will announce at Black Hat."
Late the same day, Matasano's Thomas Ptacek apologized on the company blog,
explaining the firm had "dropped the ball."
Ptacek wrote, "Earlier today, a security researcher posted their
hypothesis regarding Dan Kaminsky's DNS finding. Shortly afterwards, when the
story began getting traction, a post appeared on our blog about that
hypothesis. It was posted in error. We regret that it ran. We removed it from
the blog as soon as we saw it. Unfortunately, it takes only seconds for
Internet publications to spread."
Kaminsky's attempts to keep a tight lid on details of the flaw until
Black Hat sparked controversy among some security professionals who felt
details of the vulnerability should have been released.
For now, IT pros can fall back on the patches vendors have made available,
as well as suggested mitigations.
Kaminsky has posted a tool on his Web site that allows anyone to check to
see if a DNS server is vulnerable. DNSstuff launched a piece
of freeware July 16 on its site that does the same.
"Patch," Kaminsky advised on his
blog. "Today. Now."