Tuesday, July 22, 2008

Details on DNS flaw inadvertently leaked; researcher says patch now

The cat is out of the bag before Black Hat. That isn't a passage from a Dr. Seuss children's book, but a description of what happened on Monday when a Web site accidentally posted details about a DNS flaw uncovered by security researcher Dan Kaminsky earlier this month.

Kaminsky, who plans to discuss the flaw at the forthcoming Black Hat security conference in Las Vegas next month, had wanted to keep the details private until then, in hopes of preventing the flaw from being used for malicously redirecting Internet traffic to phony Web sites for large-scale phishing exploits.

But on Monday, Matasano Security, which knew the ins and outs of how the flaw could be used for DNS cache poisoning, inadvertently publicized the details by confirming a complex speculative theory raised in a blog entry by Halvar Flake, a specialist in reverse engineering and the CEO of Zynamics.

"The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat," responded a post on the Matasano site, since taken down but still residing in Google's cache, at the time of this writing.

Matasono has since apologized for the glitch. "Earlier today, a security researcher posted [a] hypothesis regarding Dan Kaminsky's DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error," wrote Thomas Ptacek, principal of Matasano security, on the company's site.

"We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread," according to Ptacek.

"Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference. We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure. On a personal level, I regret this as well."

"Patch. Today. Now. Yes, stay late," Kaminsky warned on his own Web site after the Matasano post.

Kaminsky has added a "DNS checker" to his site, for use in determining whether a server has been patched for the flaw.

"Recently, a significant threat to DNS, the system that translates names you can remember (such as www.doxpara.com) to numbers the Internet can route (66.240.226.139) was discovered, that would allow malicious people to impersonate almost any website on the Internet. Software companies across the industry have quietly collaborated to simultaneously release fixes for all affected name servers," according to a blurb on the site about the tool.



  • Torvalds attacks IT industry ’security circus’
  • Robot lawn mower
  • Adobe Acrobat JavaScript flaw exploit in the wild
  • Next round of Microsoft ‘Patch Tuesday’ addresses Bluetooth problem
  • Next Patch Tuesday has few security updates, big Vista reliability fix
  •