Jul 21 2008

Patch DNS now

Published by at 3:03 pm under Hacking,Malware

I don’t know the details yet, but according to McGrew Security, someone at Matasano let out the details of the DNS vulnerability earlier today. And Dan Kaminsky probably isn’t very happy about it.

If you’re using a vulnerable DNS server, patch now. Not next week or even tomorrow, patch now. Everyone who’s in the know is saying this is a serious issue, and if the vulnerability got released into the wild, don’t expect it to take more than a day, maybe two before we start seeing DNS getting messed with. And I can see this becoming a serious problem by Black Hat.

Update: Thomas Ptacek has issued a public apology for releasing the DNS vulnerability.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

7 responses so far

7 Responses to “Patch DNS now”

  1. Security4allon 21 Jul 2008 at 3:44 pm

    It got published by error. But it’s already cached in Google reader and God knows how many other bots & readers that tune to their RSS feed.

    Matasano has published a public apology:

  2. milanoon 21 Jul 2008 at 6:40 pm

    Verizon Business understood this in their post DNS Vulnerability Is Important, but There’s No Reason to Panic:

  3. Martinon 21 Jul 2008 at 6:46 pm

    Panic? No, you’re right. But it’s also not just another vulnerability that can be ignored for a couple weeks more.

    There’s no reason to panic, but there’s no excuse for not updating immediately either.

  4. milanoon 21 Jul 2008 at 6:52 pm

    Richard Bejtlich is right on the mark with the Kaminisky gaffe!


  5. milanoon 21 Jul 2008 at 6:57 pm

    At the end of the day, the real research community will follow this anonymous blogger at the below sites analysis.

    Anonymous blog reply at http://taosecurity.blogspot.com/2008/07/what-should-dan-have-done.html

    (DK ->”If you remember, my last talk was given with no advance warning, not even a topic for the conference.”)

    Anonymous said…
    Yes, I remember. I remember you talking incessantly about it (and apparently still are). I speak at the same conferences, which is where my comments come from. I won’t even comment on the sombrero, or why it’s yet another perfect case-in-point.

    Five to ten years ago, waiting to “reveal all” details at BH, Defcon, Can/Pac/*Sec, various fledging San Diego sec cons, etc was perfectly normal. Now, the “industry” has changed – noted by “exit letters” issued by various people over time. That change can be contributed to too many reasons to count, but one of the largest include (and before I say it: yes. It’s not perfect, but there’s no comparison between now and 5-10 years ago) a strong undercurrent by vendors to “do right” by customers (altruistic motives debatable), and organizational security units to “do right” by their business units. We intentionally created a “circus” 5-10 years ago, and the results of doing so lead to the _comparatively_ positive climate experienced now by the vast majority of the industry. Stunts like you’ve done with this (turning it into a media frenzy) undermine the entire framework by making security professionals look like complete clowns in front of executives who read the hype you’re generating (but can’t objectively answer their questions). The negative impact on vendors is equal since your hype-engine backs everyone into a corner of responding only one way.

    One of the worst parts of the industry these days (as opposed to 5-10 years ago) is the no-disclosure/for-profit side. You are fueling that fire in so many ways, but the most ironic point of it all (in this thread) is the one oleDB raised (which makes it slightly more funny): “If you really cared about the details this much, why not invest some time into reverse engineering the patches.” Lol… By show of hands, who think that wasn’t done within 24-hours of their release and full details available to anyone who wanted them? And don’t even get me started on the accidental leaks. Yet; Hrmm; No mass-exploitation. Imagine that. Organizations must have patched THAT fast! Either that, or — Well, the jury is still out on the other side of this coin, and (after reversing those patches) you know where I stand on the issue.

    Your “months of hard work” didn’t have to be for not. It would have been interesting to find what you did, take a non-dramatic course of action, then present generically on the fundamentals of potentially similar vulnerabilities, taking a survey of other technologies/protocols/products/processes/etc that could suffer from the same and why. (Check out some of the less-hyped presentations this year. There’s a few examples of this. They probably won’t be wearing sombreros though.)

  6. […] supporting links: http://www.mckeay.net/2008/07/21/patch-dns-now/ http://www.matasano.com/log/mtso/ http://www.doxpara.com/?p=1176 […]

  7. […] supporting links: http://www.mckeay.net/2008/07/21/patch-dns-now/ http://www.matasano.com/log/mtso/ http://www.doxpara.com/?p=1176 […]

%d bloggers like this: