Jul 24 2008
As everyone knows, Matasono accidentally released confirmation of the DNS vulnerability. And rumor has it there’s been unstable code to take advantage of it since last week and stable code since earlier this week. And HD Moore has released a Metasploit plugin for the vulnerability. It’s in the wild, it’s starting to be used, and if you haven’t patched already, you need to get it done ASAP. I’ll be the first to state I’m not a DNS expert, but the people I’ve talked to that are say patch immediately.
I have talked to a number of people about Dan’s DNS vulnerability and even most of the people who initially said this event was being overblown are now starting to say patch as quickly as you can. My employer, Trustwave, takes this event seriously enough to send out an alert to our clients, something I haven’t seen them do before. We have some very talented engineers and if they’re taking this seriously, you should too. So quit reading this post and go patch already!
As an aside, Thomas Ptacek and the crew from Matasano were at ChiSec last night, and they’re feeling, or at least acting, very mollified for their part in this debacle. There are a dozen ways they could have handled this better and they know it. But sometimes stuff happens. I gave Thomas a hard time to his face last night, now I’m done harping on him. As Chris Hoff was Twittering last night, there’s a serious problem with the security researcher community where being the first to discover and disclose an incident like this is more important than getting the problem solved for as many companies as possible. And that’s not likely to change any time soon. It’d be nice if it did, but there are too many people who rely on this sort of publicity to fuel their businesses and their egos. Such is human nature.
If you’re still reading this, you better be patched already. And if you work at AT&T, why haven’t you patched the servers my iPhone uses yet?!