DNS bug reveals the Internet's soft, chewy center
The latest DNS vulnerability shows the importance of keeping every piece of security and infrastructure software up to date -- and the very fragile state of networks that go unpatched.
Follow @rogeragrimesYou've probably been inundated with news about Dan Kaminsky's DNS cache exploit, potentially one of the biggest Internet-wide vulnerabilities ever announced. Unpatched DNS servers can be easily tricked into leading users to bogus Web sites, and literally, without patching the DNS servers (and sometimes the clients) there is little the average end-user can do. Although many Internet security experts believe this flaw is critical, but way overhyped, there is a likely chance that the crimeware industry will be working overtime to utilize this exploit.
It is so potentially damaging that Dan quietly worked with the world's biggest DNS services vendors to make sure they had patches before he went public with the exploit details at the Black Hat Conference on August 6. Even after announcing vendor patch availability, Dan had hoped to give companies and end-users many weeks to patch, or so that was the plan.
Many knowledgeable critics and DNS experts criticized Dan for not practicing full disclosure of the flaw along with the original announcement. Some speculated that they were sure he was overhyping the flaw himself. In a spirit of good faith, Dan released the details to two notable DNS experts after getting promises they would not disclose the details to anyone. Both parties reviewed Dan's exploit and stated that Dan did indeed have a new DNS bug that was critical and easy to exploit.
Unfortunately, one of those parties "unintentionally" leaked the bug early by publicly confirming another researcher's speculation. Within minutes, news went out all over the Internet, and within a few hours public exploit code began appearing. You can pick up the exploit code on more than a dozen Web sites on the Internet including at Metasploit.
