News

Details on DNS flaw inadvertently leaked; researcher says patch now

By Jacqueline Emigh | Published July 22, 2008, 5:00 PM

The cat is out of the bag before Black Hat. That isn't a passage from a Dr. Seuss children's book, but a description of what happened on Monday when a Web site accidentally posted details about a DNS flaw uncovered by security researcher Dan Kaminsky earlier this month.

Kaminsky, who plans to discuss the flaw at the forthcoming Black Hat security conference in Las Vegas next month, had wanted to keep the details private until then, in hopes of preventing the flaw from being used for malicously redirecting Internet traffic to phony Web sites for large-scale phishing exploits.

But on Monday, Matasano Security, which knew the ins and outs of how the flaw could be used for DNS cache poisoning, inadvertently publicized the details by confirming a complex speculative theory raised in a blog entry by Halvar Flake, a specialist in reverse engineering and the CEO of Zynamics.

"The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat," responded a post on the Matasano site, since taken down but still residing in Google's cache, at the time of this writing.

Matasono has since apologized for the glitch. "Earlier today, a security researcher posted [a] hypothesis regarding Dan Kaminsky's DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error," wrote Thomas Ptacek, principal of Matasano security, on the company's site.

"We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread," according to Ptacek.

"Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference. We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure. On a personal level, I regret this as well."

"Patch. Today. Now. Yes, stay late," Kaminsky warned on his own Web site after the Matasano post.

Kaminsky has added a "DNS checker" to his site, for use in determining whether a server has been patched for the flaw.

"Recently, a significant threat to DNS, the system that translates names you can remember (such as www.doxpara.com) to numbers the Internet can route (66.240.226.139) was discovered, that would allow malicious people to impersonate almost any website on the Internet. Software companies across the industry have quietly collaborated to simultaneously release fixes for all affected name servers," according to a blurb on the site about the tool.

Can Linux do BitLocker better than Windows 7?

Betanews kicks off a new series with a look at how the Linux operating system's FDE stacks up against BitLocker, the Windows feature that today commands a $120 premium.

Firefox 3.5: The need for speed

This has been the big payoff week for Mozilla's developers, who worked overtime to squeeze out the last drop of performance from their new JavaScript engine.

'GeoHot' gets a shower, cleans up nice, reveals new iPhone 3G S jailbreak

Either puberty has been very kind to the author of the new 'Purple Ra1n' jailbreak tool, or George Hotz may also have some adequate Photoshop skills.

What's Next: Obama gives 'Einstein' the go-ahead, while China gives 'Green Dam' a thumbs-down

Plus: If you put up a Web site and name it after you and you're a federal judge, you might not want a bunch of weird nudity hanging around on it.

Why would Windows 7 customers spend $120 more for BitLocker?

For pre-orders from now until July 11, Microsoft is offering the Windows 7 Professional SKU for a very steep discount. So why invest in Ultimate?

Geeks vs. journalists: A tale of two worldviews

Recovery with Angela Gunn Why geeks think most mainstream journalism is flaky, and why the mainstream thinks geeks are trying to kill them. (They're both right.)

Fire in downtown Seattle data center knocks out businesses, online services

Small fire has global impact with payment centers, city services down.

Hybrid satellite cell phones aren't far off

The first satellite in Terrestar's hybrid cellular/satellite phone network has been launched.

SMS could be a critical iPhone vulnerability, says white-hat hacker

Mac hacker Charlie Miller knows how to get into your iPhone.

Will Oracle's Java-based Fusion middleware 'fuse' with Java?

Now that Oracle has acquired Sun Microsystems, Java developers and supporters are wondering when Oracle will formally welcome Java into the family.

All together now: iPhone and Palm Pre, likely to both grace O2's UK portfolio

European wireless network operator O2 has reportedly reached a deal to exclusively carry the Palm Pre in the UK. O2,...

Vista's dead: Microsoft kills an OS and no one cares

Carmi Levy: Wide Angle Zoom Can you kill an operating system? Microsoft is about to find out.

Kantaris Media Player 0.5.7

July 3 - 5:34 PM ET

Kaspersky Internet Security 2010 9.0.0.463 Beta

July 3 - 5:34 PM ET

Kaspersky Anti-Virus 9.0.0.463 Beta

July 3 - 5:34 PM ET

Wine 1.1.25

July 3 - 5:30 PM ET

ChrisTV Online! Free 4.00

July 3 - 5:22 PM ET

glu 1.0.19 RC1

July 3 - 5:11 PM ET

Website-Watcher 5.1.0 Beta 10

July 3 - 1:20 PM ET