Major DNS flaw revealed

Experts are warning of a major DNS vulnerability

A high-profile security flaw scheduled for disclosure next month has been released early, much to the chagrin of security experts.

Researcher Dan Kaminsky had originally planned to disclose details about the vulnerability at next month's Black Hat conference in Las Vegas.

The vulnerability lies in the basic components of the Domain Name System and could allow a hacker to use a 'cache poisoning' attack to redirect traffic without the user's knowledge.

Kaminsky said that, although he had known about the vulnerability for months, he had not publicly released any details to allow vendors time to patch the flaw and prevent the attack.

Vendors had responded well to the policy, coordinating a major patch release earlier this month. By last week, reports surfaced that a number of ISPs had either already patched the flaw or were in the process of doing so.

Yesterday, however, the grace period ended when a self-proclaimed DNS novice blew the gaff. Reverse engineering specialist Halvar Flake posted a theory which turned out to be Kaminsky's DNS flaw.

Researchers are now urging administrators who have not patched the flaw to install updates as soon as possible.

"Since this now means the bad guys have access to it at will, the urgency of patching your recursive DNS servers just increased significantly," said Sans researcher Swa Frantzen.

A posting on Kaminsky's blog said: "Patch. Today. Now. Yes, stay late." The US Computer Emergency Readiness Team has posted a set of guidelines for mitigating the flaw on unpatched servers.

The disclosure of the vulnerability was not exactly intentional. Flake was reading through a basic DNS text in his spare time and posted a blog on Monday speculating on the possible flaw.

"I have done pretty much no protocol work in my life, so I have little hope for having gotten close to the truth," he wrote.

As it turns out, Flake's speculation was right on. Security firm Matasano briefly posted a blog entry confirming Flake's hypothesis. Shortly after, the posting was removed and the company issued an apology for the confirmation.

"Dan told me about his finding personally in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference," wrote Matasano principal Thomas Ptacek.

"That I helped detract from that work is painful both personally and professionally, and I apologize to Dan for the way this played out."

Flake, however, issued no such apologies. The researcher noted that the information embargo assumed that malware writers would not discover and exploit the flaw before the Black Hat conference.

"I respect Dan Kaminsky's viewpoint, but I disagree that this buys anyone time," Flake wrote.

"If nobody speculates publicly, we are pulling the wool over the eyes of the general public and ourselves. We are not buying anybody time; we are buying people a warm and fuzzy feeling."