|
Posted by Monty Solomon on July 27, 2008, 6:00 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Details of DNS Flaw Leaked; Exploit Expected by End of Today
By Kim Zetter
July 22, 2008
Despite Dan Kaminsky's efforts to keep a lid on the details of the
critical DNS vulnerability he found, someone at the security firm
Matasano leaked the information on its blog yesterday, then quickly
pulled the post down. But not before others had grabbed the
information and reposted it elsewhere, leading Kaminsky to post an
urgent 0-day message on his blog reading, "Patch. Today. Now. Yes,
stay late."
Hackers are furiously working on an exploit to attack the
vulnerability. HD Moore, creator of the Metasploit tool, says one
should be available by the end of the day.
Earlier this month, Kaminsky, a penetration tester with IOActive,
went public with information about a serious and fundamental security
vulnerability in the Domain Name System that would allow attackers to
easily impersonate any website -- banking sites, Google, Gmail and
other web mail websites -- to attack unsuspecting users.
Kaminsky announced the vulnerability after working quietly for months
with a number of vendors that make DNS software to create a fix for
the flaw and patch their software. On July 8, Kaminsky held a press
conference announcing a massive multivendor patch among those
vendors, and urged everyone who owns a DNS server to update their
software.
But Kaminsky broke one of the fundamental rules of disclosure in
announcing the bug. He failed to provide details about the flaw so
system administrators could understand what it was and determine if
it was serious enough to warrant an upgrade to their systems.
Kaminsky promised to reveal those details next month in a
presentation he plans to give at the Black Hat security conference in
Las Vegas. But he said he wanted to give administrators a 30-day head
start to get their systems patched before he provided details that
could allow hackers to create an exploit to attack the systems.
Kaminsky asked researchers not to speculate about the bug details in
the meantime and to trust that it was a serious issue. Some did as he
asked. But many security researchers took his coyness as a challenge
to uncover the details Kaminsky was holding back.
...
http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html
|
| Similar Threads | Posted | | Microsoft Gives First Key Details on New Xbox | March 10, 2005, 3:47 am |
| MSN Site Hacking - More Details | June 3, 2005, 11:44 pm |
| Details From Microsoft Regarding Significant WGA Changes | June 27, 2006, 1:14 pm |
| Nortel Chief Details Road Map | February 24, 2006, 12:45 pm |
| Vodafone Reveals Details of U.K. Broadband Strategy | November 10, 2006, 1:50 pm |
| TJX Releases More Details on Massive Data Breach | March 30, 2007, 12:05 am |
| Details of Unlisted Number Address "Exploit" Revealed | December 21, 2007, 12:39 pm |
| Bell Labs Details 100-Gbit Ethernet Over Optical Fiber | September 30, 2005, 1:01 pm |
| Suit Demands Details on Secret Court Wiretap Ruling | March 20, 2007, 11:47 am |
| Diebold Source Code Leaked Once Again | October 25, 2006, 6:28 pm |
|
|
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map