« Zero-Knowledge Password Management | Main | A User Study of Off-the-Record Messaging »
July 25, 2008
DNS Exploit "Weaponized," Major ISPs Still Flapping
“Nearly two weeks ago security researcher Dan Kaminsky, in coordination with US-CERT, announced a critical vulnerability in DNS (define) that could cripple parts of the Internet. At the time of disclosure, Kaminsky refused to provide full details of the vulnerability in hopes that users of DNS would have 30 days to patch their servers. As it turns out, they only got 13 days.
“Kaminsky admitted today on a Black Hat webcast that there is now a valid attack in the wild that exploits the DNS vulnerability. The attack is now available as a module for the point and click Metasploit framework making exploitation simple for script kiddies to try and execute.
“With the attack in the wild, millions of recursive DNS servers that have not yet been patched for the flaw could be at risk from the cache poisoning attack.
“‘It doesn’t matter who leaked the exploit, we have an actual extant threat to the network and it’s a big deal,’ Kaminsky said. ‘I don’t care who said what when. Now it doesn’t matter, what matters is people need to patch. We’re in a lot of trouble. This attack is being weaponized out in the field.’”
(Link)
“According to an informal survey of Register readers, 15 ISPs failed the ‘Check my DNS’ test (see button to the right) on the website of researcher Dan Kaminsky, who discovered the bug. Now that attack code exploiting the vulnerability has been leaked into the wild, millions of subscribers are at risk of being silently redirected to impostor sites that try to install malware or steal sensitive information. Comcast and Plusnet were the only two ISPs we found that weren’t vulnerable.
“The lack of action comes after Kaminsky, domain name resolution guru Paul Vixie and others have repeatedly warned that the vulnerability has the potential to wreak havoc on the net. Their advisories became more urgent following the leaking of the vulnerability details, which Kaminsky intended to keep private until next month’s Black Hat conference in Las Vegas.
“‘It’s obviously not a high enough priority in the minds of large companies yet,’ said Tom Parker, manager of security consulting at Mu Dynamics, a seller of security products. ‘It is concerning that there are lots of people out there that haven’t done anything about it yet.’”
(Link)
Kaminsky and the Register both plug OpenDNS, which is perfectly easy to set up for the average home user. If you visit Kaminsky’s site and his vulnerability tester says you’re using a vulnerable DNS server, OpenDNS is a safe haven until your ISP gets its act together.
Posted by mhall at 12:07 AM | Add Comment
Leave a comment