DNS flaw details heighten urgency to patch
A researcher has publicly exposed details surrounding a major design vulnerability in the domain name system (DNS) protocol, rejecting a request by the flaw's discoverer to avoid speculation.
As a result of the vulnerability details – later confirmed by a research firm that had been briefed on the issue by the bug's discover, Dan Kaminsky – US-CERT issued an advisory urging businesses to patch their DNS name servers immediately. Experts believe attack code is not far off.
"It's out," Kaminsky told SCMagazineUS.com on Tuesday. "Let's not pretend we're not in trouble. The bug is out. People gotta patch."
Kaminsky, who discovered the flaw several months ago and worked with about 80 vendors to release a joint patch, asked the research community to avoid speculation, promising he would release comprehensive details during a presentation scheduled for Aug. 6 at the Black Hat conference in Las Vegas.
Kaminsky, when he revealed the vulnerability in a conference call two weeks ago, said he wanted to hold off on releasing specifics behind the vulnerability so businesses would have a chance to patch prior to any possible attacks.
But that changed when Thomas Dullien, who uses the handle Harvar Flake, speculated on the vulnerability in a blog post. Dullien, chief executive of Germany-based research firm Zynamics.com, said he decided to hypothesize because he thought the delay between announcing the vulnerability and reporting the details actually hurt businesses.
“By asking the community not to publicly speculate…we are not buying anybody time, we are buying people a warm and fuzzy feeling,” wrote Flake, who prefaced his conjecture by saying he was likely well off base.
He apparently was not.
After his post appeared Monday, Thomas Ptacek, principal of Matasano Security, wrote his own blog post, confirming the findings. Kaminsky had previously briefed Ptacek on the vulnerability.
Ptacek, however, soon took his post down and said in another entry that he regretted that he had affirmed Flake's supposition.
“We removed it from the blog as soon as we saw it,” Ptacek wrote Monday. “Unfortunately, it takes only seconds for internet publications to spread.”
“This is a serious problem,” he added. “It merits immediate attention, and the extra attention it's receiving today may increase the threat.…That I helped detract from [Kaminsky's] work is painful both personally and professionally and I apologize to Dan for the way this played out.”
Kaminsky, who is the director of penetration testing at IOActive, declined to discuss the "drama" that has resulted since Monday's unlikely revelation surrounding the most hyped vulnerability of the year. He preferred instead to focus on the bigger issue -- that businesses running vulnerable recursive name servers must patch.
"Customers are at more risk than they were two days ago," he said. "The bug is real. Everyone who said, 'I don't have enough information to patch this bug so I'm not going to do it,' well you know what, now you've got enough information. Now there is a race [to patch]."
He said he was able to warn organizations and internet service providers 13 days before Flake posted his blog outlining the DNS flaw's details.
"That's more than I probably deserved," Kaminsky said.
If exploited, the vulnerability could permit a cache poisoning, which may allow a name server's clients to reach an incorrect, and possibly malicious, website of a hacker's choosing, US-CERT said.
Some customers have been reluctant to patch because of complications that could arise, Kaminsky said.
"Your email going to your competitors is worse," he said. "Google not going to Google is worse."
Flake did not respond to a request for comment.