Tuesday
Jul292008
A Matter of Misplaced Trust
July 8, 2008: Multiple vendors release patches for non-specified DNS flaws and US CERT publishes Vulnerability Note VU#800113 titled "Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks."
July 9, 2008: The reporter of the DNS flaw, Dan Kaminsky, blogs about the "Astonishing Collaboration"
July 11, 2008: Kaminsky reports sharing details of the flaw with Thomas Ptacek of Matasano Security in order to appease critics. Ptacek confirmed the flaw and urged Kaminsky to "come clean on this and publish the details".
July 12, 2008: Halvar Flake speculates about the flaw, basing that speculation on publicly released info. His conclusions are a bit wrong as a result, but Thomas Ptacek's Matasano crew quickly responds with "The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat." And then Matasano went on to "publish the details". (Matasano pulled the blog post and eventually issued an apology but the damage had been done).
July 24, 2008: Twelve days after the untimely disclosure and barely 16 days after the CERT notice, Metasploit releases exploit modules for the DNS flaws.
July 28, 2008: Infobyte Security Research releases ISR-evilgrade v1.0.0 which employs the DNS exploit modules from Metasploit as part of its framework designed to "take advantage of poor upgrade implementations by injecting fake updates." First targets on the block: Sun Java, Winzip, Winamp, MacOS, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad, and Speedbit.
And all of this comes with the news that several major ISPs still have not patched to protect against the critical DNS flaws.
July 9, 2008: The reporter of the DNS flaw, Dan Kaminsky, blogs about the "Astonishing Collaboration"
July 11, 2008: Kaminsky reports sharing details of the flaw with Thomas Ptacek of Matasano Security in order to appease critics. Ptacek confirmed the flaw and urged Kaminsky to "come clean on this and publish the details".
July 12, 2008: Halvar Flake speculates about the flaw, basing that speculation on publicly released info. His conclusions are a bit wrong as a result, but Thomas Ptacek's Matasano crew quickly responds with "The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat." And then Matasano went on to "publish the details". (Matasano pulled the blog post and eventually issued an apology but the damage had been done).
July 24, 2008: Twelve days after the untimely disclosure and barely 16 days after the CERT notice, Metasploit releases exploit modules for the DNS flaws.
July 28, 2008: Infobyte Security Research releases ISR-evilgrade v1.0.0 which employs the DNS exploit modules from Metasploit as part of its framework designed to "take advantage of poor upgrade implementations by injecting fake updates." First targets on the block: Sun Java, Winzip, Winamp, MacOS, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad, and Speedbit.
And all of this comes with the news that several major ISPs still have not patched to protect against the critical DNS flaws.
Mary Landesman
Reader Comments