Since Dan Kaminsky‘s public announcement on July 8, 2008, regarding a serious DNS vulnerability, much publicity has been granted to this topic by the online press. Many key people in the industry reinforced the notion that this was serious. The message to system administrators was clear: “patch, trust us.”
This announcement was different than the prototypical announcement surrounding a software security vulnerability. Many vendors were already on board months prior, and patches for many DNS software applications were ready to be made public at the same time as the announcement. The unusual nature of the coordination effort and its subsequent announcement implied that this vulnerability was serious.
The good news: organizations had 30 days to patch their vulnerable software. On August 7, Dan will present the full details about the vulnerability at the Black Hat conference in Las Vegas.
30 Days Becomes 13 Days: Exploit Revealed
Unfortunately, that original window of 30 days turned out to be only 13 days. Last week, researcher Halvar Flake began speculating about the cache-poisoning nature of the vulnerability. While he did not get the exact detail of the exploit correct, he apparently got close enough. Shortly thereafter, Matasano Security published a blog entry, filling in some of the details that Halvar missed. The blog post was not intended to be posted before August 7, and it has since been deleted, but plenty of copies still exist on the Internet.
Too late. That was it. The cat was now out of the bag. Within a day or two, exploit code began appearing on the Internet.
As Kaminsky noted on his blog that day, “13>0 … Patch. Today. Now. Yes, stay late.” And that’s just what I did. Like a lot of people, I had dragged my feet on this one. Partly because I felt safe that I would have 30 days to patch.
Note to self: In future, assume 3 days instead of 30. Better yet, assume 0 days.
- US CERT Vulnerability Notice: VU#800113