Well, sort of.
Today Dan Kaminsky released a first, as far as I can recall. A coordinated patch was released today by Dan Kaminsky of IO Active that fixes a vulnerability that apparently exists in all DNS servers.
Unlike other researchers who give up the gory details, Kaminsky took a wiser path by smiling and nodding. He’ll give up the goods at Black Hat in August. That should give folks enough time to patch their systems.
From CNET:
Toward addressing the flaw, Kaminsky said the researchers decided to conduct a synchronized, multivendor release and as part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco, Sun, and Bind are also expected to roll out patches later on Tuesday.
As part of the coordinated release, Art Manion of CERT said vendors with DNS servers have been contacted, and there’s a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Inc., Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.
So, the race is on. How long until the negaverse discovers the true nature of the vulnerability? Dan has provided a DNS checking tool on his site to see if your DNS is vulnerable.
More on this story over on Rich Mogull’s site. And there appears to be some doubt from the Matasano camp as to the substance of the vulnerability. UPDATE: Thomas Ptacek has retracted his earlier statement.
US-CERT drops another gem. It has to do with DNS cache poisoning.
UPDATE: Nate McFeters managed to wrangle an interview with Kaminsky and Ptacek.
UPDATE 2: Dan has posted a round up of his own on the release of the DNS vulnerability.
[tags]DNS Security, Dan Kaminsky, DNS[/tags]
