On the heels of the release of weaponized exploit code for the DNS cache poisoning vulnerability, Microsoft has joined the chorus of security pros pleading with DNS server providers to immediately apply patches to protect users from malicious attacks.
The Redmond, Wash.-based software giant issued a formal security advisory today with a terse warning that "attacks are likely imminent" because of the availability of exploit code:
Since the coordinated release of these updates, the threat to DNS systems has increased due to a greater public understanding of the attacks, as well as detailed exploit code being published on the Internet.
Microsoft is not currently aware of active attacks utilizing this exploit code or of customer impact at this time. However, attacks are likely imminent due to the publicly posted proof of concept and Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
The company said its investigation of the exploit code, which was included in Metasploit, has verified that it does not affect Microsoft customers who have installed the updates detailed in Microsoft Security Bulletin MS08-037.
However, as Dan Goodin reports, some of the world's biggest ISPs are still very slow to ship fixes to protect customers. Goodin found that the tardy ISPs included AT&T, Time Warner and Bell Canada.
My own testing of AT&T's network on the iPhone returned conflicting results. Dan Kaminsky's Doxpara DNS checker said AT&T was vulnerable, but the same test at DNS-OARC's DNS checker returned this: 126.96.36.199 (schinetdns.mycingular.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.
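The two properties those checkers rate, source port randomness and transaction ID randomness, can be measured from a resolver's own outgoing queries: capture the queries it sends upstream and look at how the 16-bit source port and the 16-bit transaction ID vary from query to query. The Python below is an added example and is not code from this article, from DNS-OARC or from Doxpara; the tcpdump-style log format, the constructed samples and the GREAT/GOOD/POOR thresholds are assumptions chosen for illustration.

```python
"""Score source-port and transaction-ID randomness from captured resolver
queries. Added example; the log format and rating thresholds are assumptions."""
import random
import re
from typing import Dict, List, Tuple

# Constructed tcpdump-like line shape (assumption, not a real capture):
#   "<time> IP <src>.<sport> > <dst>.53: <txid>+ A? <name>. (<len>)"
LINE_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? A\? ")


def make_lines(pairs: List[Tuple[int, int]]) -> List[str]:
    """Render (source_port, txid) pairs as constructed capture lines."""
    return [
        f"12:00:{i % 60:02d}.000000 IP 192.0.2.10.{port} > 198.51.100.5.53: "
        f"{txid}+ A? q{i}.example. (26)"
        for i, (port, txid) in enumerate(pairs)
    ]


def parse_lines(lines: List[str]) -> Tuple[List[int], List[int]]:
    """Extract the source port and transaction ID of every query line."""
    ports, ids = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
            ids.append(int(m.group(2)))
    return ports, ids


def rate(values: List[int], bits: int = 16) -> str:
    """Rate a sample of 16-bit values as POOR, GOOD or GREAT (assumed thresholds).

    POOR:  heavy repetition (a fixed or tiny pool) or step-by-step increments,
           either of which lets an attacker guess the value.
    GOOD:  unpredictable but confined to a narrow band of the field.
    GREAT: spread across a large part of the field.
    """
    n = len(values)
    if n < 10:
        raise ValueError("need at least 10 observations for a meaningful rating")
    if len(set(values)) < 0.9 * n:
        return "POOR"
    steps = [abs(b - a) for a, b in zip(values, values[1:])]
    if max(steps) <= 16:
        return "POOR"
    if max(values) - min(values) < (1 << bits) // 8:
        return "GOOD"
    return "GREAT"


def rate_resolver(lines: List[str]) -> Dict[str, str]:
    """Rate both properties for one resolver from its captured queries."""
    ports, ids = parse_lines(lines)
    return {"source_port": rate(ports), "transaction_id": rate(ids)}


# Constructed samples (hypothetical data, not measurements from the article).
_rng = random.Random(20080724)
# A patched resolver: random ephemeral source port and random ID per query.
PATCHED = make_lines(
    [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(40)]
)
# Pre-patch behaviour the advisory addresses: one fixed source port, random IDs.
FIXED_PORT = make_lines([(32768, _rng.randint(0, 65535)) for _ in range(40)])
# Sequential IDs alongside random ports, to show the increment check.
SEQUENTIAL_IDS = make_lines(
    [(_rng.randint(1024, 65535), 1000 + i) for i in range(40)]
)

if __name__ == "__main__":
    for name, sample in (("patched", PATCHED), ("fixed port", FIXED_PORT),
                         ("sequential ids", SEQUENTIAL_IDS)):
        print(f"{name:15s} {rate_resolver(sample)}")
```

The rating is deliberately simple; the point is that a fixed source port shows up as POOR even when the transaction ID is perfectly random, which is exactly the gap the patches close by adding port randomization to the 16 bits of ID entropy.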
According to Rich Mogull, Apple is also among the tardy vendors:
Apple has yet to patch the vulnerability which affects both Mac OS X and Mac OS X Server. While individual computers that look up DNS are vulnerable, servers are far more at risk due to the nature and scope of the attack.
Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date.
All users of Mac OS X Server who use it for recursive DNS must immediately switch to an alternative or risk being compromised and traffic being redirected. Installing the above-mentioned BIND should be relatively trivial for anyone who can compile software at the command line. The Mac community could take this up if someone created a compiled version of BIND 9.0.5-P1 and distributed it for simpler installation.
With active exploit code available in a common attack tool, it is imperative that Apple fix this vulnerability. Due to their involvement in the process and the ability of other vendors to fix their products in a timely fashion, it's hard to imagine any possible justification for Apple's tardy behavior.
I have confirmed at least three publicly available exploits for this vulnerability, and there is reliable behind-the-scenes mumbling that others are on the way.
Dan Kaminsky gets the last word: "Less drama, more patching."