It would seem there’s a bigger story to that MS08-037 flaw that came out for Patch Tuesday today.
From Dave Lewis over at the Liquid Matrix security blog:
Today Dan Kaminsky released a first, as far as I can recall. A coordinated patch was released today by Dan Kaminsky of IO Active that fixes a vulnerability that apparently exists in all DNS servers.
Unlike other researchers who give up the gory details, Kaminsky took a wiser path by smiling and nodding. He’ll give up the goods at Black Hat in August. That should give folks enough time to patch their systems.
From CNET:
Toward addressing the flaw, Kaminsky said the researchers decided to conduct a synchronized, multivendor release and as part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco, Sun, and Bind are also expected to roll out patches later on Tuesday.
As part of the coordinated release, Art Manion of CERT said vendors with DNS servers have been contacted, and there’s a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Inc., Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.
Apparently Kaminsky has also provided a DNS checking tool on his site to see if your DNS is vulnerable.
The Liquid Matrix guys also mention that Rich Mogull has more details on the flaw over at the Securosis blog, and that the Thomas Ptacek, of the Matasano crew, has some doubts about this flaw, as seen on Twitter. Mogull calls the issue a “major issue in DNS that could allow attackers to easily compromise any name server (it also affects clients).” Mogull further goes on to say:
The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn’t directly possible.
Dan asked for some assistance in getting the word out and was kind enough to sit down with me for an interview. We discuss the importance of DNS, why this issue is such a problem, how he discovered it, and how such a large group of vendors was able to come together, decide on a fix, keep it secret, and all issue on the same day.
Dan and the vendors, did an amazing job with this one. We’ve also attached the official CERT release and an Executive Overview document discussing the issue.
Further, Mogull has released a podcat of his interview with Kaminsky here.
I’ll be trying to reach out to Thomas Ptacek and Dan Kaminsky to see if we can get anymore details, but we may have to accept that this won’t be resolved for a month at Black Hat. We’ll have full coverage of that event, so stay tuned.
-Nate
