
Don't doubt Deputy Dan

Written by Nathan McFeters, Contributor
Well, it would seem that Tom Ptacek may have figured out something to do with Dan Kaminsky's earlier DNS flaw, and this may actually be the vulnerability to fear that we had originally heard about. Let's just say this: I've read Tom's postings on the Matasano blog for quite some time now, and he's a smart enough guy to not be easily impressed. The last time I saw a post where he looked truly this impressed was when Mark Dowd actually pulled off that ridiculous null pointer exploit. From the Matasano blog:

Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!

Thomas Ptacek | July 08th, 2008 | Category: Uncategorized

Java JSESSIONID: BB16479A0338D3DCF26D11712F138BC1

.NET ASPESSIONID: HHODHGFDJOJAKDIPPJCKHGOE

SiteMinder SMESSIONID: su/hxP2nLeaZBdEn8qClOdeCGwG2xfLaBfXQF2QpSCSxKYBLVTF7OfqtVcHxLITpuNa6+1W c2ZJ9MKWInlFlEe5GqZAjobgyzInCwe3JiTebqyJaftWtVht/La0qlvjLF9oaI5y1aIdtUGiTmQI OW28AL0gLJe4pdA0sw2fq4cBG8ZWPMblwX4nGCGXGU8JQ1PtOhm8ohtSQcXZ7lm35t29 P5tcbfDrQs3z4g43zrLRO5M68m91xP7xcHY0uLuSYUSMFIrUbaEVSVVewFY4tskjPYecoWT uLV0deSJilKpfSTVyekbzGXO2ejhIPxsE5cvPVNPt5AoJ6KIdvWMezUHz+KQt3uVuJEHpZkU QhEfLrWAdJ2TwE++na2G3GI8BqlSOB+KRl3rz19/9nqpE87c/IWsscSfOQLemzwd/Z3DZfn ioKB/tFsZWLndqdNq5XmDuRvRN2+EVMT8QFYEq1c+mNhsOIeFCjo8JOOXPG3F+r6h0kXN M4zjRtgN/qSYRAycXluqKozAIMgr5qemW1UItwCyqJu1cDMLuKgkSq9XXA3Cru6PVPF74D1 t8l2IvV2HWmxL2PP4RdIXa5Ofb1sCLc6AUZ9opLGhwYHt7S3PnxXzKoYsMJwoFm7nGqjKp J7S9e0iRTMUqY7fOgSQALLw+hsac7hhNCUtB3/xEhvfJ7Y4b1Xj26jWJAujEnHgF+DUJQHvX hkLl7Rr2dbCPJu/8hDMOKdfz4QJXAQSbCJyA4MrJLXn4UZLpgwMeIVMddvloO4dZatrxQT9m ZQtqvow5jKcpUKhtxqqf7M4MFDMOEvQdIT3U8WRsbjk1lT4UajljxyTa9TSF9sCid1BH/O3Hq YyJtfpDcr7QxqHXr9AZYtHbO93DX/I82bQ3mcCco

DNS XID: 04d8

Getting To File This Week’s Front Page Security Story Before Changing Out Of Your Pajamas: Priceless.

There are some vulnerabilities money can’t buy. For everything else: there’s the DNS.

Yeah, it would seem that Tom is impressed. One can guess at the issue here... it's obviously not just dealing with randomization of source ports, but also with the weak entropy in the DNS transaction ID (DNS XID). When Tom was impressed with Dowd's paper on null pointer exploitation, I spent a week reading and then re-reading the paper tons of times to make sure I wasn't getting duped. Maybe Dan will produce some serious fireworks for Black Hat this year, like he did for ToorCon Seattle. One thing seems to be clear: don't doubt Deputy Dan (for those who didn't know, Deputy Dan is the inside nickname given to Kaminsky by Microsoft employees who say he is pretty immovable once convinced of a security issue). Apply that patch ASAP.

-Nate
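A defender-side check for the two properties mentioned above (source port randomization and XID entropy), as an added example that is not from the original post or the Matasano blog: it takes (source port, XID) pairs observed on a resolver's outbound queries and flags a fixed or stepping port or XID. The function names, the 50% threshold and the sample captures are assumptions constructed for illustration.

```python
from collections import Counter

FIELD_SIZE = 65536  # both the UDP source port and the DNS XID are 16-bit fields


def dominant_step_fraction(seq):
    """Fraction of consecutive differences (mod 2^16) equal to the most common one.

    A fixed value (step 0) or a counter (step 1) gives 1.0; random values give
    a fraction close to 1/len(seq).
    """
    steps = [(b - a) % FIELD_SIZE for a, b in zip(seq, seq[1:])]
    _, count = Counter(steps).most_common(1)[0]
    return count / len(steps)


def assess(samples, threshold=0.5):
    """samples: ordered (source_port, xid) pairs from one resolver's outbound queries."""
    if len(samples) < 3:
        raise ValueError("need at least 3 observed queries")
    ports = [p for p, _ in samples]
    xids = [x for _, x in samples]
    port_predictable = dominant_step_fraction(ports) > threshold
    xid_predictable = dominant_step_fraction(xids) > threshold
    # Lower bound, from what was observed, on the (port, XID) combinations a
    # forged reply would have to match. A predictable field contributes 1.
    guess_space = (1 if xid_predictable else FIELD_SIZE) * (
        1 if port_predictable else len(set(ports)))
    return {
        "port_predictable": port_predictable,
        "xid_predictable": xid_predictable,
        "guess_space": guess_space,
        "verdict": "POOR" if (port_predictable or xid_predictable) else "GOOD",
    }


# Constructed sample captures (not real traffic).
FIXED_PORT = [(32771, x) for x in (0x04D8, 0x9A31, 0x1F07, 0xC2E4, 0x6B59, 0xE810)]
SEQUENTIAL_XID = [(32771, x) for x in range(100, 106)]
RANDOMIZED = list(zip((49213, 1187, 60342, 23890, 8731, 37055),
                      (0x04D8, 0x9A31, 0x1F07, 0xC2E4, 0x6B59, 0xE810)))

if __name__ == "__main__":
    for name, capture in (("fixed port", FIXED_PORT),
                          ("sequential XID", SEQUENTIAL_XID),
                          ("randomized", RANDOMIZED)):
        print(name, assess(capture))
```

On a real resolver the input would be many more queries taken from a packet capture; six samples are enough here only to show the three cases.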