[ISN] Kaminsky (finally) provides DNS flaw details

InfoSec News alerts at infosecnews.org
Fri Jul 25 07:31:37 CDT 2008


http://news.cnet.com/8301-1009_3-9998906-83.html

By Robert Vamosi
Security
News.com
July 24, 2008

In his first public comments since his Domain Name System (DNS) cache 
poisoning flaw was made public, Dan Kaminsky said in a conference call 
on Thursday he doesn't want to parse who said what when. He just wants 
everyone to understand that they must patch their systems now.

Speaking during the second pre-Black Hat security conference Webinar, 
Kaminsky, who's director of penetration testing for IOActive, provided 
the most information to date about the DNS flaw he found earlier this 
year but only disclosed in public on July 8. DNS is what translates the 
common name of a Web site into its numerical IP address, and is 
therefore a fundamental component of the Internet. His announcement 
coincided with a massive, multivendor patch release. But he withheld 
details, hoping that most people would get their systems patched before 
the bad guys got a hold of it.

Kaminsky said the word is getting out about the patches, but there are 
still many systems that are vulnerable. From the period of July 8 
through July 13, 86 percent of the people testing their system on his 
Web site were vulnerable. Today it's 52 percent. "Not perfect; not even 
good enough," he said. But "I'll take 52 any day of week and twice on 
Sunday."

[...]



