A computer security company has published details of a major flaw in the Internet's Domain Name System (DNS) two weeks before they were due to be revealed.

The flaw was discovered several months ago by IOActive researcher Dan Kaminsky, who worked through the early part of this year with Internet software vendors such as Microsoft, Cisco and the Internet Systems Consortium to patch the issue.
The companies released a fix for the bug two weeks ago and encouraged corporate users and Internet service providers to patch their DNS systems as soon as possible. Although the problem could affect some home users, it is not considered to be a major issue for consumers, according to Kaminsky.
At the time he announced the flaw, Kaminsky asked members of the security research community to hold off on public speculation about its precise nature in order to give users time to patch their systems. Kaminsky had planned to disclose details of the flaw during a presentation at the Black Hat security conference set for 6 August.
Some researchers took the request as a personal challenge to find the flaw before Kaminsky's talk. Others complained at being kept in the dark about the technical details of his finding.
On Monday, Zynamics.com CEO Thomas Dullien (who uses the hacker name Halvar Flake) [cq] took a guess at the bug, admitting that he knew very little about DNS.
His findings were quickly confirmed by Matasano Security, a vendor that had been briefed on the issue.

"The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat,"Matasano said in a blog posting that was removed within five minutes of its 1:30 p.m. Eastern publication. Copies of the post were soon circulating on the Internet, one of which was viewed by IDG News Service.
Matasano's post discusses the technical details of the bug, saying that by using a fast Internet connection, an attacker could launch what's known as a DNS cache poisoning attack against a Domain Name server and succeed, for example, in redirecting traffic to malicious Web sites within about 10 seconds.
Matasano Researcher Thomas Ptacek declined to comment on whether or not Flake had actually figured out the flaw, but in a telephone interview he said the item had been "accidentally posted too soon." Ptacek was one of the few security researchers who had been given a detailed briefing on the bug and had agreed not to comment on it before details were made public.



Matasano's post inadvertently confirmed that Flake had described the flaw correctly, Ptacek admitted.



Late Monday, Ptacek apologised to Kaminsky on his company blog. "We regret that it ran," he wrote. "We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread."
Kaminsky's attack takes advantage of several known DNS bugs, combining them in a novel way, said Cricket Liu vice president of architecture with DNS appliance vendor Infoblox, after viewing the Matasano post.
The bug has to do with the way DNS clients and servers obtain information from other DNS servers on the Internet. When the DNS software does not know the numerical IP (Internet Protocol) address of a computer, it asks another DNS server for this information. With cache poisoning, the attacker tricks the DNS software into believing that legitimate domains, such as idg.com, map to malicious IP addresses.
In Kaminsky's attack a cache poisoning attempt also includes what is known as "Additional Resource Record" data. By adding this data, the attack becomes much more powerful, security experts say. "The combination of them is pretty bad," Liu said.
An attacker could launch such an attack against an Internet service provider's domain name servers and then redirect them to malicious servers. By poisoning the domain name record for www.citibank.com, for example, the attackers could redirect the ISP's users to a malicious phishing server every time they tried to visit the banking site with their Web browser.



Kaminsky declined to confirm that Flake had discovered his issue, but in a posting to his Web site Monday he wrote "13>0," apparently a comment that the 13 days administrators have had to patch his flaw before its public disclosure is better than nothing.
"Patch. Today. Now. Yes, stay late," he wrote.
He has posted a test on his Web site that anyone can run to find our if their network's DNS software is patched

Hackers preparing to exploit DNS flaw


Security experts are warning that a DNS attack is now imminent, following the accidental publication of the details of a DNS flaw.

Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."
The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. HD Moore, author of the Metasploit penetration testing software, agreed with Aitel that the attack code was not going to be difficult to write.
The flaw, a variation on what's known as a cache poisoning attack, was announced on 8 July by IOActive researcher Dan Kaminsky, who planned to disclose full details of the bug during an 6 August presentation at the Black Hat conference.
That plan was thwarted when someone at Matasano accidentally posted details of the flaw, ahead of schedule. Matasano quickly removed the post and apologised for its mistake, but it was too late. Details of the flaw soon spread around the Internet.
And that's bad news, according to Paul Vixie, president of the company that is the dominant maker of DNS software, the Internet Systems Consortium. Vixie, like others who were briefed on Kaminsky's bug, did not confirm that it had been disclosed by Matasano. But if it had, "it's a big deal," he said.



The attack can be used to redirect victims to malicious servers on the Internet by targeting the DNS servers that serve as signposts for all of the Internet's traffic. By tricking an Internet service provider's (ISPs) servers into accepting bad information, attackers could redirect that company's customers to malicious web sites without their knowledge.



Although a software fix is now available for most users of DNS software, it can take time for these updates to work their way through the testing process and actually get installed on the network.
"Most people have not patched yet," Vixie said. "That's a gigantic problem for the world."
Just how big of a problem is a matter of some debate.
Neal Krawetz, owner of computer security consultancy Hacker Factor Solutions, took a look at DNS servers run by major ISPs earlier this week and found that more than half of them were still vulnerable to the attack.
"I find it dumbfounding that the largest ISPs ... are still identified as vulnerable," he wrote on his blog. "When the [hackers] learn of the exploit, they will go playing. They are certain to start with the lowest hanging fruit - large companies that are vulnerable and support a huge number of users."
He expects that users will see attacks within weeks, starting first with test attacks, and possibly even a widespread domain hijacking. "Finally will be the phishers, malware writers and organised attackers," he said. "I really expect these to be very focused attacks."
Most ISPs will have probably applied the patch by the time any attacks start to surface, and that will protect most home users, said Russ Cooper, a senior information security analyst with Verizon Business. And business users who use secure DNS-proxying software will also be "pretty much protected" from the attack at their firewall, Cooper said.

Hackers have released software that exploits a recently disclosed DNS flaw. The attack code was released Wednesday by developers of the Metasploit hacking toolkit. Internet security experts warn that this code may give criminals a way to launch virtually undetectable phishing attacks against Internet users whose service providers have not installed the latest DNS server patches. Attackers could also use the code to silently redirect users to fake software update servers in order to install malicious software on their computers, said Zulfikar Ramizan, a technical director with security vendor Symantec. "What makes this whole thing really scary is that from an end-user perspective they may not notice anything," he said. The bug was first disclosed by IOActive researcher Dan Kaminsky earlier this month, but its technical details were leaked onto the Internet earlier this week, making the Metasploit code possible. Kaminsky had worked for several months with major providers of DNS software such as Microsoft, Cisco and the Internet Systems Consortium (ISC) to develop a fix for the problem. The corporate users and Internet service providers who are the major users of DNS servers have had since July 8 to patch the flaw, but many have not yet installed the fix on all DNS servers. The attack is a variation on what's known as a cache poisoning attack. It has to do with the way DNS clients and servers obtain information from other DNS servers on the Internet. When the DNS software does not know the numerical IP address of a computer, it asks another DNS server for this information. With cache poisoning, the attacker tricks the DNS software into believing that legitimate domains map to malicious IP addresses. In Kaminsky's attack a cache poisoning attempt also includes what is known as "Additional Resource Record" data. By adding this data, the attack becomes much more powerful, security experts say. An attacker could launch such an attack against an ISP's domain name servers and then redirect them to malicious servers. By poisoning the domain name record for www.citibank.com, for example, the attackers could redirect the ISP's users to a malicious phishing server every time they tried to visit the banking site with their browser.

__________________