Major DNS Security Flaw Details Leaked

DATE: 22-JUL-2008
Discuss Total Posts: 1
By Larry Seltzer
One of the many things that researchers agreed on in the major coordinated fix of a flaw in the DNS earlier this month was to withhold details on the vulnerability itself in order to give users enough time to apply updates. Too bad, another researcher spilled the beans.

Halvar Flake, talented in the ways of reverse-engineering and not, it seems, part of any confidentiality agreement, speculated on the details of the attack in his blog. Flake disagrees on the utility of the 29 day blackout period; he argues that people are better off with more information in this case. He says "It feels like we're all trying to rock the train." (To get the rest of the joke preceding that punch line, read his blog.)

Flake dismissed his own expertise and assumed his guess must be wrong, but turns out he was right. Matasano Security released their own blog on Monday announcing that Flake was right and delving further into the details. They quickly realized they shouldn't have done that and pulled the blog entry, but too late: For instance, my own RSS reader had already gotten the entry and I have a copy of it.

Let's hope that Flake is right and that the silence period is not really advantageous, because the details of the attack became generally known 11 days after the patch, not 29. In the meantime, patch as fast as you can.

Originally posted on the PC Magazine security blog, Security Watch.


 


Comment on this article
Be the first to comment on this article.
Sponsored Content
White Papers

No registration required to download these free white papers:

Security in the World of Web 2.0

Intelligent Infrastructure for Information Services

Making Server Consolidation A Reality

Protecting Client Systems from the Crimeware Invasion

Top 10 Ways to Increase Enterprise Security While Reducing Costs
Upcoming eSeminars

Data Protection Virtual Tradeshow
Cameron Crotty 50x50

Available On-Demand
Join Cameron Crotty and experts as they explore best practices and solutions needed to maintain a secure flow of data.
Available On-Demand
Security 2.0: Controlling Complexity
with Cameron Crotty. Sponsored by Symantec
Available On-Demand
Backup Exec 11d - The Gold Standard in Windows Data Recovery
with Frank Derfler. Sponsored by Symantec
Advertisement
Sponsors
  • 64 Pages of How-To Operational Advice for IT
  • You have a choice! Ericom's Alternative to Citrix
  • Discover what 2000 Cisco customers know about Riverbed
  • ScanSoft PDF Converter Professional 4
  • Defy the laws of reporting with Crystal Reports® 2008.
  • See how EMC can help you store more intelligently.
  • When Speed Counts, Count On 3Com.
  • Download the Windows Server® 2008 Release Candidate today.
    		•
    Security IT Hub Contact Us | About | Advertise
    Ziff Davis Enterprise

    Home | Contact Us | Advertise | Link to Us | Reprints | Magazine Subscriptions | Newsletters | RSS Feeds | Tech Shop | White Papers | Tech Encyclopedia | PC Downloads | ROI Calculators | Tech Jobs | Enterprise Product Comparison Guides | Tech Webcasts | Tech Podcasts | Tech Video

    1UP | AppScout | Baseline | Careers | Channel Insider | CIO Insight | Cranky Geeks | DesktopLinux | DeviceForge
    DevSource | DigitalLife | DL.TV | eSeminars | eWEEK | ExtremeTech | Filefront | GameVideos | GearLog
    LinuxDevices | Linux Watch | Microsoft Watch | Mid-market | My Cheats | Networking | PC Magazine | PCMagCasts | PDF Zone |
    Publish | Security IT Hub | Server IQ | Smart Device Central | Strategic Partner | TechnoRide | Web Buyer's Guide |
    What's New Now | Windows for Devices | Ziff Davis Media International

    Use of this site is governed by our Terms of Use and Privacy Policy
    Copyright © 2004-2006 Ziff Davis Publishing Holding Inc. All Rights Reserved. Security IT Hub is a trademark of Ziff Davis Publishing Holdings Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.