"COMPUTER industry heavyweights are rushing to fix a flaw in the foundation of the internet that could allow hackers to control traffic on the worldwide web.
Major software and hardware makers worked in secret for months to create a software "patch" released overnight to repair the problem, which is in the way computers are routed to web page addresses."
Full Story Here:
[news.com.au...]
Security researcher Dan Kaminsky of IOActive stumbled upon the Domain Name System (DNS) vulnerability about six months ago and warned industry giants including Microsoft, Sun and Cisco to collaborate on a solution.
Amazing how people just "stumble" on to stuff like this.
The patch can't be "reverse engineered" by hackers interested in figuring out how to take advantage of the flaw, technical details of which are being kept secret for a month to give companies time to update computers.
So, we have a month to wait before the details are released. I'll be on pins and needles the whole time counting down each day until those details come out. ;)
Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released
[securosis.com...]
On July 8th, technology vendors from across the industry will simultaneously release patches for their products to close a major vulnerability in the underpinnings of the Internet. While most home users will be automatically updated, it’s important for all businesses to immediately update their networks. This is the largest synchronized security update in the history of the Internet, and is the result of hard work and dedication across dozens of organizations.
His organisation is very cooperative about such things as requests to not try downloading zone files. He is very sincere about his work and how it is carried out.
To find out if the DNS server you use is vulnerable, click below.
[doxpara.com...]
Hmmm, guess what the results show me? My provider is vulnerable. And guess what they are vulnerable to?
Your name server, at ***.***.***.***, appears vulnerable to DNS Cache Poisoning.
Remember all those topics I ran on DNS Recursion and all that stuff that doesn't happen to many so it gets blown off? I have to wonder if this is related? I just don't know if I can wait a whole month to find out. ;)
Please Note
There is absolutely no reason to panic; there is no evidence of current malicious activity using this flaw, but it is important everyone follow their vendor's guidelines to protect themselves and their organizations.
Cisco just released information...
Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
2008-07-08 - [cisco.com...]
Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches.
US-CERT has all the details...
Multiple DNS implementations vulnerable to cache poisoning
National Cyber Alert System
Technical Cyber Security Alert TA08-190B
2008-07-08 - [us-cert.gov...]
So, it's the same old news.
As a provider that would not have been on Dan's radar, I had already sent a direct inquiry asking for clarification in the event that algorithmic changes had to be made. Given that the only current email address available to me was the one listed in the doxpara.com whois, I had my doubts about getting a timely answer. If the CERT advisory is accurate, then I have my answer. And, need not do anything :)
[forums.zonealarm.com...]
-Commerce
[isc.sans.org...]
KB951748 is rated as Important, but not Critical or Patch Now. I would make a guess that the folks at ZA (and from what I am reading some of the other like security app providers) are probably working on a solution.
Some have reported that turning the security level for ZA down to medium will also work.
-Commerce
PS - BTW, thanks to PageOneResults for the link to doxpara.com - it looks like a patched or upgraded DNS server will indeed report as safe.
If you have a hardware firewall or NAT router, moving the ZoneAlarm Firewall "Internet Security" slider to Medium is a safe approach, and avoids having to uninstall the Microsoft update.
If you don't have a hardware firewall, this is not safe to do because it allows file and printer sharing with anyone on the internet. But frankly, I'm not sure whether it's any more or less safe than uninstalling the Microsoft patches.
Jim
FAIL - Open DNS Servers
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Have you checked your DNS lately?
[webmasterworld.com...]
Your name server, at xx.xx.xx.xx, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 40.
Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.
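The Cisco advisory quoted earlier in the thread says the weakness is "insufficiently randomized DNS transaction IDs and UDP source ports", and the doxpara result just above flags a source-port spread of only 40 behind a NAT. The script below is an added example, not part of the original thread and not doxpara's own test code, showing how those two numbers translate into a blind spoofer's odds: it takes constructed samples of (source port, TXID) pairs, as a resolver's outgoing queries would reveal them, and computes the port spread, the size of the space an attacker must guess, and the probability that a burst of forged replies lands a match. The three sample sets, the 1024-port threshold for calling a range "narrow", and the uniform-guess model are this example's assumptions, not doxpara's published criteria.

```python
"""Estimate how forgeable a resolver's queries are from observed (port, TXID) pairs.

Added example; all sample data below is constructed, not captured from a live server.
"""
import math
from typing import List, Sequence, Tuple

Sample = Tuple[int, int]  # (UDP source port, DNS transaction ID)

TXID_SPACE = 1 << 16  # the DNS transaction ID is a 16-bit field

# Constructed: resolver randomizes the TXID but always sends from port 53
# (the pre-patch behaviour the advisories describe).
FIXED_PORT: List[Sample] = [
    (53, 0x1A2B), (53, 0x9F10), (53, 0x0042), (53, 0xC3D4), (53, 0x7777),
    (53, 0x2E2E), (53, 0xABCD), (53, 0x1234), (53, 0xBEEF), (53, 0x0FF0),
]

# Constructed: patched resolver, but a NAT in front of it rewrites the
# source ports into a 41-port window (spread of 40, as in the doxpara message).
NARROW_NAT: List[Sample] = [
    (32768, 0x4E1F), (32801, 0x0B9C), (32775, 0xD204), (32808, 0x63A7),
    (32790, 0x1F8E), (32772, 0xA5C0), (32799, 0x7D31), (32783, 0xE912),
]

# Constructed: patched resolver with ports drawn across the unprivileged range.
RANDOMIZED: List[Sample] = [
    (1078, 0x8C21), (53922, 0x3D7F), (29011, 0xF0A4), (61502, 0x05B9),
    (4450, 0x6E6E), (47319, 0xB17C), (15887, 0x2A90), (38764, 0xC4D3),
]


def port_spread(samples: Sequence[Sample]) -> int:
    """Largest minus smallest source port seen (the figure the doxpara check reports)."""
    ports = [port for port, _ in samples]
    return max(ports) - min(ports)


def guess_space(samples: Sequence[Sample]) -> int:
    """Upper bound on the (port, TXID) pairs a blind spoofer must cover.

    Assumption: ports are drawn uniformly from the observed window, so the
    attacker must cover spread+1 port values; TXIDs cover the full 16-bit
    space if more than one value is seen, otherwise a single fixed value.
    """
    txids = {txid for _, txid in samples}
    port_values = port_spread(samples) + 1
    txid_values = TXID_SPACE if len(txids) > 1 else 1
    return port_values * txid_values


def entropy_bits(samples: Sequence[Sample]) -> float:
    """log2 of the guess space: 16 bits for TXID alone, up to about 32 with ports."""
    return math.log2(guess_space(samples))


def forgery_success_probability(samples: Sequence[Sample], spoofed_replies: int) -> float:
    """Chance that at least one of N forged replies matches the outstanding query.

    Model (assumption): each reply is an independent uniform guess over the
    guess space, so P = 1 - (1 - 1/space)^N.
    """
    p = 1.0 / guess_space(samples)
    return 1.0 - (1.0 - p) ** spoofed_replies


def verdict(samples: Sequence[Sample], narrow_threshold: int = 1024) -> str:
    """Classify the port behaviour. The 1024 threshold is this example's
    assumption, not doxpara's published criterion."""
    spread = port_spread(samples)
    if spread == 0:
        return "fixed source port"
    if spread < narrow_threshold:
        return "narrow source port range"
    return "randomized source port"


def report(name: str, samples: Sequence[Sample], spoofed_replies: int = 65536) -> str:
    """One-line summary in the spirit of the doxpara result messages."""
    return (
        f"{name}: {verdict(samples)}; spread={port_spread(samples)}; "
        f"{entropy_bits(samples):.1f} bits; "
        f"P(hit with {spoofed_replies} forged replies)="
        f"{forgery_success_probability(samples, spoofed_replies):.4f}"
    )


if __name__ == "__main__":
    for label, data in (("fixed port", FIXED_PORT), ("narrow NAT", NARROW_NAT),
                        ("randomized", RANDOMIZED)):
        print(report(label, data))
```

With a fixed source port the attacker is left guessing only the 16-bit TXID, so 65536 forged replies give roughly a 63% chance of a hit on a single query; the 41-port NAT window pushes that down to about 2%, and a genuinely randomized port range to a fraction of a percent, which is why the doxpara message tells you to take a narrow spread up with the firewall or gateway vendor rather than the resolver's.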