InternetDNS Cache Poisoning Flaw Goes Ballistic

Kaminsky admits flaw is now public and that less than half of potentially affected users have patched their servers.

Nearly two weeks ago security researcher Dan Kaminsky, in coordination with US-CERT, announced a critical vulnerability in DNS (define) that could cripple parts of the Internet. At the time of disclosure, Kaminsky refused to provide full details of the vulnerability in hopes that users of DNS would have 30 days to patch their servers. As it turns out, they only got 13 days. Kaminsky admitted today on a Black Hat webcast that there is now a valid attack in the wild that exploits the DNS vulnerability. The attack is now available as a module for the point and click Metasploit framework making exploitation simple for script kiddies to try and execute. With the attack in the wild, millions of recursive DNS servers that have not yet been patched for the flaw could be at risk from the cache poisoning attack. "It doesn't matter who leaked the exploit, we have an actual extant threat to the network and it's a big deal," Kaminsky said. "I don't care who said what when. Now it doesn't matter, what matters is people need to patch. We're in a lot of trouble. This attack is being weaponized out in the field." RELATED ARTICLES Is DNSSEC the Answer to Internet Security? Act MicroDevices Gets Macro Financial Boost DNS at Risk From Multivendor Cache Poisoning For more stories on this topic: Kaminsky admitted that he made an unreasonable request of security researchers to not try and produce exploit code for the vulnerability... [ Read more on www.internetnews.com ]

InternetVonage to Shuffle Chief Executives?

Report says Web phone provider will name a new CEO as it looks to get out of the red.

InternetJuniper Touts Strong Growth, CEO Succession

The networking vendor reports growing sales and successful competition against Cisco, while its new CEO gets set to join.