The biggest security patch release in Internet history
Security concerns truly bind us all together, and this is very much applicable in the electronic world. Yesterday saw the release of software patches from almost every major operating system and network device vendor that fix a critical vulnerability in the Domain Name System (DNS). This was a well-coordinated release for a vulnerability which was first discovered almost six months ago by Dan Kaminsky of IOActive.
The specifics of the vulnerability are not being disclosed; however, it is being described as an inherent design flaw that allows DNS poisoning (false DNS information being cached by a DNS server and served to clients requesting it) and that relies on predictable transaction IDs (TX IDs) and source port numbers. This could potentially lead visitors trying to access their everyday websites to be redirected to phishing or malicious websites.
The patch deployment process itself is going to take a while for bigger DNS installations; expect some phishing attacks to target end-users within days. As of this writing, my ISP in Dubai is vulnerable according to Dan Kaminsky’s script that checks for the flaw in DNS servers.
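To judge a resolver you operate against the two properties named above, you can score the source ports and TX IDs of its outbound queries taken from a packet capture. The sketch below is an added example, not Dan Kaminsky's script and not code from the original post; the thresholds, function names and sample captures are assumptions constructed for illustration.

```python
import statistics

FIELD_BITS = 16    # the DNS transaction ID and the UDP source port are both 16-bit fields
MIN_STDEV = 1000   # assumed cut-off; uniformly random 16-bit values have a stdev near 18,900
MAX_STEP = 8       # assumed: deltas this small indicate a fixed value or a counter

def is_predictable(values):
    """True when a field is fixed, tightly clustered, or counter-like."""
    if len(values) < 2:
        raise ValueError("need at least two observed queries")
    deltas = [(b - a) % (1 << FIELD_BITS) for a, b in zip(values, values[1:])]
    small_steps = sum(d <= MAX_STEP for d in deltas) / len(deltas)
    return small_steps >= 0.8 or statistics.pstdev(values) < MIN_STDEV

def assess(queries):
    """queries: (source_port, txid) pairs seen on a resolver's outbound queries."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_weak, txid_weak = is_predictable(ports), is_predictable(txids)
    # Upper bound on the bits a forged reply would have to match by guessing.
    bits = FIELD_BITS * ((not port_weak) + (not txid_weak))
    if port_weak and txid_weak:
        verdict = "POOR"
    elif port_weak or txid_weak:
        verdict = "WEAK"
    else:
        verdict = "GOOD"
    return {"port_predictable": port_weak, "txid_predictable": txid_weak,
            "max_guess_bits": bits, "verdict": verdict}

# Constructed sample captures (not real traffic).
TXIDS = [0x3F1C, 0xA902, 0x07BE, 0xD4E1, 0x6B30, 0x11F9, 0xE257, 0x8C44]
PORTS = [49211, 10233, 61002, 27654, 3391, 55120, 18877, 40468]
FIXED_PORT = [(32768, t) for t in TXIDS]              # one source port, varying TX IDs
COUNTER = [(1025 + i, 100 + i) for i in range(8)]     # both fields incrementing
RANDOMIZED = list(zip(PORTS, TXIDS))                  # both fields varying widely

if __name__ == "__main__":
    for name, capture in [("fixed port", FIXED_PORT), ("counter", COUNTER),
                          ("randomized", RANDOMIZED)]:
        print(name, assess(capture))
```

A handful of queries only shows obvious weaknesses such as a fixed port or a counter; a larger capture gives a more reliable spread estimate.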
For now, a good workaround is to use a third-party DNS service such as OpenDNS, which is not vulnerable to the discovered flaw.
NIST CVE-2008-1447 has more details and links to vendor patches.
