This past Tuesday, July 8th, was a big day in information security. Accomplished security researcher Dan Kaminsky of IOActive announced a major new vulnerability in the DNS infrastructure underpinning the Internet. What is the vulnerability, you ask? We may all have to wait for Dan to tell us at the Black Hat Briefings security conference, kicking off on Wednesday, August 6th.
You see, what transpired Tuesday was a massive coordinated exercise in controlled vulnerability disclosure, pulled off by many of the biggest vendors in IT. It has been attempted (e.g., SNMP), but something like this has never really been pulled off before.
Dan Kaminsky, with the help of Internet pioneer Paul Vixie and US-CERT, pulled all the major players together and got them to actually agree they had a problem. At a closely guarded March 31st meeting on Microsoft's Redmond campus, the likes of Microsoft, Cisco and the ISC BIND team reached consensus on an aggressive fix to be coordinated among the participants. What's more, this diverse group managed to effectively keep a lid on their efforts until Tuesday. As Dan said in a podcast interview, they "were very careful."
Security research is all built upon trust, and the folks involved in this disclosure process proved themselves worthy of ours.
Dan references our very own Joe Stewart's 2002 work on DNS cache poisoning attacks as helping to form a basis for this new work.
For the less technically inclined, Rich Mogull's Executive Overview does a good job of explaining what all the fuss is about. Otherwise, I'd suggest you go right to the source, Dan's post at DoxPara Research. And for good measure and referential completeness, US-CERT Vulnerability Note #VU800113 is right here.