Patch your OS now

In early July it was made public that Dan Kaminsky, internet security guru, had figured out (several months earlier) a way to use DNS (the internet's name-lookup system, the thing that turns a name like www.example.com into a numeric address) to do bad things. It is called "cache poisoning." A DNS resolver uses a cache to remember answers it has already looked up so it does not have to keep looking them up. While DNS itself may be fairly secure, that cache apparently is not: an attacker who can get a forged answer accepted into it has everyone who uses that resolver believing the forgery until it expires. This would allow, for instance, a bad guy to substitute his own server for your bank's server. Or, more likely, his own server that looks like the bank to the end user, for everybody who goes to that bank's web site via a certain resolver on the internet.

This is not a bug in one vendor's DNS software. The vulnerability is part of the design of the protocol, so it is ubiquitous. This might be the most widespread and simultaneously serious vulnerability ever to require a more or less simultaneous repair. A patch was devised and released on July 8th by a large number of vendors at once.

The full details are due to be made public in early August. The patch is a mitigation that makes forged answers far harder to guess; it does not redesign DNS. In the meantime, there are increasing reports of attacks (though small scale) using this vulnerability, as well as reports of the patch working.

This bug can affect DNS clients as well as DNS servers. The main target is the caching resolver your ISP or your company runs, but anything that caches DNS answers, including the resolver built into your own operating system, is exposed.

For those of us who only vaguely understand these things (which is not hard, since the details are secret!) there is only one thing to do: that nagging flyout on your desktop that says "system upgrades are available, install?" with the options of "yes" vs. "later" (or whatever)...? Press the "yes" button. Every day. Until August 12th or so. That ought to do it.
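To make the "forged answer accepted into the cache" idea concrete, here is a toy simulation of the race described above. It is an added example, not code from the original post or from Kaminsky; the resolver, the attacker loop, the address constants and the `kaminsky_attack` / `simulate` / `success_probability` names are all assumptions of this model. It runs the same attacker against an unpatched resolver (queries always leave from UDP port 53, so only the 16-bit transaction ID has to be guessed) and against a patched one (random 16-bit source port as well), and shows why the July 8th patch works without changing DNS itself: the forger now has to guess roughly 32 bits per try instead of 16.

```python
"""Toy model of Kaminsky-style DNS cache poisoning (added example).

Simplifications, all assumptions of this model rather than real DNS behaviour:
  - a reply is accepted if its 16-bit transaction ID and its destination UDP
    port match the resolver's one outstanding query for that name;
  - an unpatched resolver always queries from port 53, a patched one from a
    uniformly random 16-bit port (real resolvers avoid a few reserved ports);
  - the legitimate answer "arrives" after the attacker's burst, so each race
    is decided purely by whether one forged packet matched;
  - a name that is not in the cache is answered with REAL_IP, standing in for
    a genuine upstream lookup.
"""
import random

ZONE = "bank.example"                 # constructed zone name
VICTIM_NAME = "www.bank.example"      # the record the attacker wants to poison
REAL_IP = "192.0.2.10"                # documentation address: the real bank
ATTACKER_IP = "198.51.100.7"          # documentation address: the attacker


class CachingResolver:
    """Minimal caching resolver with a single outstanding upstream query."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}          # name -> IP
        self.outstanding = None  # (qname, txid, src_port)

    def send_query(self, qname):
        txid = self.rng.getrandbits(16)
        port = self.rng.getrandbits(16) if self.randomize_port else 53
        self.outstanding = (qname, txid, port)

    def receive(self, qname, txid, dst_port, answer, additional):
        """Accept a reply only if it matches the outstanding query.

        `additional` models the extra records a Kaminsky forgery carries:
        names inside the zone being asked about ("in bailiwick") are cached
        along with the answer, which is how www.bank.example gets poisoned
        even though the race was over some random throwaway name."""
        if self.outstanding is None:
            return False
        if (qname, txid, dst_port) != self.outstanding:
            return False  # wrong ID or port: silently dropped
        self.cache[qname] = answer
        for name, ip in additional.items():
            if name.endswith("." + ZONE):
                self.cache[name] = ip
        self.outstanding = None
        return True

    def lookup(self, name):
        return self.cache.get(name, REAL_IP)


def kaminsky_attack(resolver, races, guesses_per_race, rng):
    """Force `races` lookups of fresh nonexistent subdomains and flood each
    with `guesses_per_race` forged replies (a random contiguous block of
    transaction IDs, all aimed at port 53). Returns the race number at which
    the cache was poisoned, or None if it never was."""
    poison = {VICTIM_NAME: ATTACKER_IP}
    for race in range(1, races + 1):
        # A fresh random name each time: a cached answer would end the race,
        # a nonexistent one forces a new upstream query every time.
        qname = f"{rng.getrandbits(32):08x}.{ZONE}"
        resolver.send_query(qname)
        start = rng.getrandbits(16)
        for i in range(guesses_per_race):
            if resolver.receive(qname, (start + i) & 0xFFFF, 53, ATTACKER_IP, poison):
                return race
        resolver.outstanding = None  # the real NXDOMAIN arrives; nothing cached
    return None


def success_probability(guesses_per_race, races, port_bits=0):
    """Chance of winning at least one race when each forgery must match a
    16-bit transaction ID plus `port_bits` bits of source port."""
    p_race = guesses_per_race / 2 ** (16 + port_bits)
    return 1 - (1 - p_race) ** races


def simulate(randomize_port, seed=2008, races=2000, guesses_per_race=500):
    """Run one attack; returns (race poisoned at or None, what the victim
    name now resolves to)."""
    rng = random.Random(seed)
    resolver = CachingResolver(randomize_port, rng)
    won_at = kaminsky_attack(resolver, races, guesses_per_race, rng)
    return won_at, resolver.lookup(VICTIM_NAME)


if __name__ == "__main__":
    for patched in (False, True):
        race, ip = simulate(patched)
        print(f"port randomization={patched}: poisoned at race {race}, "
              f"{VICTIM_NAME} -> {ip}, analytic odds "
              f"{success_probability(500, 2000, 16 if patched else 0):.4f}")
```

The numbers are the whole story: 500 guesses per race against a fixed port give each race a 500/65536 chance, so a couple of thousand races (a few minutes of traffic in 2008) are a near certainty; with the port randomized the same burst has a 500/2^32 chance per race and the attacker is back to brute-forcing for weeks. That is why the patch buys time, and why it is a mitigation rather than a cure: the cache is still trusting whatever reply wins the race.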

Comments

  1. #1 Paladin
    July 28, 2008

    “This would allow, for instance, a bad guy to substitute his own server for your bank’s server. Or, more likely, his own server that looks like the bank to the end user to everybody who goes to that bank’s web site via a certain node on the internet.”

    Of course, that’s why there are those annoying messages from your web browser that tell you things about security certificates that do not match, or are self-signed and so on. If people would only read those messages…

  2. #2 Hank Roberts
    July 28, 2008

    > It is called “cashe poisoning.” DNS uses a cache …

    aaaaaaaaaaaaaauuuuuuuuuuuuuggggghhhh …

    Sorry. Typos drive me crazy some mornings.
