A high-profile security flaw scheduled for disclosure next month has been released early, much to the chagrin of security experts.
Researcher Dan Kaminsky had originally planned to disclose details about the vulnerability at next month's Blackhat conference in Las Vegas.
The vulnerability lies in the basic components of the DNS system and can allow an attacker to use a 'cache poisoning' attack to redirect traffic without the user's knowledge. Though he had known about the vulnerability for months, Kaminsky was not publically releasing any detail in order to allow vendors time to patch the flaw and prevent attack.
Vendors had responded well to the policy, coordinating a massive patch release earlier this month. By last week, reports surfaced that a number of major ISPs had either already patched the flaw or were in the process of doing so.
Yesterday, however, the grace period ended when a self-proclaimed DNS novice blew the gaff. Reverse engineering specialist Halvar Flake posted a theory which turned out to be Kaminsky's storied DNS flaw.
Researchers are now urging administrators who have not patched the flaw to install updates as soon as possible.
"Since this now means the bad guys have access to it at will, the urgency of patching your recursive DNS servers just increased significantly," said Sans researcher Swa Frantzen.
"Patch. Today. Now. Yes, stay late," read a posting on Kaminsky's blog
The US-cert team has also posted a set of guidelines for mitigating the flaw on unpatched servers.
Flake's disclosure of the vulnerability was not exactly intentional. The researcher was reading through a basic DNS text in his spare time and posted a blog on Monday speculating on the possible flaw.
"I have done pretty much no protocol work in my life, so I have little hope for having gotten close to the truth," Flake wrote on the posting.
As it turns out, Flake's speculation was right on. Security firm Matasano briefly posted a blog entry confirming Flake's hypothesis. Shortly after, the posting was removed and the company issued an apology for the confirmation.
"Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference," wrote Matasano principal Thomas Ptacek.
"That I helped detract from that work is painful both personally and professionally, and I apologize to Dan for the way this played out."
Flake, however, issued no such apologies. The researcher noted that the information embargo assumed that malware writers would not discover and exploit the flaw before the Blackhat conference.
"I respect Dan's viewpoint, but I disagree that this buys anyone time," Flake wrote.
"If nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves."
"We are not buying anybody time, we are buying people a warm and fuzzy feeling."