Оце цікавий день

http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx

A security researcher has responsibly disclosed a fundamental flaw within the Domain Name System (DNS), the addressing scheme behind the common names used on the Internet. Currently, it may be possible to guess these transaction ID values in advance and assert a malicious server as the authoritative DNS server for a popular bank or e-commerce site. The news was announced Tuesday.

Dan Kaminsky, director of penetration testing services for IO Active, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with them first. Without disclosing any technical details, he said, "the severity is shown by the number of people who've gotten onboard with this patch."

Toward addressing the flaw, Kaminsky said the researchers all decided to conduct a synchronized, multivendor release. As part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco Systems, Sun Microsystems, and BIND are also expected to roll out patches later on Tuesday.

The coordinated release covers a wide variety of vendors. Art Manion of US-CERT (United States Computer Emergency Readiness Team) said vendors with DNS servers have been contacted, and there's a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.




http://news.cnet.com/8301-10789_3-9985618-57.html?hhTest∂=rss&subj=news&tag=2547-1_3-0-5