Getting To File This Week’s Front Page Security Story Before Changing Out Of Your Pajamas: Priceless.

There are some vulnerabilities money can’t buy. For everything else: there’s the DNS.

Yeah, it would seem that Tom is impressed. One can guess at the issue here… it’s obviously not just dealing with randomization of source ports, but also with the weak entropy in the DNS transaction ID (DNS XID). When Tom was impressed with Dowd’s paper on null pointer exploitation, I spent a week reading and then re-reading the paper tons of times to make sure I wasn’t getting duped. Maybe Dan will produce some serious fireworks for Black Hat this year, like he did for ToorCon Seattle. One thing seems to be clear: don’t doubt Deputy Dan (for those who didn’t know, Deputy Dan is the inside nickname given to Kaminsky by Microsoft employees, who say he is pretty immovable once convinced of a security issue). Apply that patch ASAP.

