funsec mailing list archives
Re: Leaks in Patch for Web Security Hole
From: Valdis.Kletnieks () vt edu
Date: Sun, 10 Aug 2008 00:51:57 -0400
On Sat, 09 Aug 2008 10:29:23 EDT, "Richard M. Smith" said:
> In a posting on his blog <http://tservice.net.ru/%7Es0mbre/blog/devel/networking/dns/2008_08_08.html>, the physicist, Evgeniy Polyakov, wrote that he had fooled the software that serves as the Internet's telephone book into returning an incorrect address in just 10 hours
Vixie said "11 seconds". So the patch added a work factor of roughly 3,600, rather than the 64K that *full* randomization would have added. Or he just got lucky and it happened to work in the first 5% of the attack... But then, it was *known* that the patches merely made it harder to hit the hole, and DNSSEC is needed to *totally* fix the issue.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.