
Reverse Engineering Patches

Many of you may have heard of the massive DNS patch release coordinated by Dan Kaminsky. What you may have also heard is that the details of the vulnerability and the patch would be released at Black Hat this year (two weeks from now).

This has been one of the few patch releases with such widespread secrecy around it. Very few people knew about the patch until Windows (and OS X and Linux) asked them to update. Now that the patch is released, the new code can be viewed and compared to the old code, and people can figure out what the problem is. It took a while, but several people have done just that.

There are some generally accepted “rules” of vulnerability disclosure that most security researchers follow, including agreeing not to disclose a vulnerability before a patch is released. In this case, however, the patch was released well before the vulnerability was disclosed (if not by the initial researcher). With the patch out there, smart people are going to look at it to see why things were patched. BIND, an open source DNS server, was affected, so its code is freely available. It was only a matter of time before someone (with more time than me) read the code to see what changed and what was wrong.

Reverse-engineering patches is more difficult, but not impossible, when you don’t have the source code, so it’s not reasonable to expect people to keep quiet.

In this particular case there were a lot of politics around disclosure and the Black Hat talk, but the fact remains the same: once the patch is released, the cat’s out of the bag, and it’ll be pretty hard to get it back in.

2 Responses to “Reverse Engineering Patches”

  1. Peter Hesse Says:

    My understanding is that the main reason that Kaminsky didn’t release the details of the vulnerability is that it is the topic of his talk at Black Hat. You are absolutely right that once the patch has been released, especially for open-source systems, the cat is out of the bag.

  2. Dan Kaminsky Says:

    The nature of the fix was unconnected to the bug — it fixed it as an interesting side effect. We thought perhaps we could get people some time to deploy the fix.

    We got 13 days, which was more than 0.
