SILICON VALLEY

RESEARCHERS at an Internet security company have effectively invited hackers worldwide to zero in, after they prematurely leaked details of a serious flaw in the Internet's Domain Name System (DNS).

If exploited, the flaw could be used to launch so-called cache-poisoning attacks on computers, sending users to fake Web pages where they might enter passwords or credit-card details.

Details of the DNS flaw were revealed in two blog posts before they were meant to be announced publicly at a conference next month, reported ChannelWeb.

Security expert Dan Kaminsky had discovered the flaw six months ago.

Promptly alerting US national security agencies, he had also asked the research community to keep mum, while companies came up with ways to patch the flaw and block attacks.

Though the existence of a flaw was reported in the media, the crucial details have been kept under wraps until now.

But on Tuesday, Zynamics.com chief Thomas Dullien speculated in detail on the flaw in an extensive blog post.

The self-proclaimed DNS novice's speculation was correct, and researchers at Matasano Security confirmed his hypothesis.

Minutes after being posted, the Matasano post was taken down.

But it was too late.

The word was out.

"Since this now means the bad guys have access to it at will, the urgency of patching your recursive DNS servers just increased significantly," Sans researcher Swa Frantzen was quoted as saying on vnunet.com.

Matasano principal Thomas Ptacek later posted an apology on the company blog for prematurely publishing the flaw.

"It was posted in error... We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread," wrote Mr Ptacek.

"We dropped the ball here."

Mr Dullien, however, was unapologetic.

The researcher's position is that the information embargo simply assumes that so-called "malware" writers would not discover the flaw on their own and exploit it before Mr Kaminsky tells all at the Black Hat USA 2008 conference.

"I respect Dan's viewpoint, but I disagree that this buys anyone time," he wrote.

"If nobody speculates publicly, we are pulling wool over the eyes of the general public and ourselves."

Companies have now been alerted to go seek a patch as soon as possible from their Internet security providers.

It is understood that many major ISPs had also already patched the flaw or were in the process of doing so.

"Patch. Today," read a posting on Mr Kaminsky's blog.

" Now. Yes, stay late."

For more my paper stories click here.