Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.
From what I can tell, it’s out of the bag. I haven’t done any testing to make sure, but what I’ve read makes sense. If you’re not entirely sure about your DNS, set yourself up on OpenDNS now.
Edit: Ah to heck with it, looks like everyone knows where to find it now anyways. Here ya go, on Halvar Flake’s blog.
Edit Edit: Actually that’s not quite right, I think, but Matasano was, and I think you can figure it out from there.
Edit Edit Edit: Well, seeing as you can find out from comments on a Slashdot post, and other blogs, here’s the juicy part of the Matasano post:
Let’s try again to convince Bob that WWW.VICTIM.COM is 126.96.36.199.
This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).
Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.
Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is 188.8.131.52!
Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was 184.108.40.206. It also contained Additional RRs pointing WWW.VICTIM.COM to 220.127.116.11. Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link.
Patch patch patch (then play with it in your test environment).