Flake hypothesized on his blog about how an attacker could conduct DNS cache poisoning by overloading the server with requests until a legitimate answer is received. The goal is to get a DNS cache poisoning packet to match the transaction ID, according to Flake’s post. The technique also involves redirecting the name server to an IP address set up by the attacker, and the use of Bailiwick checking to dupe the server that the queried domain is legit.

Security researcher Thomas Ptacek and the team at Matasano Security, LLC responded quickly to the post with a post of their own, but quickly pulled it down, calling the post an error in judgment. Ptacek was one of two researchers briefed by Kaminsky on the details of the flaw. In the original post, Matasano said the attack could occur in less than 10 seconds, according to a researcher who had the post cached in his RSS feed reader.

“We confirmed the severity of the problem then and, by inadvertently verifying another researcher’s results today, reconfirm it today,” Ptacek said. “This is a serious problem, it merits immediate attention, and the extra attention it’s receiving today may increase the threat. The Internet needs to patch this problem ASAP.”

Kaminsky said he was trying to keep details of the flaw private to give companies and the government time to patch the DNS servers. In a Twitter post late Monday night, Kaminsky confirmed that the researchers figured out the details.

“DNS bug is public. You need to patch, or switch to opendns, RIGHT NOW,” Kaminsky said.

In a similar message on his DoxPara Research blog, Kaminsky warned IT pros to deploy the patches immediately.

“Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.”

Virtualization at the application level separates the application from the operating system, preventing applications from modifying system files and avoiding DLL conflicts, said Mike Ferron-Jones, manager of digital office platform marketing at Intel Corp. The technology allows applications to run on clients and be administered from a central location.

“It’s a great way to deploy applications in a way that eliminates the root cause of many helpdesk calls,” he said.

Application virtualization offers IT organizations the ability to save money and maintain control over licensing and patching while giving end users the mobility and performance they need, he and Brian Duckering, endpoint virtualization senior product marketing manager at Symantec Corp. said.

“You can strike a balance between the user and IT needs,” Duckering said.

Virtualization, however, doesn’t eliminate security problems, the executives said.

“An unpatched virtual application is just as vulnerable as an unpatched local application,” Ferron-Jones said.

Duckering cautioned that companies shouldn’t deploy virtualization just for the sake of it. “Understand why you’re doing it and what you’re trying to accomplish.”

Symantec is working on a virtualized security system for Intel’s vPro platform, but a published report last summer said licensing issues were delaying its release. The system will be isolated from the primary OS with the goal of making it tamper resistant.

In a statement Friday, Symantec said customers have been beta testing the first version of the virtual security system and “that customer input will be used for virtual security solutions going forward, but we do not have any dates set for a product release yet.” The company said it’s continuing to work with Intel Corp. and its vPro platform from an endpoint management standpoint.

At a seminar on compliance that SearchSecurity.com put on this week, I asked for a show of hands among the attendees on who was a trained security professional and who was more of a compliance and policy specialist. Somewhere north of 90% of the people identified themselves as security pros. And yet, here they were at a seminar on compliance, learning the ins and outs of every regulation under the sun and how to stay on the auditor’s good side. Many of these same people said that their companies also had a separate compliance group, but the security teams still shouldered a lot of the day-to-day compliance burdens. And these were professionals from some of the larger financial services, health care and retail companies in the world.

What this tells me, and what the attendees said themselves, is that even the biggest, most highly regulated companies still don’t have this compliance thing licked. A lot of the talk I hear at conferences and trade shows is about how to become compliant with one product, or framework or set of policies. Those things are certainly vital components of a compliance program, but the ugly truth is that regulations and networks change and shift constantly, and even if you passed an audit this morning with flying colors, you were probably out of compliance by the time you got back from lunch.

I would wager that the number of security professionals who got into the industry hoping to work their way into a compliance role approaches zero. But, virtually every expert I talk to about this tells me that there is more regulation coming in the near future and that things are going to continue getting more and more complex. This means more time poring over arcane legislation and industry requirements and less time solving interesting security problems. At that same seminar, I asked our two speakers whether they thought compliance should be the job of the security staff, and the they both said no, compliance demands its own dedicated staff and the security people are too busy. Ah, well. It’s certainly not pretty, but there it is.

The protocol handling errors were discovered by security researcher Billy Rios. Mozilla released Firefox 3.0.1 and Firefox 2.0.0.16.

Rios said an attacker can pass the URI from a remote Web page to FireFox.exe.

Mozilla said URIs pose a danger by allowing an attacker to read data or place a malicious file on the victim’s hard drive.

“This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack,” Mozilla said in its advisory.

Rios also discovered a flaw in the Opera browser, which has been fixed. In both cases, Rios said the browser security teams worked quickly and took the threats seriously.

Ayelet Heyman, a Finjan security researcher said the list of sites include a large number of government and top businesses. Some of the sites compromised include San Francisco’s official website, the City of Marysville Police Department, the Department of Culture and Tourism of the State of Bahia, Brazil, the National Health Service website in the UK, and Snapple Beverage Corp. The list goes on and on. In addition, Finjan found some advertisement networks directing people to compromised sites.

Heyman said the attack is being carried out by users of the Asprox toolkit. Clearly it’s getting easier and easier for non-techies to pull off a successful attack. All they have to do is buy a toolkit to begin spreading malware. The toolkit injects JavaScript code, which ultimately infects website visitors with a Trojan.

While on the surface it doesn’t seem like a major breach, Cluley points out that a person’s date of birth is a valuable piece of information for identity thieves. Cluley says Facebook users should change their date of birth to avoid being targeted by phishers.

Cluley posted a YouTube video demonstrating the flaw.

Researcher Halvar Flake said that anyone who uses the internet should assume that the DNS gateway is already a haven for attackers.

“That is why we have SSL, that is why we have certificates, that is why SSH tells you when the host key changes,” Flake said in a post on his blog. “DNS can never be trusted - you always have to assume that your ISP’s admin runs a broken file sharing server on the same box with BIND.”

Flake is the creator of BinDiff, a command-line tool that helps researchers conduct binary differential analysis to detail the differences between two binaries. He called security researcher Dan Kaminsky’s discovery of a serious flaw in the implementation of the DNS protocol good work, but added that there have been much worse problems in recent memory.

In an announcement last week, Kaminsky called the DNS flaw a threat to every system that connects to the Internet. The flaw opens DNS servers to cache poisoning, which allows an attacker to redirect Internet traffic and potentially steal sensitive data, such as credit card numbers and personally identifiable information.

The flaw was a design issue that couldn’t be addressed by a single vendor. As a result, a number of DNS vendors issued a coordinated release of updates to address the issue.

Kaminsky addressed the skepticism of some researchers in his DoxPara Research blog. Kaminsky provided details of the flaw to security researchers Thomas Ptacek and Dino Dai Zovi. Both researchers called the DNS issue way more serious than they imagined.

“Nobody reading this can know if I was right or not, because (almost) nobody knows the bug,” Kaminsky said.

Kaminsky said he will release details of the flaw at the Black Hat 2008 conference on Aug. 7 and 8 in Las Vegas.

The Trojan is spreading quickly to users of P2P file sharing programs such as Limewire, Secure Computing said. When an infected media file is opened, the Windows Media Player is redirected to a malicious site hosting a fake codec and malware. They describe how the media files are infected in the illustration below.

A similar attack was detected in May when McAfee detected infections on more than 360,000 machines.

Ultimately, end users need to be educated to stay away from sites hosting files that need a serial key to crack protection.

In May, a P2P network was the apparent source of a breach at Walter Reed Army Medical Center that exposed the personal information of 1,000 former patients.