Well, the DNS security crisis continued today with more customers calling us in response to the CERT advisory that came out on Tuesday. Fortunately, we are now able to offer a pre-release version of code that fixes it, but our vendor is saying it won’t have a fully regression-tested version available until late July! That’s potentially 3 weeks away.
I have since found out that the guy who "discovered" the problem has been co-ordinating with many vendors over the past 6 months to get the patches ready to address this problem, and he is going public with full details of how to exploit the vulnerability on August 6th at a hacker convention in Las Vegas. This means if some of our customers want to wait until the full GA version of code is available, they will only have 1 week in which to patch their servers before full details of the problem are fully disclosed (which will enable hackers to have full access to the vulnerability and devise ways to exploit it). As most of our customers are big FTSE 100 companies, they will struggle to patch their servers that quickly due to internal change control procedures, leaving their servers exposed to a potential hack (which will be much more likely after August 6th).
Maybe I should just take the first 2 weeks of August off on holiday! 🙂