Friday | 10 July, 2009
CSO
DNS flaw felt Down Under - here's what to do
You should consider all your online accounts as potentially being compromised, and take appropriate steps to change passwords and monitor them for suspicious activity.
Carl Jongsma (Computerworld) 31/07/2008 14:02:07

While having Web sites behave suspiciously is annoying, the potential mischief that can be achieved by completely controlling a user's web traffic is almost limitless.

With not all vendors providing updates for their DNS offerings, and with the more recent discovery of the issues that NAT connections can cause, this is going to be a problem for users long into the future. Perhaps the vendor that is causing the most concern at the moment is Apple, with reports that they are yet to provide updates for the DNS tools supplied with OS X. This means that the relatively few systems that use OS X to provide DNS caching are vulnerable to exploitation.

Microsoft were one of the first to publicly patch against this issue; indeed, it was their patch that came at the time of the co-ordinated information release by Kaminsky. Many of the different Linux, BSD, and *nix distributions have since pushed updates for the tools provided with their systems. Users and administrators of these systems have also been able to recompile their DNS tools independently of their distro's release schedule.

While it would be ideal if Apple would provide an out-of-cycle update for this issue, bringing them into line with the other major operating system platform vendors, the bigger problem is still posed by ISPs that have not updated their systems and by those administrators who have placed their caching servers behind a NATed connection. A saving grace, though a limited one, is that OS X administrators can apply the same procedures as Linux / BSD / *nix administrators: compile an updated version of BIND themselves and overwrite the Apple-provided version to obtain protection.

As the attack code being developed becomes more efficient, and hackers find more opportunities to target vulnerable and semi-vulnerable systems, it is beginning to look like a Pandora's box has been opened.
