Security researcher Dan Kaminsky recently discovered a serious design flaw in DNS. That flaw, according to US-CERT, involves a new implementation of DNS poisoning, a trick that allows a hacker to redirect unwitting surfers to alternate addresses (that's not good news for the technically daft and easily swindled). Kaminsky's discovery was significant enough to get thirty-some vendors to release a simultaneous general patch earlier this month, though Kaminsky had stayed vague enough about the nature of the flaw to prevent exploits from being developed.

He had also asked security analysts not to publicly speculate on the nature of the flaw. That's a steep request in a sector packed with highly intelligent, curious, and frequently egocentric researchers. On Monday of this week, one security expert managed to accurately guess the precise DNS flaw mechanics. This quickly resulted in the development of two working exploits. The Register offers one of several layman breakdowns:Anyone who then uses that vulnerable DNS server is going to see the wrong DNS server record for the poisoned domain. According to several researchers, a significant number of large ISPs (including AT&T, Comcast (see update) and Verizon) and an an even greater number of large organizations have yet to fully patch their systems. Kaminsky's website offers a tool that allows users to test whether their ISP and network is vulnerable (another test is here).