The Internet remains vulnerable to exploits of a critical security flaw in the Domain Name System, a Russian programmer demonstrated last week. Writing on his blog on Friday, Evgeniy Polyakov posted that he had succeeded in getting patched DNS software to return an incorrect location in less than 10 hours.

Researchers who spearheaded an international push to get internet service providers and other large organizations to patch the flaw said they weren't terribly concerned about the exploit code. That's because Polyakov's attack took 10 hours to carry out using two machines connected directly to the targeted DNS server via a gigabit ethernet link.

"That's a little different then spending 10 seconds over the internet," to carry out an attack, said Dan Kaminsky, the researcher who first warned of the DNS cache poisoning vulnerability.

The original attack works by flooding a DNS server with thousands of requests for domains with slightly different variations, 1.google.com, 2.google.com, 3.google.com and so forth. That allows attackers to gain a secret transaction number needed to trick other computers into updating their records with IP addresses that lead to rogue websites.

So a word to the big players of world: You dodged a bullet in surviving the Kaminsky bug without issue, but next time you may not be as lucky.
Creating a real fix won't be easy, but it's essential.