Nominum Ignorant of Own Security History

Oh dear, so Nominum crop up on ZDNet decrying “freeware” (by which they probably mean open source) as bad and closed source as being good by saying:

Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure.

Because, of course, that security through obscurity approach works so well for people like Microsoft (have you patched the SMB2 remote admin attack on your Windows boxes yet?). They go on to justify this by saying that you should look at all the security patches that get applied to BIND et al. and contrast that with their own software.

Nominum has not had a single known vulnerability in its software.

Which would be almost impressive, if it were actually true, which it isn’t. That quote is from 22nd September 2009, but over a year earlier they had to release a security patch for their software (PDF document), because:

Cache poisoning allows an attacker to selectively control destination web sites for users accessing a compromised DNS. For example, if a cache entry for Google is poisoned, a user typing in www.google.com would not get the Google website but rather a site controlled by the attacker.
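To make concrete what a resolver has to get right to stop that kind of poisoning, here is a small toy cache written for this post; it is an added illustration, not code from the original post, from Nominum, or from any real resolver. It assumes a simplified message shape (transaction ID, destination port, question name, answer and additional sections) and uses constructed names and RFC 5737 documentation addresses. A reply is only accepted if it matches an outstanding query on ID, port and question, and even a matching reply can only populate the cache with records inside the zone that was asked about (the "bailiwick" rule), so a forged record for www.google.com riding along in an answer for another domain is dropped.

```python
"""Toy DNS cache showing the checks a resolver applies before caching a reply.

Constructed example for illustration: the message format, names and
addresses are assumptions, not any real resolver's code or wire format.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Reply:
    txid: int        # 16-bit transaction ID echoed from the query
    dst_port: int    # UDP port the reply is addressed to
    qname: str       # question name echoed from the query
    answers: dict    # name -> address, answer section
    additional: dict = field(default_factory=dict)  # glue / extra records


class ToyResolver:
    """Caches only replies that match an outstanding query on every field."""

    def __init__(self, randomize_ports: bool = True):
        # With a fixed source port only the 16-bit ID has to be matched;
        # a random port per query adds a second value a forger must guess.
        self.randomize_ports = randomize_ports
        self.pending = {}   # (txid, port) -> qname of the outstanding query
        self.cache = {}     # name -> address

    def send_query(self, qname: str):
        """Record an outstanding query and return the values a reply must echo."""
        txid = secrets.randbelow(1 << 16)
        port = secrets.randbelow(64512) + 1024 if self.randomize_ports else 53
        self.pending[(txid, port)] = qname
        return txid, port

    @staticmethod
    def in_bailiwick(name: str, qname: str) -> bool:
        """Only records under the queried zone may enter the cache (assumed
        two-label zone cut, e.g. example.com for www.example.com)."""
        zone = ".".join(qname.split(".")[-2:])
        return name == zone or name.endswith("." + zone)

    def receive(self, reply: Reply) -> bool:
        """Return True if the reply was accepted; cache only in-zone records."""
        key = (reply.txid, reply.dst_port)
        if self.pending.get(key) != reply.qname:
            return False   # wrong ID, port or question: not ours, drop it
        del self.pending[key]
        for section in (reply.answers, reply.additional):
            for name, addr in section.items():
                if self.in_bailiwick(name, reply.qname):
                    self.cache[name] = addr
        return True


def demo():
    """Run one query against a forged reply and a matching reply."""
    r = ToyResolver()
    txid, port = r.send_query("www.example.com")

    # Constructed forged reply: ID guessed wrongly, carries a bogus Google record.
    forged = Reply(txid=(txid + 1) % 65536, dst_port=port, qname="www.example.com",
                   answers={"www.example.com": "198.51.100.9"},
                   additional={"www.google.com": "198.51.100.9"})
    forged_accepted = r.receive(forged)

    # Constructed matching reply that also tries to smuggle an out-of-zone
    # record: the reply is accepted, the Google record is not cached.
    matching = Reply(txid=txid, dst_port=port, qname="www.example.com",
                     answers={"www.example.com": "192.0.2.10"},
                     additional={"www.google.com": "198.51.100.9"})
    matching_accepted = r.receive(matching)

    return forged_accepted, matching_accepted, dict(r.cache)


if __name__ == "__main__":
    print(demo())
```

The two checks are independent: the ID/port match keeps unsolicited replies out, and the bailiwick rule limits what even a correctly matched reply can write into the cache, which is exactly the record-for-another-site scenario the advisory describes.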

In fact it wasn’t just one piece of software they wrote that had a bug, it was two:

This vulnerability affects all customers using versions of CNS and Vantio released before June 4th, 2008 regardless of what features are being used.

So perhaps people in (smoked) glass houses shouldn’t try and throw stones…