Critical Internet software found vulnerablegreenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread
Fair use for educational/research purposes only
Posted at 10:10 a.m. PST Monday, Jan. 29, 2001
Critical Internet software found vulnerable
WASHINGTON (Reuters) - A high-risk flaw in what may be the Internet's most important software package could disrupt the operations of every company that maintains a Web site, a U.S. Defense Department-funded research center said Monday.
Electronic intruders seizing on the newly discovered vulnerability could gain control of domain name servers (DNS), which translate names that are easy to remember such as www.reuters.com into numeric addresses read by computers.
Once in control of these devices, attackers could conceivably change and reroute the numeric ``Internet Protocol'' addresses, said the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, Pennsylvania.
``The result of a change in mapping could be devastating: Internet traffic such as Web access, electronic mail, and file transfers could be redirected to arbitrary sites chosen by an intruder,'' said the CERT Coordination Center, formerly the Computer Emergency Response Team at the university's Software Engineering Institute.
Hackers could use the flaw to disable access to or from their victims, in effect cutting them off from the rest of the Internet, CERT said.
Virtually every site on the Internet depends on one or more name servers. CERT estimated that more than 80 percent of the name servers on the Internet were vulnerable.
It urged system and network administrators to upgrade immediately their versions of BIND -- the most commonly used software for DNS servers -- to a supposedly invulnerable version.
BIND stands for Berkeley Internet Name Domain. Versions 4 and 8 of the package were found to contain flaws that would let a remote attacker execute ``arbitrary code.''
The vulnerability was discovered by PGP Security, a unit of Santa Clara, California-based Network Associates Inc.
``Exploitation of these vulnerabilities could potentially disrupt all Internet-based communication that relies on a domain name, affecting every company that maintains a Web site or that utilizes e-mail as a communications tool,'' PGP Security said.
Technical information and advice on upgrading is available at http://www.cert.org/advisories/CA-2001-02.html. The Internet Software Consortium, the authors of BIND, have posted new versions of the software on their Web site at www.isc.org.
``If this vulnerability was exploited by an attacker, all Internet traffic relying on a vulnerable server could be brought to a halt,'' said Jim Magdych, manager of the Computer Vulnerability Emergency Response Team at PGP Security.
Jeffrey Lanza, an Internet security analyst at the CERT Coordination Center, said CERT was not aware of any exploitation of the newly found vulnerabilities.
No mention was made in the advisory of problems suffered last week by Microsoft Corp., which said its Web services were disrupted by repeated ``denial-of-service'' attacks.
Rick Devenuti, Microsoft's chief information officer, said Friday the software giant ``did not apply sufficient self-defense techniques to our use of some third-party products at the front end of parts of our core network infrastructure.''
-- Martin Thompson (firstname.lastname@example.org), January 29, 2001
Thanks, Martin. I wonder if this is what happened to my ISP last week.
-- Rachel Gibson (email@example.com), January 29, 2001.