March 02, 2001, 10:36 AM — Companies rushed to upgrade DNS (Domain Name System) software after warnings were
issued in late January about a flaw in widely used DNS software. In the past weeks,
however, upgrading has come to a halt, concludes Iceland-based DNS consultancy
and software firm Men & Mice.

Reykjavik-based Men & Mice tested the DNS systems for the Web sites of
Fortune 1000 companies and random .com domains at set dates after the alerts
were released. The results were made public on the company's site. The Computer
Emergency Response Team (CERT) at Carnegie Mellon University, meanwhile, said
this week that it has begun receiving reports of BIND (Berkeley Internet Name
Domain) holes being successfully exploited.

BIND, distributed free by the Internet Software Consortium (ISC), is software
run by companies and ISPs (Internet service providers) to translate text-based
Internet addresses into numbered IP (Internet Protocol) addresses. Versions
including both 4.9.x prior to 4.9.8 and 8.2.x are not secure, according to the

The day after the CERT and Network Associates Inc.'s PGP security subsidiary
sent out the warnings, 33.3 percent of Fortune 1000 sites were using a bad version
of BIND and 40.27 percent of .coms were vulnerable. A week later, the figures
were down to 17.4 percent and 16.73 percent, respectively, Men & Mice said.

After the big drop, which Men & Mice attributed to the "extensive
media coverage" about the issue, the pace of companies updating DNS software
fell off sharply. The latest tests, run on Feb. 21, showed that 12.4 percent
of Fortune 1000 companies and 13.1 percent of dot-coms were still using insecure

Men & Mice ran a similar test for DNS software used in the national domains
of Germany (.de) and Switzerland (.ch) and the U.K.'s commercial domain (.co.uk).
Software for those domains was updated, but 15.29 percent of DNS servers in
Germany, 11.54 percent in Switzerland and 9.87 percent of the U.K.'s commercial
domain remained vulnerable as of Feb. 21.

A patch to fix the problem is available on ISC's Web site, http://www.isc.org/.