Companies rushed to upgrade DNS (Domain Name System) software after warnings were issued in late January about a flaw in widely used DNS software. In the past weeks, however, upgrading has come to a halt, concludes Iceland-based DNS consultancy and software firm Men & Mice.
Reykjavik-based Men & Mice tested the DNS systems for the Web sites of Fortune 1000 companies and random .com domains at set dates after the alerts were released. The results were made public on the company's site. The Computer Emergency Response Team (CERT) at Carnegie Mellon University, meanwhile, said this week that it has begun receiving reports of BIND (Berkeley Internet Name Domain) holes being successfully exploited.
BIND, distributed free by the Internet Software Consortium (ISC), is software run by companies and ISPs (Internet service providers) to translate text-based Internet addresses into numbered IP (Internet Protocol) addresses. Versions including both 4.9.x prior to 4.9.8 and 8.2.x are not secure, according to the CERT.
The day after the CERT and Network Associates Inc.'s PGP security subsidiary sent out the warnings, 33.3 percent of Fortune 1000 sites were using a bad version of BIND and 40.27 percent of .coms were vulnerable. A week later, the figures were down to 17.4 percent and 16.73 percent, respectively, Men & Mice said.
After the big drop, which Men & Mice attributed to the "extensive media coverage" about the issue, the pace of companies updating DNS software fell off sharply. The latest tests, run on Feb. 21, showed that 12.4 percent of Fortune 1000 companies and 13.1 percent of dot-coms were still using insecure DNS software.
Men & Mice ran a similar test for DNS software used in the national domains of Germany (.de) and Switzerland (.ch) and the U.K.'s commercial domain (.co.uk). Software for those domains was updated, but 15.29 percent of DNS servers in Germany, 11.54 percent in Switzerland and 9.87 percent of the U.K.'s commercial domain remained vulnerable as of Feb. 21.
A patch to fix the problem is available on ISC's Web site, http://www.isc.org/.