CERT warns: BIND may leave Web sites vulnerable

Security analysts are bracing themselves for what potentially could be a devastating series of denial-of-service attacks in the coming weeks if systems administrators throughout the U.S. fail to apply patches that are designed to close four new security gaps discovered in the software that allows most companies to connect to the Internet.

The CERT Coordination Center at Carnegie Mellon University and Network Associates Inc.'s PGP Security subsidiary Monday morning released simultaneous warnings about vulnerabilities in multiple versions of the Internet Software Consortium's Berkeley Internet Name Domain (BIND) server software. BIND is software that allows Web servers run by companies and Internet service providers to translate text-based Internet addresses into numbered IP addresses that can be read and understood by computers.

In a notice posted on its Web site, the Internet Software Consortium (ISC) "strongly recommended" that users upgrade to Version 9.1 of BIND, the latest release of the software, in order to plug the security holes. That version isn't affected by the newly disclosed vulnerabilities. If installing 9.1 isn't possible, the Redwood City, Calif.-based organization added, upgrading to at least BIND 8.2.3 is "imperative."

CERT, PGP Security and ISC officials are most concerned about a new vulnerability in the Transaction Signatures (TSig) feature of BIND that could enable malicious hackers to take control of Web servers and either redirect or block Internet requests that are sent to them. The organizations are also warning that hackers could take over targeted machines and implant malicious code for use in distributed denial-of-service attacks such as the ones that were launched against Microsoft Corp. last week and against eBay Inc., Buy.com Inc., Amazon.com Inc. and other widely used e-commerce sites last February.

ISC rated the severity of the TSig vulnerability as "critical" in the notice on its Web site. And CERT has already contacted the Federal Computer Incident Response Capability to alert federal government agencies to the security hole, said Jeff Carpenter, manager of the Pittsburgh-based CERT Coordination Center.

"This is absolutely a huge vulnerability," said Amit Yoran, former director of the Vulnerability Assessment and Assistance Program for the U.S. Department of Defense's Computer Emergency Response Team. "This has the potential to be catastrophic to many organizations. It's a vulnerability against a piece of software that is required by every company in order to have an Internet presence today."

Yoran is now CEO at Riptech, Inc., a network security monitoring firm in Alexandria, Va. Whenever a BIND-related vulnerability is uncovered, he said, attacks against that protocol increase by 30 to 40 times the norm. Would-be attackers are likely hard at work developing automated tools that could be used to exploit the TSig hole, he added.

The latest warning is the 12th advisory published on BIND vulnerabilities by CERT since 1997. However, Carpenter said not all systems and network administrators have heeded its earlier advice to patch security holes or upgrade to newer versions of the software. That's raising concerns that many companies remain at risk for the new vulnerabilities, especially the TSig one, he added.

"Absent getting the word out, we would have a much worse situation this time than we had [during last February's denial-of-service attacks]," Carpenter said. To illustrate its view of the severity of the situation, he noted, CERT is taking an unusual step and issuing a press release "to alert organizations to take action to prevent potentially devastating compromises."

"This is a very serious problem [and] a very widespread problem," said Jim Magdych, security research manager at PGP Security's Computer Vulnerability Emergency Response Team Labs unit, which discovered and analyzed the new vulnerabilities.

"If everyone applies the patches in the next day or so, they [will] have averted potential catastrophe," Magdych said. "This really needs to be a concerted effort."
