January 30, 2001, 8:25 AM — Security analysts are bracing themselves for what potentially could be a devastating series of denial-of-service attacks in the coming weeks if systems administrators throughout the U.S. fail to apply patches that are designed to close four new security gaps discovered in the software that allows most companies to connect to the Internet.
The CERT Coordination Center at Carnegie Mellon University and Network Associates Inc.'s PGP Security subsidiary Monday morning released simultaneous warnings about vulnerabilities in multiple versions of the Internet Software Consortium's Berkeley Internet Name Domain (BIND) server software. BIND is software that allows Web servers run by companies and Internet service providers to translate text-based Internet addresses into numbered IP addresses that can be read and understood by computers.
In a notice posted on its Web site, the Internet Software Consortium (ISC) "strongly recommended" that users upgrade to Version 9.1 of BIND, the latest release of the software, in order to plug the security holes. That version isn't vulnerable to the vulnerabilities. If installing 9.1 isn't possible, the Redwood City, Calif.-based organization added, upgrading to at least BIND 8.2.3 is "imperative."
CERT, PGP Security and ISC officials are most concerned about a new vulnerability in the Transaction Signatures (TSig) feature of BIND that could enable malicious hackers to take control of Web servers and either redirect or block Internet requests that are sent to them. The organizations are also warning that hackers could take over targeted machines and implant malicious code for use in distributed denial-of-service attacks such as the ones that were launched against Microsoft Corp. last week and against eBay Inc., Buy.com Inc., Amazon.com Inc. and other widely used e-commerce sites last February.
ISC rated the severity of the TSig vulnerability as "critical" in the notice on its Web site. And CERT has already contacted the Federal Computer Incident Response Capability to alert federal government agencies to the security hole, said Jeff Carpenter, manager of the Pittsburgh-based CERT Coordination Center.
"This is absolutely a huge vulnerability," said Amit Yoran, former director of the Vulnerability Assessment and Assistance Program for the U.S. Department of Defense's Computer Emergency Response Team. "This has the potential to be catastrophic to many organizations. It's a vulnerability against a piece of software that is required by every company in order to have an Internet presence today."