[ISN] BIND Flaws Reignite Security Debate

From: InfoSec News (isnat_private)
Date: Mon Nov 18 2002 - 05:27:13 PST


    http://www.eweek.com/article2/0,3959,708890,00.asp
    
    By Dennis Fisher
    November 15, 2002 
    
    An apparent delay in the availability of patches for the
    vulnerabilities in BIND that were disclosed earlier this week is once
    again highlighting the seemingly endless debate over when and to whom
    vulnerability data should be released.
    
    Internet Security Systems Inc.'s X-Force research team on Tuesday
    released an advisory warning of three newly discovered vulnerabilities
    in BIND (Berkeley Internet Name Domain) versions 4 and 8. One of the
    flaws allows a remote attacker to take over a vulnerable server and
    run arbitrary code of the attacker's choosing.
    
    ISS officials said that they did not believe that the vulnerabilities
    were known in the computer underground or were being actively
    exploited by crackers. The advisory also said that patches for the
    problems were ready and provided an e-mail address at the Internet
    Software Consortium where users could request the patches.
    
    However, according to messages from BIND users posted on a security
    mailing list, the patches at the time of the advisory apparently were
    only available to organizations that had paid the ISC a fee to receive
    early warning of problems with BIND. The ISC, which maintains BIND,
    established a limited distribution, early-notification mailing list
    last year when word of another batch of vulnerabilities leaked before
    patches were available.
    
    BIND runs on the vast majority of the Internet's DNS servers, a key
    part of the global network's infrastructure.
    
    The list was meant to give vendors some lead time to fix their
    software before an announcement went out to the general public.  
    However, in this case, the advisory hit the Internet at least 24 hours
    before the patches were available to most BIND users.
    
    That window between the public disclosure of a vulnerability and the
    release of its patch is at the heart of the full-disclosure debate
    about how much information to release and who should have access to it.
    
    Michael Brennen, president of FishNet Inc., a Plano, Texas, domain
    registrar, wrote in a message to BugTraq that he emailed the ISC and
    asked to be sent the patches. He received a response about eight hours
    later saying that he had been added to the patch announcement list.  
    Brennen also asked why the patches had not been made available at the
    time of the advisory.
    
    The ISC told him that they wanted to make sure that the right audience
    had the patches first.
    
    "My response to [the ISC] was that the right audience should change in
    relation to the announcement. As of the moment of the announcement,
    the right audience should be expanded to include all those placed at
    risk because they use the software," Brennen wrote. "Failure to make
    the patches available suddenly puts many systems at rapidly increasing
    risk."
    
    ISS security officials said they coordinated their release with the
    ISC.
    
    "Our understanding was that the patches were available to everyone"  
    when the advisory was published, said Dan Ingevaldson, team lead for
    ISS' X-Force, based in Atlanta. "We notified them of the
    vulnerabilities on Oct. 25. They knew when we were releasing it."
    
    ISC officials said the patches were posted to the organization's site
    at about 7 p.m. EST Wednesday.
    
    "Prior to this, as early as Monday the patches were available for the
    asking to anyone who wasn't obviously going to reverse engineer them
    for malicious purposes or distribute them without our permission,"  
    said Lynda McGinley, program director of the ISC. "Unfortunately, we
    weren't able to keep the patches from leaking out. Members of the BIND
    Forum's early security notification announcements received the patches
    over the weekend."
    
    One post to the BugTraq mailing list said the patches were posted to
    the ISC FTP server late Wednesday night. However, the time stamp on
    the patches indicates they were produced on Oct. 30, leaving open the
    question of why they weren't available when the advisory went out
    Nov. 12.
    
    In an e-mail interview, Brennen said he chose not to pay the fee to
    join the early announcement list and is now preparing to remove BIND
    from his environment.
    
    "Ultimately each of us has to take the final responsibility for the
    software we choose to use. There is a price to pay for all such
    choices, whether in money, or time, or development," Brennen said. "No
    doubt some will choose to pay the ISC fees for early notification. I
    choose not to be held hostage. I will do what it takes to replace BIND
    in my systems."
    
    (Editor's Note: This story has been updated since its original posting
    to include comments from the ISC's Lynda McGinley.)
    