'Most common' web software open to hack attack
Eighty per cent of web servers could be exposed to hacker attacks after security experts discovered a series of vulnerabilities in internet domain name software.
The problem, discovered by researchers at Network Associates' Covert labs in the US, could provide an easy route for malicious hackers to control website traffic, publish false information, spread viruses or launch denial of service (DoS) attacks.
The flaw was found in two of the most commonly used versions of Berkeley Internet Name Software, BIND 4 and BIND 8, which are used to run the majority of the world's internet domain name servers.
It is that prevalence which is causing concern. According to Tom Watson, internet security consultant at Defcom, the vulnerabilities could cause a huge problem. "This software is very widespread," he said, "and it sounds like it's very easy to exploit."
Network Associates and the CERT Coordination Centre at Carnegie Mellon University kept the vulnerability under wraps until a patch could be developed and made widely available.
"As a matter of routine, users should upgrade and patch all their software," said Watson. "But something like BIND software is very easy to overlook, it's tucked away." According to Watson, users still don't have the right mindset. "It's not until someone attacks part of your system that you realise it's there," he said.
Petur Petursson, CEO of DNS software and consultancy firm Mice & Men, said this isn't the first time vulnerabilities have been discovered in BIND. "There is a really big need for security in DNS," he claimed.
Although standards groups are working on a secure DNS protocol, it will be another 12 months before it is complete. "In the meantime users need to be aware that there is no authentication - it's not secure," Petursson warned.
The news follows high-profile attacks on Microsoft's DNS servers last week, after it was discovered the software giant had a potentially weak system design.
A survey by Mice & Men revealed a quarter of Fortune 1000 firms have the same badly configured DNS software, leaving flaws and weaknesses for hackers to exploit. The consultancy claims the problem is even worse in new economy companies, with insecure DNS systems at over a third of 5,000 dot-coms tested.
The BIND flaws were found in lab conditions and so far there is no evidence they have been exploited in the wild.
You can find the BIND patch at:
http://www.isc.org