Security analysts warn of serious internet security holes

Security analysts are bracing themselves for what potentially could be a devastating series of denial-of-service attacks in the coming weeks.

          Security analysts are bracing themselves for a potentially lethal series of denial-of-service attacks in the coming weeks. Systems administrators around the world are being warned that four new security gaps discovered in the software that allows most companies to connect to the internet.

          The CERT Coordination Center at Carnegie Mellon University and Network Associates Inc.'s PGP Security subsidiary have simultaneously released warnings about vulnerabilities in multiple versions of the Internet Software Consortium's Berkeley Internet Name Domain (BIND) server software.

          BIND is software that allows web servers run by companies and internet service providers to translate text-based internet addresses into numbered IP addresses that can be read and understood by computers.

          In a notice posted on its web site, the Internet Software Consortium (ISC) "strongly recommended" that users upgrade to Version 9.1 of BIND, the latest release of the software, in order to plug the security holes. That version isn't vulnerable to the vulnerabilities. If installing 9.1 isn't possible, the Redwood City, Calif.-based organization added, upgrading to at least BIND 8.2.3 is "imperative."

          CERT, PGP Security and ISC officials are most concerned about a new vulnerability in the Transaction Signatures (TSig) feature of BIND that could enable malicious hackers to take control of web servers and either redirect or block internet requests that are sent to them. The organizations are also warning that hackers could take over targeted machines and implant malicious code for use in distributed denial-of-service attacks such as the ones that were launched against Microsoft Corp. last week and against eBay Inc., Inc., Inc. and other widely used e-commerce sites last February.

          ISC rated the severity of the TSig vulnerability as "critical" in the notice on its web site.

          The latest warning is the 12th advisory published on BIND vulnerabilities by CERT since 1997.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Amazon.comAmazon Web ServicesBuy.comCarnegie Mellon University AustraliaCERT AustraliaeBayInc.Internet Software ConsortiumMellonMicrosoftPGPPGP Security

Show Comments