BIND Flaws Reignite Security Debate
A skirmish over the release of patches for three serious flaws found in the BIND server software incites vulnerability reporting debate.

An apparent delay in the availability of patches for the vulnerabilities in BIND that were disclosed earlier this week is once again highlighting the seemingly endless debate over when and to whom vulnerability data should be released. Internet Security Systems Inc.'s X-Force research team on Tuesday released an advisory warning of three newly discovered vulnerabilities in BIND (Berkeley Internet Name Domain) versions 4 and 8. One of the flaws allows a remote attacker to take over a vulnerable server and run any code of choice. ISS officials said that they did not believe that the vulnerabilities were known in the computer underground or were being actively exploited by crackers. The advisory also said that patches for the problems were ready and provided an e-mail address at the Internet Software Consortium where users could request the patches.
However, according to messages from BIND users posted on a security mailing list, the patches at the time of the advisory apparently were only available to organizations that had paid the ISC a fee to receive early warning of problems with BIND. The ISC, which maintains BIND, established a limited distribution, early-notification mailing list last year when word of another batch of vulnerabilities leaked before patches were available.