Page Two

By Dennis Fisher  |  Posted 2003-03-03

Officials at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh were also informed of the issue, and they sent early notifications to the affected Linux and BSD developers. By late the next week, it had become clear that not all of the smaller vendors would be able to produce their patches in time for the release of the advisory the following week, Paller said. But officials worried that delaying the release might give crackers a head start if any of them had caught wind of the flaw. However, researchers at ISS reported that none of their sensors had picked up any active exploitation of this vulnerability, nor had there been any chatter about it on the cracker discussion groups. Eventually, the group decided to delay the advisory's release until March 3. In the interim, the available patches were given to the Department of Defense and deployed on vulnerable military servers.
Late last week, other government and military groups in the United States and abroad were given advance notice of the vulnerability to prepare them for the patches' release the following Monday. The group also informed the CIOs of all of the Cabinet-level departments and the heads of the Information Sharing and Analysis Centers.
Experts estimate that Sendmail handles upward of 50 percent of the mail traffic on the Internet, and it is distributed in various forms by numerous vendors. IBM, Apple Computer Inc., Hewlett-Packard Co. and Sun Microsystems Inc. all distribute Sendmail with some of their products, but not all of them are affected by this vulnerability. All of the affected vendors have been notified of the issue. The Sendmail Consortium, which maintains the open-source version of the server, has released an updated version, 8.12.8, which fixes this vulnerability. Sendmail Inc., which sells a commercial version, has released a patch for its product, available on the company's Web site.
(Editor's Note: This story was updated since its original posting to include the government's role in patching the flaw.)
For more information on patches for the flaw, check out:
Serious Vulnerability In Sendmail (Security Supersite)