Users in a Bind

Software holes need patching

More users must upgrade their version of a key program underlying the Internet or risk damaging attacks by hackers that could affect systems far beyond their own, security experts warn.

"We believe this issue is among the most serious the Internet will face," said Shawn Hernan, team leader for vulnerability handling at Carnegie Mellon Universitys Computer Emergency Response Team (CERT), which monitors problems on the Internet.

Exposure to the problem is pervasive and the hazard of not fixing it is widely underestimated, experts said. Many users havent yet taken advantage of the available upgrade.

The program is called the Berkeley Internet Name Domain. Its open source code that links a name, such as, to a numeric Internet Protocol address on a Domain Name System server, which directs users to the right place. With a few exceptions, Web sites have such a server in front of them running BIND and directing traffic. The DNS server is typically outside the corporate firewall with minimal protection and, thus, is a frequent target for hackers. Hernan said 80 percent to 90 percent of the copies of BIND in use contain one of a dozen known vulnerabilities.

Users must not view the vulnerabilities as purely a local issue, he said. "My level of security on the network depends on yours," he noted.

But the seriousness of the situation is beneath the view of corporate managers and desktop users, who were more likely to notice last weeks attack of the Anna Kournikova virus than the fact that their DNS server went down for three minutes.

Because BIND is open source code, its functions are an open book to hackers looking for holes to exploit.

In January, anti-virus software supplier Network Associates disclosed four previously unknown BIND vulnerabilities, and CERT issued an alert Jan. 29, urging users to upgrade to the latest Version 8.2.3, which closes the holes. The new version is available from the Internet Software Consortium, which maintains BIND, at

One immediate result of the alert was that Network Associates Web site was attacked two days later by hackers "upset that the vulnerabilities had been published," said Romain Agostini, director of product management at Entercept Security Technologies, an exploit countermeasure supplier. The Network Associates site was closed down by a denial-of-service attack for 90 minutes Feb. 1.

In one sense, the malicious hackers had little to worry about. With hundreds of thousands of copies of BIND in operation, many of them would not be upgraded for weeks, months or even years, the security spokesmen said.

Many BIND users are reluctant to take their servers down to perform the upgrade, since they rely on them for around-the-clock movement of traffic to the Web site. "Many are still running a 4.x version of BIND," an old version, noted Patricia Steadman, vice president at Incognito Software, supplier of a proprietary substitute for BIND, DNS Commander 3.0.

Others dont upgrade because they "believe they have nothing an intruder would want," Hernan said. But gaining an account on the DNS server is sufficient motive, he noted. Distributed denial-of-service attacks, such as the one that brought down Microsofts DNS servers in January, are launched from DNS and other servers around the Internet taken over by malicious hackers.