An apparent delay in the availability of patches for the vulnerabilities in BIND that were disclosed earlier this week is once again highlighting the seemingly endless debate over when and to whom vulnerability data should be released.
Internet Security Systems Inc.'s X-Force research team on Tuesday released an advisory warning of three newly discovered vulnerabilities in BIND (Berkeley Internet Name Domain) versions 4 and 8. One of the flaws allows a remote attacker to take over a vulnerable server and run any code of the attacker's choice.
ISS officials said that they did not believe that the vulnerabilities were known in the computer underground or were being actively exploited by crackers. The advisory also said that patches for the problems were ready and provided an e-mail address at the Internet Software Consortium where users could request the patches.
However, according to messages from BIND users posted on a security mailing list, the patches at the time of the advisory apparently were only available to organizations that had paid the ISC a fee to receive early warning of problems with BIND. The ISC, which maintains BIND, established a limited distribution, early-notification mailing list last year when word of another batch of vulnerabilities leaked before patches were available.
BIND runs on the vast majority of the Internet's DNS servers, a key part of the global network's infrastructure.
The list was meant to give vendors some lead time to fix their software before an announcement went out to the general public. However, in this case, the advisory hit the Internet at least 24 hours before the patches were available to most BIND users.
That window of time between when a vulnerability is publicly disclosed and when the patch is released is at the heart of the full-disclosure debate about how much information to release and who should have access to it.