SecurityFocus: BIND holes mean big trouble
Jan 30, 2001, 15:47
(Other stories by Kevin Poulsen)
"Serious new security holes have been found in the ubiquitous BIND name server program, the worst of which jeopardize hundreds of thousands of computers and make key elements of the Internet's infrastructure vulnerable to hack attacks, according to a Monday morning advisory from the Computer Emergency Response Team (CERT)."
"The advisory documents four vulnerabilities in BIND, including two buffer overflows that could allow attackers to remotely gain unrestricted access to machines running the program, which comes installed in a dozen different vendor flavors of Unix and Linux. 'Because the majority of name servers in operation today run BIND, these vulnerabilities present a serious threat to the Internet infrastructure,' reads the advisory."
"California security company Network Associates Inc. (NAI) discovered the buffer overflows in December, and notified the Internet Software Consortium (ISC), which maintains BIND. Upgrades that eliminate the holes are now available from some vendors, and directly from the ISC, which spent the weekend quietly urging network operators to upgrade in advance of Monday's announcement."