
Net consortium ties flaws to BIND

The Internet Software Consortium admits that the "maintenance release" of the latest version of the domain name server software is flawed and "strongly recommends" the update.

Patrick Gray
After what was described as a "maintenance release" of the latest version of BIND, the Internet Software Consortium has admitted that flaws in the earlier software version mean the update is "strongly recommended."

Confusion is rife about potential vulnerabilities in BIND (Berkeley Internet Name Domain), the most commonly used domain name server on the Internet, and experts are calling on the makers of the software to clarify the issue.

Domain name servers are used to match domain names to numerical Internet Protocol addresses, with the vast majority of these running BIND; the software essentially runs the Internet.

The Internet Software Consortium (ISC), the group responsible for maintaining the software, released a new version of BIND on Monday, with its Web site billing it as a maintenance release.

"BIND 9.2.2 is the latest release of BIND 9. It is a maintenance release, containing fixes for a number of bugs in 9.2.0, but no new features," it said. However, on Wednesday the site had been updated, saying that ISC had been made aware of vulnerabilities in BIND, adding that upgrading was "strongly recommended."

BIND 9.2.1, the previous version, is vulnerable to a remote buffer overflow bug when installed with the "libbind" nondefault option. Previous versions may also be vulnerable to problems associated with the commonly used OpenSSL library, but again this is a nondefault installation option and has more to do with the SSL library than BIND itself.
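For an operator trying to work out whether a server falls on the wrong side of the 9.2.2 line, the first step is reading the version banner (what `named -v` prints, or what the server returns for a `version.bind` CHAOS TXT query) and comparing it against the fixed release. The triage helper below is an added example, not code from ISC or from the article; the banner formats, the sample banners, and the status labels are assumptions of the example, and because the libbind build option is not visible in a banner, whether the server was built with it is passed in by the operator rather than detected.

```python
import re
from typing import Optional, Tuple

# Added example (not ISC code). Parses a BIND version banner and reports
# whether the server predates the 9.2.2 maintenance release; the libbind
# build state is supplied by the operator because a banner does not show it.

# 9.2.2 final. The trailing 1 means "not a pre-release", so that release
# candidates such as 9.2.2rc1 sort below the final 9.2.2.
FIXED = (9, 2, 2, 1)

Version = Tuple[int, int, int, int]  # (major, minor, patch, is_final)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(rc\d+|b\d+|beta\d*)?", re.IGNORECASE)


def parse_bind_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch, is_final) from a banner such as
    'BIND 9.2.1' or 'version.bind. 0 CH TXT "9.2.2rc1"'.
    Returns None when the banner hides the version (a common hardening step),
    so callers treat that case as unknown rather than as safe."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def assess(banner: str) -> str:
    """Classify a server against the 9.2.2 release:
    'unknown'     version not visible in the banner
    'not-bind-9'  outside the BIND 9 line the article covers
    'current'     9.2.2 or later
    'upgrade'     older than 9.2.2 (ISC: upgrading strongly recommended)"""
    v = parse_bind_version(banner)
    if v is None:
        return "unknown"
    if v[0] != 9:
        return "not-bind-9"
    return "current" if v >= FIXED else "upgrade"


def remote_overflow_exposed(banner: str, built_with_libbind: Optional[bool] = None) -> Optional[bool]:
    """Whether the libbind buffer overflow applies. It only affects BIND 9
    builds older than 9.2.2 that used the nondefault libbind option, so a
    pre-9.2.2 server with an unknown build state yields None (undetermined)."""
    if assess(banner) != "upgrade":
        return False
    return built_with_libbind


# Constructed sample banners for a stand-alone run; not real hosts.
SAMPLE_BANNERS = [
    ("ns1 (default build)", "BIND 9.2.1", False),
    ("ns2 (libbind build)", 'version.bind. 0 CH TXT "9.2.1"', True),
    ("ns3 (build unknown)", "BIND 9.2.2rc1", None),
    ("ns4", "BIND 9.2.2", None),
    ("ns5 (banner hidden)", 'version.bind. 0 CH TXT "surely you must be joking"', None),
]

if __name__ == "__main__":
    for label, banner, libbind in SAMPLE_BANNERS:
        print(f"{label:22} {assess(banner):11} overflow={remote_overflow_exposed(banner, libbind)}")
```

A server whose banner is obscured comes back as `unknown` on purpose: the banner is a convenience, not evidence, and the authoritative check is the package or binary actually installed on the host.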

Johannes Ulrich, chief technology officer of the SANS Institute's Internet Storm Center, believes that ISC has not given the issue the attention it deserves. Ulrich said that the software consortium should "basically do a better PR job by notifying people to the urgency of the release."

"We still don't know enough about it," he added.

Melbourne, Australia-based security consultant Adam Pointon agrees, and says that ISC should release a detailed advisory on the issue simply to clarify the situation.

"I think they should because the vendors are going to be confused as well as the normal users...no normal users will know about this problem yet," he said.

Ulrich said that the libbind vulnerability might have been indirectly known about for some time. Confusion about which code is shared between versions has led to uncertainty about which particular versions of BIND are affected.

"In hindsight it was known since the beginning. That libbind thing is the last of the shared code between (versions) 8 and 9," Pointon said.

Version 9 was more or less a complete rewrite of version 8, and it is generally regarded as being a lot more secure.

ZDNet Australia's Patrick Gray reported from Sydney.