All three flaws could lead to denial-of-service attacks on the majority of domain name system (DNS) servers, which act as the address books for the Internet, said Internet Security Systems, which discovered the vulnerabilities. One flaw could allow an attacker to run programs on a vulnerable computer. Given the Internet attack leveled at the DNS root servers three weeks ago, new attacks could be around the corner, ISS warned.
"A worm could be developed using this thing," said Dan Ingevaldson, leader for ISS's vulnerability research and development group. "We feel this vulnerability is in the same class as" the flaw that led to Code Red.
The flaws occur in the popular Berkeley Internet Name Domain (BIND) software. Administrators of servers running versions of the software up to and including 4.9.10-REL and 8.3.3-REL will have to patch them. While BIND 9 is the latest version of the software, many administrators still use BIND 8 and many older systems continue to run BIND 4.
ISS's Ingevaldson said that tens of thousands to hundreds of thousands of servers connected to the Internet are running some version of BIND.
While the attack on the root servers in October didn't exploit any particular flaw, the FBI and System Audit Network Security Institute have said that unpatched software flaws in BIND software were among the top 10 vulnerabilities on the Internet for Unix-like operating systems.
The Internet Software Consortium, which manages the open-source BIND software, recommends that administrators upgrade their servers to BIND 9.2.1.