FLAW FOUND IN CRITICAL INTERNET SOFTWARE

Source: Internet Week
Posted on January 30, 2001

A high-risk flaw in what may be the Internet's most important software package could disrupt the operations of every company that maintains a website, a U.S. Defense Department-funded research center said Monday.

Electronic intruders seizing on the newly-discovered vulnerability could gain control of domain name systems (DNS), which translate names that are easy to remember such as www.reuters.com into numeric addresses read by computers. Once in control of these devices, attackers could conceivably change and reroute the numeric IP addresses, according to the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

"The result of a change in mapping could be devastating: Internet traffic such as Web access, electronic mail, and file transfers could be redirected to arbitrary sites chosen by an intruder," said the center, formerly the Computer Emergency Response Team at the university's Software Engineering Institute.

Hackers could use the flaw to disable access to or from their victims, in effect cutting them off from the rest of the Internet, CERT said. Almost every site on the Internet depends on one or more name servers. CERT estimated that more than 80 percent of the name servers on the Internet were vulnerable.

CERT urged system and network administrators to upgrade immediately their versions of BIND -- the most commonly used software for DNS servers -- to a supposedly invulnerable version. BIND stands for Berkeley Internet Name Domain. Versions 4 and 8 of the package were found to contain flaws that would let a remote attacker execute "arbitrary code."

Technical information and advice on upgrading is available at http://www.cert.org/advisories/CA-2001-02.html. The Internet Software Consortium, the authors of BIND, have posted new versions of the software on their website at www.isc.org.

The vulnerability was discovered by PGP Security, a unit of Network Associates Inc., Santa Clara, Calif. "Exploitation could potentially disrupt all Internet-based communication that relies on a domain name, affecting every company that maintains a website or that utilizes e-mail as a communications tool," PGP Security said.

"If this vulnerability was exploited by an attacker, all Internet traffic relying on a vulnerable server could be brought to a halt," said Jim Magdych, manager of the Computer Vulnerability Emergency Response Team at PGP Security.

Jeffrey Lanza, an Internet security analyst at the CERT Coordination Center, said CERT was not aware of any exploitation of the newly-found vulnerabilities.

No mention was made in the advisory of problems suffered last week by Microsoft Corp., which said its Web services were disrupted by repeated "denial-of-service" attacks. Rick Devenuti, Microsoft's chief information officer, said Friday the software giant "did not apply sufficient self-defense techniques to our use of some third-party products at the front end of parts of our core network infrastructure."

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.