High-risk internet server exploit goes wild

Tom Espiner ZDNet UK | July 29, 2009 12:54 PM PDT

Summary

An active Bind 9 exploit that a hacker could use to crash internet servers is in wide circulation, according to the Internet Systems Consortium.
An exploit that a hacker could use to crash internet servers is being used in the wild.

The exploit targets a vulnerability in Bind 9, the most widely used DNS server standard, warned the Internet Systems Consortium (ISC) on Tuesday. ISC is the organization that supports Bind.

The hole in Bind 9 has no workaround. Administrators must upgrade to Bind versions 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1 to mitigate the threat. The exploit, which a hacker could use to launch an attack against unpatched master servers, is easily available, warned ISC.
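The upgrade rule above can be checked mechanically against a version string such as the one `named -v` prints. This is an added example, not code from the article or from ISC; the function name and the handling of alpha/beta/rc suffixes are assumptions, as is the rule that any later release on the same branch carries the fix.

```python
import re

# Fixed releases named in the article, keyed by branch (major, minor).
# Value is (patch number, -P level) of the first fixed release on that branch.
FIXED = {(9, 4): (3, 3), (9, 5): (1, 3), (9, 6): (1, 1)}

# Matches e.g. "9.4.3-P3", "9.6.1rc1", "BIND 9.5.1-P2".
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)((?:a|b|rc)\d+)?(?:-P(\d+))?")


def upgrade_status(version_text):
    """Return 'ok', 'upgrade' or 'unknown' for a BIND version string.

    'unknown' means the string could not be parsed or the article names no
    fixed release for that branch. The flaw only matters on servers that are
    master for at least one zone, which this check cannot see.
    """
    m = _VERSION.search(version_text)
    if not m:
        return "unknown"
    branch = (int(m[1]), int(m[2]))
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"
    # Assumption: alpha/beta/rc builds sort below the final release with the
    # same number, and -P levels sort above it.
    is_final = 0 if m[4] else 1
    have = (int(m[3]), is_final, int(m[5] or 0))
    need = (fixed[0], 1, fixed[1])
    return "ok" if have >= need else "upgrade"


if __name__ == "__main__":
    # Constructed sample version strings, not output from real hosts.
    for sample in ["BIND 9.4.3-P2", "BIND 9.5.1-P3", "9.6.1", "9.6.1rc1", "9.3.6-P1"]:
        print(f"{sample:16} {upgrade_status(sample)}")
```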

"An active remote exploit is in wide circulation at this time," said ISC in an advisory.

The Berkeley Internet Name Domain (Bind) is the most widely used DNS server standard. Bind 9 was coded to overcome security issues associated with Bind, and supports DNS Security Extensions (DNSSEC), or encrypted DNS.

The Bind 9 dynamic update DoS vulnerability affects master servers for one or more zones. Receipt of a specially crafted dynamic update message may cause Bind 9 master servers to crash, said ISC.

This article was originally posted on ZDNet UK.

Talkback (most recent of 9)

  • When will we learn to stop using Windows?
    Please, for the love of everything holy, STOP USING WINDOWS!!

    Oh, this doesn't target Windows?

    Um. Never mind then. Um. This isn't a big deal because...

    Um.

    *blush*
    NonZealot
    29th Jul 2009
  • I place the blame squarely on linux
    Since every copy of linux installs BIND by default this exploit is the work of the very shoddy linux developers. This is just one more reason not to trust linux or even install it, because somewhere between having BIND and telnet installed by default it's just inherently insecure and there is nothing you can do about it. Please make the switch away from linux now if you value your data and the internet. Meanwhile I'll be sitting here laughing as the linux fanboys are lighting up gcc and downloading code and spending hours recompiling and reconfiguring while my computer "just works."
    Loverock Davidson
    29th Jul 2009
  • Yay, the Help Desk guy speaks!
    So, how long have you been in Help Desk anyways? What is a good time span (career wise) to spend in an entry level position (like help desk)?
    B.O.F.H.
    29th Jul 2009
  • You tell me
    We would all like to know.
    Loverock Davidson
    29th Jul 2009
  • bind isn't installed by default
    There are several different dns servers available for Linux such as djbdns, mydns, pdns, mdns, dnsjava, dnsmasq, maradns, nsd, unbound. Many of these have an optional database backend and optional webserver frontend. dnsmasq combines a dhcpd and dnsd. Haven't seen the bind daemon get installed by default ever.
    robertjtownley@...
    29th Jul 2009
  • wow, if everyone...
    was as stupid and ignorant as you, we would have no world left. try looking at windows instead. how many security holes are there?? i will bet you that there will be over 500 new vulnerabilities found in vista/7/xp by the end of this year. you very rarely see any security concerns in linux. and you are also very stupid, because most servers will just do an update from the main package repository that the server is based on. and, as someone else mentioned, BIND and/or BIND 9 are NOT installed by default unless it says it is. stop trying to put down something that you clearly know absolutely NOTHING about! it is people like you that cause mac newbies to purge their drives. it is people like you that makes me want to kill something because you never seem to get the fact that visiting porn sites will give you viruses or that it is a bad idea not to have a firewall. or how about those that seem to think that you don't need antivirus and antispyware? people like you should never be tech professionals. go learn something, think about what you wrote, and then come back and correct your post.
    crabbypup
    2nd Aug 2009
  • smart people doing smart things
    This boils down to how vigilant and competent your IT people are. It doesn't matter whether it's on Linux or Windows. Remember Conficker?

    BIND is hardly installed on just any Linux system. If they are smart to install and configure BIND, trust me they are smart enough to upgrade it. BTW, you do not need to recompile BIND

    just like if you are smart enough to install Windows server then you must be smart enough to patch it up to date.

    Please we do not need extremist here

    ThinkFairer
    29th Jul 2009
  • RE: High-risk internet server exploit goes wild
    There have been a large number of vulnerabilities ranging in distribution and seriousness over the years (we after all are only just recovering from Kaminsky 1). It is crucial that we all take patching of this infrastructure extremely seriously as ultimately name resolution can be the keys to the kingdom (given that most applications or users tend to perform insufficient application/transport level validation). If an attacker controls your DNS, they can do some very scary things with your web presence or internal environment. After all, redirecting banking sites to a web server with a non matching SSL certificate unfortunately will not raise alarms for most users - they will just click ignore!

    So, ensure you appropriately secure DNS; there have been serious vulnerabilities against Windows, Linux and UNIX alike. Keep it patched and isolated running with minimal privileges. Ideally run a baseline system against the zone files to monitor for unsolicited changes.

    James Lyne, Senior Technologist, Sophos
    http://www.sophos.com
    jameslynesophos
    30th Jul 2009
  • RE: High-risk internet server exploit goes wild
    I think by now we should all know that there is no such thing as a "set and forget" computer, server or router. Those who thought such a thing existed are pounding the pavement and/or complaining about the president, "the man" or anyone else they can think of to blame instead of themselves.
    bob@...
    31st Jul 2009