ISC confirms BIND vulnerabilities

Following what was described as a 'maintenance release' of the latest version of BIND, the Internet Software Consortium has admitted that flaws in the earlier software mean the update is 'strongly recommended'

Confusion is rife about potential vulnerabilities in BIND, the most commonly used domain name server on the Internet, and experts are calling on the makers of the software to clarify the issue.

Domain name servers are used to match domain names to numerical IP addresses, with the vast majority of these running BIND; the software essentially runs the Internet.

The Internet Software Consortium (ISC), the group responsible for maintaining the software, released a new version of BIND on Monday, with their Web site billing it as a maintenance release.

"BIND 9.2.2 is the latest release of BIND 9. It is a maintenance release, containing fixes for a number of bugs in 9.2.0 but no new features," it said. However, on Wednesday the site had been updated, saying that ISC had been made aware of vulnerabilities in BIND, and saying that upgrading was "strongly recommended".

BIND 9.2.1, the previous version, is vulnerable to a remote buffer overflow bug when installed with the "libbind" non-default option. Previous versions may also be vulnerable to problems associated with the commonly used OpenSSL library, but again this is a non-default installation option and has more to do with the SSL library than BIND itself.

Johannes Ulrich, chief technology officer of the SANS Institute's Internet Storm Center, believes that ISC has not given the issue the attention it deserves. Ulrich said that the software consortium should "basically do a better PR job by notifying people to the urgency of the release."

"We still don't know enough about it," he added.

Melbourne based security consultant Adam Pointon agrees, and says that ISC should release a detailed advisory on the issue simply to clarify the situation.

"I think they should because the vendors are going to be confused as well as the normal users... no normal users will know about this problem yet," he said.

Ulrich said that the libbind vulnerability may have in fact been indirectly known about for a while now. Confusion about which code was used in which version has lead to uncertainty in regard to which vulnerability effects which version of BIND. "In hindsight it was known since the beginning. That libbind thing is the last of the shared code between [versions] 8 and 9," he said.

Version 9 was more or less a complete rewrite of version 8, and is generally regarded as being a lot more secure.


For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.