A serious security vulnerability has been found in the ubiquitous Sendmail software, which processes 60 percent to 70 percent of the world's email messages.
The flaw was discovered by US-based security researcher Michal Zalewski, and is separate from the one discovered by Internet Security Systems earlier this month. "I've confirmed this is a local issue, and my initial impression is that a remote attack possibility is not that unlikely," Zalewski said in a statement.
The bug was found in the prescan() function, which is used to parse email addresses from incoming messages. By sending a malformed email message to a Sendmail server, it may be possible for a remote attacker to gain entry to vulnerable machines.
US-based vulnerability coordination centre CERT claimed most companies are likely to be affected by the new glitch.
"Most medium-sized to large organisations are likely to have at least one vulnerable Sendmail server," CERT said in an advisory.
The advisory also pointed out that companies may not even know they are running Sendmail because it is enabled by default in many Unix and Linux distributions.
Because the vulnerability is exploitable through malformed messages, companies using other software to relay mail to a Sendmail server on an internal network segment will also be affected.
"An MTA (mail transfer agent) that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level... Sendmail servers on the interior of a network are still at risk," CERT said.
Security researcher Matthew McGlashan, who is based at AusCERT at the University of Queensland, says that an exploit to the latest vulnerability isn't known to be circulating. "It's fairly new... there's more chance of attackers going after the first (flaw) rather than this," he said.
But McGlashan said there's no point risking it -- companies running Sendmail should patch it as soon as possible. "In these situations, you just wouldn't take any chances... it's good practice (by mitigating) by patching if you can," he said.
Alternatively, system administrators can run the Sendmail process as a low-level user instead of root, hence minimising the impact of the vulnerability, McGlashan said.