The non-profit Internet Software Consortium, provider of the Berkeley Internet Name Domain (BIND) software which is used by about 80 percent of the name servers on the Internet, Friday revealed it will create an exchange to share information about security flaws in the software.
The decision to found the exchange — which companies will pay a fee to join, though the fee will be waived for non-profits — follows in the wake of Monday’s announcement of four security flaws in certain versions of the BIND software. That announcement was made through the CERT (Computer Emergency Response Team) Coordination Center. But CERT’s security advisories are open to the general public, meaning businesses and individuals running name servers with an insecure BIND get information about security flaws at the same time crackers (malicious hackers) do. This means crackers can often use the very exploits warned against by CERT to initiate denial-of-service attacks.
Such was the case with the most recent warning. Network Associates Inc.’s COVERT Labs discovered three of the four flaws which CERT advised the public of Monday. Wednesday evening, a cracker posted details of one of those exploits on SecurityFocus.com’s Bugtraq mailing list. When list members downloaded the exploit, they also downloaded a Trojan which used one of the flaws to launch a denial of service attack against Network Associates. While Network Associates quickly contained the attack, it demonstrates the speed with which crackers can utilize security advisories.
The ISC’s information service — slated to begin later this month — is an attempt to work around that problem by giving legitimate businesses and individuals access to prerelease source code. Members will be required to register and use encrypted e-mail.
The solution does not sit well with some members of the security community, who said that BIND should remain open and that public discussion will make it more secure, not less.