Monday, January 29th 2001, 12:00 am
By: News On 6
PITTSBURGH (AP) — Security experts warned Monday of a new software vulnerability that could allow vandals to disrupt portions of the Internet by redirecting Web and e-mail traffic.
The CERT Coordination Center, the government-funded computer emergency response team at Carnegie Mellon University, said the vulnerability was in BIND software, a key part of computers that direct traffic on the Net.
The flaw was discovered earlier this month, and a fix was made available Jan. 17 by BIND's creator, the nonprofit Internet Software Consortium of Redwood City, Calif. CERT advised BIND users Monday to install the fix quickly.
BIND is used in computers, known as domain name servers, that function as the Internet's phone books. Typing in a domain name such as Yahoo.com prompts a server to contact Yahoo's computers.
If left uncorrected, the flaw could allow an intruder to change those directories.
"Your e-mail could be routed to the wrong place," said Shawn Hernan, a CERT security analyst. "Web addresses could be routed to the wrong place. You could type in www.myfavorite-place.com and be directed to a porn site, or worse, something that looks a lot like the site you expect to find."
BIND, or Berkeley Internet Name Domain, is used on about 90 percent of domain name servers in the United States, said Jeff Carpenter, the center's manager.
"BIND is a favorite target of intruders," Hernan said, "and they will develop ways to exploit this quickly — in a matter of days or weeks."
Hernan called it "among the most serious classes of vulnerability to affect the Internet."
Bill Pollak, a CERT spokesman, said the center knew of no hacking through the most recently identified weakness.
Although weaknesses in BIND have been identified before, this threat appears more serious because the program has been installed on many more machines since then, said David Conrad, the chief technology officer at Nominum Inc., the company that was hired by BIND's creators to close the gap.
There are tens of thousands of domain name servers around the world. Each one may serve 10,000 to 20,000 Internet users, so only portions of the Internet would be affected by a single attack.
The Internet also has 13 master directories, called root servers, which tell domain name servers where to get updated information. Those computers, located in the United States, Tokyo, Stockholm and London, also use BIND software, said Brian O'Shaughnessy, a spokesman for VeriSign Inc., which runs some of the root servers for the U.S. government.
In an extreme case, hackers could change settings at those root servers and redirect all .com traffic.
Without BIND, Internet users would have to remember lengthy strings of numbers to surf the Web or send e-mail.
"It's the white pages for the Internet," said Cricket Liu, an Internet expert and co-author of the book "DNS and BIND."
Just last week, a technician's error and a hacking attack involving Microsoft's servers cut off the company's sites to the world for portions of four days. CERT officials do not believe those problems are related to the latest BIND weakness, but Hernan said they demonstrate the importance of the name servers.
PGP Security of Santa Clara, Calif., had been poking around to see where the BIND software might be weak and told CERT that two early versions could be vulnerable.
"We have seen large organizations that are not up to date. They are not necessarily immune," Carpenter said.
CERT's Hernan said managers of high-security sites, such as those in the military, already have fixed the problem.
———
On the Net:
CERT at http://www.cert.org