The BIND DNS software relied upon by companies large and small must contend with a newly discovered, critical security flaw that has the potential to crash domain name servers in a denial-of-service attack. The Internet Systems Consortium (ISC), which manages the BIND software, discovered the vulnerability and reported it to the public on March 26.
Though this particular security flaw only has the potential to affect servers running Linux and Unix operating systems, other software on the same machine is also put at risk, according to the ISC report. The issue lies in BIND's libdns library: an attacker can force the software to consume all available system memory (specifically in the daemon process, the "named" program) on a given machine, which would inevitably crash it.
"A flaw in a library used by BIND 9.7, 9.8, and 9.9, when compiled on Unix and related operating systems, allows an attacker to deliberately cause excessive memory consumption by the named process, potentially resulting in exhaustion of memory resources on the affected server. This condition can crash BIND 9 and will likely severely affect operation of other programs running on the same machine," ISC said in the report. Patches are available for a few versions of BIND (the patch simply disables support for regular expressions), and ISC is working on a process for system administrators to recompile BIND themselves in a similar way.
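Two things an administrator will want to do on the strength of this report are to find out whether the installed BIND belongs to one of the branches ISC names (9.7, 9.8, 9.9) and to catch runaway memory growth in named before it takes the rest of the host down with it. The script below is an added example written for this page, not code from the article or from ISC. It reads the version string that `named -v` prints (assumed to be of the form "BIND 9.x.y..."), matches only the major.minor branch, and compares the resident memory of the running named process against a threshold taken from the `NAMED_RSS_LIMIT_KB` environment variable (a name chosen here; the 1 GiB default is constructed and should be tuned to the host). A branch match is a prompt to check the point release against the advisory, since fixed releases exist inside the affected branches; it is not proof of exposure.

```shell
#!/bin/sh
# Added triage helper (not from the article or from ISC): flags a BIND 9 build
# whose branch (9.7, 9.8, 9.9) is named in the report, and watches the resident
# memory of the running named process so memory exhaustion is caught early.

# Return 0 if the version string belongs to an affected branch, 1 otherwise.
# Accepts the raw output of `named -v` ("BIND 9.9.2-P1") or a bare version.
affected_branch() {
    # strip leading non-digits, then keep only major.minor
    branch=$(printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/^\([0-9]*\.[0-9]*\).*/\1/')
    case "$branch" in
        9.7|9.8|9.9) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the resident set size in kB of the process with the given PID.
# Prefers /proc (Linux); falls back to POSIX ps elsewhere. Empty if the PID is gone.
rss_kb() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^VmRSS:/ { print $2 }' "/proc/$1/status"
    else
        ps -o rss= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# Return 0 if the process's RSS exceeds the threshold (kB), 1 if not, 2 if unknown.
proc_memory_over() {
    rss=$(rss_kb "$1")
    [ -n "$rss" ] || return 2
    [ "$rss" -gt "$2" ]
}

main() {
    # Constructed default of 1 GiB; override with NAMED_RSS_LIMIT_KB for the host.
    threshold_kb=${NAMED_RSS_LIMIT_KB:-1048576}

    if command -v named >/dev/null 2>&1; then
        ver=$(named -v 2>/dev/null)
        if affected_branch "$ver"; then
            echo "WARN: '$ver' is in a branch named in the ISC report; check the point release against the advisory"
        else
            echo "OK: '$ver' is not in an affected branch"
        fi
    else
        echo "named binary not found in PATH"
    fi

    pid=$(pgrep -x named 2>/dev/null | head -n 1)
    if [ -z "$pid" ]; then
        echo "named is not running"
        return 0
    fi
    if proc_memory_over "$pid" "$threshold_kb"; then
        echo "ALERT: named (pid $pid) RSS $(rss_kb "$pid") kB exceeds $threshold_kb kB"
        return 1
    fi
    echo "named (pid $pid) RSS $(rss_kb "$pid") kB is within the $threshold_kb kB limit"
}

# Run the checks only when invoked as `sh bind_check.sh --run`, so the functions
# can also be sourced from a cron job or monitoring wrapper.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run from cron and feed a non-zero exit into whatever pager or alerting pipeline is already in place; the memory check is deliberately independent of the version check, because a server that has been recompiled without regular-expression support still deserves a memory watchdog.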
Rachel Rosmarin's technology reporting experience goes back a decade to the dawn of Wi-Fi, smartphones and the Mp3. She has an in-depth knowledge of consumer electronics and has cultivated her love of useful new toys and innovative social software at publications including Tom’s Guide, Forbes, Business 2.0, Sound & Vision and Mobile Magazine. She holds degrees in Journalism and Science In Human Culture from Northwestern University and is based in Los Angeles.