Reports of previously unknown vulnerabilities in versions 4.x and 8.x of the popular BIND domain name system server software were published by security specialist ISS yesterday, 12 November. The flaw is remotely exploitable and, in many cases, exploiting it would give the hacker full control of the server.
There have been no reports of worms to automate the exploitation of the flaw, so currently the likelihood of being hacked using this flaw is small. Even so, the news sent a shockwave through many IT departments because the BIND software is so ubiquitous, and because this is not the first flaw in BIND software to be reported this year.
Firms that upgraded to the current version 9.2.1 last June can take comfort from the fact that this version does not include the newly-discovered flaws. However, many firms chose not to upgrade at that time. One IT manager contacted by IT Week said he must now update BIND software on 20 separate servers under his control.
The flaw is particularly problematic for two reasons. First, BIND is typically run using system administrator privileges - for example, this is how the software is installed by default on Solaris systems. Running with these privileges means that once a hacker has gained control of the server using this flaw, they immediately have full control over the entire server.
Secondly, there is little that can be done by a firewall to protect BIND servers because the DNS protocol uses the Internet's UDP transport, which does not include any concept of connections between systems. This makes auditing and management of DNS traffic using firewall policies virtually impossible.