When security researchers announced that they had found new flaws in key Internet software last week, network administrators rushed to download the patches. However, the fixes for the software weren't available. Instead, the Internet Software Consortium -- the maker of the most popular domain name system (DNS) software on the Internet -- required that people who weren't part of the organisation's early-warning group email ISC for the patches. Because servers that run DNS software act as the address book of the Net, thousands of Internet service providers and companies were interested in getting the software fix. However, rather than replying to email requests sending the patch along, the ISC used the opportunity to solicit members for its paid support service, said Marc Maiffret, chief hacking officer for eEye Digital Security, a vulnerability assessment company. "They basically responded that they wouldn't make it available until the weekend, and then they said they had an early warning service and you have to pay money for that," Maiffret said. Maiffret eventually had to resort to using his network of friends to get a copy of the patch. Other security professionals complained they weren't able to get a copy of the patch until the ISC relented and published it to its Website on Wednesday night. Lynda McGinley, executive director for the Internet Software Consortium, said the group tried to act responsibly. "Our intention was to get the information to the right people," McGinley said. But she said the plan to evaluate potential recipients via email didn't work out. "This is not the best way to do it. That's very obvious," McGinley said. Class struggle
Several have questioned the group's motives in this latest slip-up. In February 2001, the ISC announced it would be creating a new group, called the BIND Forum, whose members would receive advanced notice of some problems. At the time, the consortium dismissed fears that the forum meant that BIND users were being divided into first- and second-class citizens. "There will be no special privilege level of information for this group," Paul Vixie, chairman of the ISC, said at the time. "Anything learned by the group will be absolutely learned by all the members." Yet, angry network administrators and security experts refuted that. "They deliberately withheld these patches," said Michael Brennen, president of FishNet, a boutique Internet service provider. "There are no other explanations. They knew what they were doing." Brennen, who runs a handful of BIND servers for his ISP as well as for his clients, said he got a message back from McGinley soon after he emailed her on Tuesday. The message said that he was on a list to get patches but gave no other information. When he asked for more information, she replied that Brennen may want to become part of the BIND Forum. Delays in notification also hurt the response times of groups whose role are to protect the critical functions of the Internet. Carnegie Mellon University's Computer Emergency Response Team Coordination Centre, the clearinghouse for much of the software-vulnerability information released on the Internet, didn't have much time to respond to the issue, said Martin Lindner, team leader for CERT. "We would have liked more time," Lindner said. "We would like to give the vendors as much time as possible." Lindner added that CERT contacted all the Linux distribution groups -- companies such as Red Hat and SuSE and organisations such as Debian -- as soon as they had information. Yet, according to statements by those groups, CERT only issued information 12 hours before the flaws were made public. As a result, none of the Linux sellers had a patch ready when the company that originally found the flaw, Internet Security Systems, made the issue public. Neohapsis's Shipley said the ISC's response could also affect the uneasy truce between those who find flaws and the companies who make the software that's being investigated. Security researchers typically want to make vulnerabilities public immediately. The software makers would rather not publicise the holes in their products at all, but at the very least, they'd like time to prepare patches before the flaws are made known. The two groups have been trying to reach a compromise, and the ISC's blunder sets a bad example, Shipley said. "Microsoft and Sun have refined policies around this stuff, but then you have the newcomers who are just learning to handle these things, and they are making some bad choices," Shipley said. "The BIND guys are veteran players. They have been around the space for a long time. I hope it's just a bad judgment call."
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
