Computerworld - The Internet Software Consortium (ISC) is under fire for the fee-based procedures it follows to notify the Internet community of vulnerabilities in Berkeley Internet Name Domain (BIND) software used for routing traffic on the Internet.
When word reached the ISC on Oct. 25 that "serious" BIND vulnerabilities had been discovered, the first companies to receive notification were the paying members of ISC's early-alert notification service. The rest of the Internet security community had to wait until a patch was released Nov. 12 to be notified of the new holes in the software (see story). And even then, some security administrators said they couldn't locate a patch as much as 12 hours after the public announcement was made - about nine hours longer than it took for the patches to be leaked to the hacker underground.
Although the ISC, which maintains BIND, doesn't charge for patches, it does charge companies to be added to an early notification list, said Lynda McGinley, the consortium's executive director. Fees vary depending on the type and size of the subscription. An individual pays roughly $100 per year, while a large company can expect to pay $50,000 per year to be a member of the ISC forum, she said.
"Forum members with the early security notification option pay for ISC to validate their authenticity as someone who is not distributing patches to the underground," said McGinley. She added that notifications of the latest vulnerabilities "were leaked to the underground within a few hours of us sending them out to what we thought were valid users." That demonstrates the importance of the validation process, she said.
Michael Brennen, president of FishNet Inc., a Web hosting firm in Plano, Texas, was one of the many BIND users who couldn't locate patches for more than 12 hours on Nov. 12. "Deliberately withholding patches for root access security bugs is irresponsible in the extreme," he said. "Whether or not it is extortion is for others to decide. Personally, I don't want to be held hostage. I can't live with this anymore."
The latest vulnerabilities, discovered by Atlanta-based Internet Security Systems Inc. (ISS), affect BIND Versions 4 and 8, up to and including Release 8.3.3, according to ISS. "Eleven of the 13 root servers run Version 8.3.3," said Dan Ingevaldson, team leader of the ISS X-Force.
Lasting Problem
Jerry Brady, chief technology officer at Waltham, Mass.-based Guardent Inc., said he thought the patches came out a little late. "The recommendations were to either patch the old code or move to a new release of BIND, which is kind of daunting to the average user," said Brady. "As a result, this vulnerability will probably hang around for a long time."
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
