Computerworld - Has your sendmail been patched? Are you sure? If the answer is no, stop reading this and get it taken care of. Not later today. Not later this minute. You're already a week behind, and hackers have had exploit code working since last Tuesday. There are no work-arounds. Your firewall won't protect you. Your virus scanner won't protect you. A properly patched sendmail server that's upstream from your site will remove the fangs from a malicious e-mail message that exploits this security hole -- but do you really want to depend on the kindness of strangers?
You can't afford that risk. So find out. And if you have sendmail systems that haven't been patched or upgraded, do it right now!
How bad is this mess? Between 50% and 75% of all e-mail on the Internet is handled by sendmail servers. The bug that creates the security hole is about a decade old, which means if you're using sendmail, you do have the bug.
And since it took less than 48 hours for two separate groups of hackers to come up with working attacks on this security hole after it was officially announced, you can reasonably expect attacks to show up on the Internet pretty quickly, too.
Worse still, you may already have been hit by one. A successful attack won't leave any evidence on your system log. Which means someone who's just testing the technique may already have tried it on your unpatched sendmail systems, and you have no way of knowing.
The good news -- yes, there is some good news here -- is that this is one very subtle security hole. It's no simple buffer-overflow problem, like so many we've heard about. In this case, the buffer that lets the bad guys in is checked to make sure it doesn't overflow. Trouble is, there's a bug in one of the checking routines. And if a bad guy exploits that coding error -- but only if the bad guy knows exactly how to exploit that specific coding error -- sendmail is vulnerable.
Which explains why it took 10 years for anyone to spot the problem, and why it was Internet Security Systems in Atlanta that spotted it, not some malicious adolescent in his bedroom. The problem was buried deep in code that has been available to security experts and nasty crackers alike -- and until now, no one spotted it.
That's how far we've come on security: We now have so many researchers digging so deep and looking so
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
