A newly discovered flaw in a critical piece of Internet infrastructure software could put more than half the Internet’s e-mail servers at risk, researchers say. The flaw exists in Sendmail, a program that sorts and delivers most e-mail. A single message sent to a vulnerable e-mail server could allow an attacker to take control of the server, read its contents and use it to organize a massive denial-of-service attack. But officials are hopeful that a month’s worth of secret efforts to shore up defenses against the flaw — which included informing top federal offices and foreign governments — will minimize its impact.
THE FLAW WAS ACTUALLY found in late December, but not revealed until today. That gave the Department of Homeland Security time to organize efforts that would protect against possible attacks, said Alan Paller, director of research at security firm The SANS Institute.
Because there are so many different flavors of Sendmail, twenty software vendors had to develop a variety of patches for the flaw. The flaw impacts principally Unix and Linux systems, as well as a limited number of Windows servers that run Sendmail — but it doesn’t affect desktop computers and won’t require action by typical consumers.
But estimates say between 50 and 75 percent of all the Internet’s e-mail is handled by the various versions of Sendmail, making the flaw particularly pervasive — even more than the flaws that led to the now-infamous Code Red and Slammer worms.
So Internet Security Systems, which discovered the flaw, shared it quietly with both Sendmail developers and the Department of Homeland Security. The organizations spent nearly two months developing fixes for the flaw, all the while keeping details of it a secret to prevent an attack against undefended machines.
That included early warnings to foreign governments, federal chief information officers, and “Information Sharing and Analysis Centers,” which coordinate security at U.S. infrastructure firms such as power companies and train services, Paller said.
Howard Schmidt, vice chairman of the President’s Critical Infrastructure Protection Board, said the Department of Homeland Security has made strides in organizing private sector efforts to fix large-scale Internet software flaws. And providing early warnings to infrastructure firms and other “key stakeholders” — such as foreign governments — can play a critical part in fending off an attack, he said.
“We had the opportunity to give everybody heads up, just to say, ‘Be prepared, so you don’t have half your staff off on vacation,’ ” Schmidt said. He said both foreign governments and foreign corporations are regularly warned about critical Internet flaws.
Such a limited disclosure is controversial. Some security researchers say it leaves those who are not told at risk during the time it takes to develop a fix, and argue that all programmers should be notified immediately at the time of discovery — a practice known in the industry as full disclosure.
Schmidt is among those who think that would do more harm than good.
“The issue is not exposing your flank in a period where it may be tough,” he said.
Both the Department of Homeland Security and the CERT Coordination Center issued public advisories about the flaw on Monday, urging system administrators to patch the vulnerability quickly. Several companies also followed with warnings.
“At this point, because of the spread of Sendmail, it’s a serious problem,” said Oliver Friedrichs, senior manager with Symantec Corp.’s Security Response Team. “It has the potential to be a big problem.”
HOW ATTACKERS COULD STRIKE
In the past, many software flaw advisories have received only a tepid response — with consequences such as global computer worm epidemics like Code Red or February’s SQL Slammer worm, which managed to slow down the operation of the entire Internet and even crippled some bank ATMs.
Generally, it takes virus and worm writers at least several weeks to engineer attacks based on the discovery of a flaw, but malicious programmers are likely to attack this flaw even more quickly, Paller said.
“I give equal odds between 1 day and 21 days for a worm,” Paller said. That’s because Sendmail is an open source program, meaning it will be relatively easy for programmers to reverse engineer the fix into an attack.
Such an attack could have widespread consequences:
A single attacking e-mail could disable an e-mail server, causing a flood of undelivered e-mails. A number of these attacks could flood the Internet with bounced e-mail messages, causing a global Internet slowdown, said Chris Rouland of Internet Security Systems, which discovered the flaw.
An attacker could also bug an e-mail server, allowing him or her to read any messages sent through the machine, Paller said.
Also, since e-mail servers tend to have high-bandwidth connections to the Internet, they are prime targets for takeover by attackers looking to amass an army of machines that can perform a denial-of-service attack, Paller said.
But there are some mitigating factors, Friedrichs said. Because there are so many flavors of Sendmail, a worm writer probably couldn’t craft a program that successfully attacks each flavor. That means it’s unlikely a single attack could quickly infect millions of machines worldwide, the way the Slammer worm did.
‘THE RIGHT TIME IS NOW’
Still, the potential consequences make it particularly crucial for companies and governments to patch their systems quickly. That might be tricky; e-mail administrators are generally loath to add any new programs or patches to their machines, since patches can sometimes backfire and temporarily interrupt e-mail delivery.
“(Administrators) tend to delay patching critical e-mail systems because it’s worse to have e-mail go out than anything else in your life,” Paller said. “We’re going to have to pump up the visibility of this to persuade people to patch Sendmail quickly.”
Rouland said the new Department of Homeland Security, which recently absorbed the FBI’s National Infrastructure Protection Center, helped his firm get warnings out about the flaw without revealing details that could have put companies in danger. Often, details of security flaws are leaked on the Internet and fall into the hands of virus writers before companies can develop fixes.
“The biggest benefit of working with them is there is no risk of predisclosure,” he said.
Paller also said the Department of Homeland Security has become more proactive in dealing with critical software flaws that might impact national security or the critical functions of the Internet.
“The government got involved in Code Red not when the vendor announced the vulnerability, but when the worm hit. That’s the wrong time for the government to get involved,” he said. “The right time is now, and to use the bully pulpit so a larger percentage of machines get the fix.”