Time to get patching, sys admins: ISC (the Internet Systems Consortium) has issued a fix for a BIND 9 denial of service vulnerability. The defect and patch, published last week, “allows an attacker to crash a BIND 9 recursive resolver with a RUNTIME_CHECK error in resolver.c”, the ISC says in its announcement. CVE-2013-3919 …
Lack of detail in the announcement
I saw the announcement last week and still don't know if there are other ways to trigger this.
E.g. most mail servers do a lookup on the connecting IP to get the hostname from RDNS, and sometimes on the envelope and header to/from/cc/etc. lines, to do canonicalisation.
It is unclear to me if it is possible to use that to trigger the crash or if it needs something more from the query.
If it *is* possible to crash it via mail servers (or other services that do DNS lookups) then the potential exposure just skyrocketed.
Re: Lack of detail in the announcement
Just patch. The people who spend time working out new ways to interfere with your computer aren't the people who tell you about it and how to prevent it.
Ian: thanks for advertising to the world what software version you're running, but you may regret that. The office I'm in just moved off Adobe Reader 8, unsupported and unpatched for years. I had to bite my tongue, metaphorically, when the topic of updating came up, because our pants were well and truly down but it would be irresponsible to tell the outside world that. And futile to raise it internally.
Looks at the servers running Debian Wheezy...
9.8.4 and supported for another couple of years at least.
Always let someone else test the new stuff.