Time to get patching, sys admins: ISC (the Internet Systems Consortium) has issued a fix for a BIND 9 denial of service vulnerability. The defect, for which a patch was published last week, “allows an attacker to crash a BIND 9 recursive resolver with a RUNTIME_CHECK error in resolver.c”, ISC says in its announcement. CVE-2013-3919 …
Lack of detail in the announcement
I saw the announcement last week and still don't know if there are other ways to trigger this.
E.g. most mail servers do a lookup on the connecting IP to get the hostname from RDNS, and sometimes on the envelope and header To/From/Cc/etc. lines to do canonicalisation.
It is unclear to me if it is possible to use that to trigger the crash or if it needs something more from the query.
If it *is* possible to crash it via mail servers (or other services that do DNS lookups) then the potential exposure just skyrocketed.
Re: Lack of detail in the announcement
Just patch. The people who spend time working out new ways to interfere with your computer aren't the people who tell you about it and how to prevent it.
Ian: thanks for advertising to the world what software version you're running, but you may regret that. The office I'm in just moved off Adobe Reader 8, unsupported and unpatched for years. I had to bite my tongue, metaphorically, when the topic of updating came up, because our pants were well and truly down but it would be irresponsible to tell the outside world that. And futile to raise it internally.
Looks at the servers running Debian Wheezy...
9.8.4 and supported for another couple of years at least.
Always let someone else test the new stuff.
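A quick check to go with the "just patch" and "9.8.4 on Wheezy" exchange above, added here as an example and not taken from the article or from any of the commenters: it reads the installed BIND version from `named -v` and compares it with a minimum patched version that you copy from the ISC advisory and pass on the command line (no fixed-version numbers are hard-coded here; which versions are fixed is for the advisory to say). The handling of Debian-style vendor suffixes such as `9.8.4-rpz2+rl005.12-P1`, of `-ESV-Rn` branch names and of `-Pn` patch levels is my own assumption about the strings `named -v` prints, and the test versions below are constructed.

```shell
#!/bin/sh
# Added example (not from the page): decide whether the running BIND needs
# the advisory's patch by comparing version strings.
#
# Usage: ./bind_check.sh <minimum-patched-version-from-advisory>

# Turn a BIND version string into one sortable integer:
#   major*10^9 + minor*10^6 + patch*10^3 + P-level
# Assumed input shapes: "9.9.3", "9.9.3-P1", "9.6-ESV-R9-P1",
# and Debian's "9.8.4-rpz2+rl005.12-P1".
bind_version_key() {
    v=$1
    base=${v%%-*}                      # "9.8.4" from "9.8.4-rpz2+...-P1"
    major=${base%%.*}
    rest=${base#*.}
    [ "$rest" = "$base" ] && rest=0    # no minor component at all
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;        patch=0 ;;
    esac
    case "$v" in                       # ESV branches: treat Rn as the patch field
        *-ESV-R[0-9]*) r=${v##*-ESV-R}; patch=${r%%[!0-9]*} ;;
    esac
    plevel=0
    case "$v" in                       # "-Pn" security patch level
        *-P[0-9]*) p=${v##*-P}; plevel=${p%%[!0-9]*} ;;
    esac
    # Strip any trailing non-digits (e.g. "5b1" -> "5") before arithmetic.
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    echo $(( ${major:-0} * 1000000000 + ${minor:-0} * 1000000 \
           + ${patch:-0} * 1000 + ${plevel:-0} ))
}

# bind_version_ge A B : succeeds when version A >= version B
bind_version_ge() {
    [ "$(bind_version_key "$1")" -ge "$(bind_version_key "$2")" ]
}

# bind_needs_patch RUNNING MINIMUM : prints yes/no, succeeds when a patch is needed
bind_needs_patch() {
    if bind_version_ge "$1" "$2"; then
        echo no; return 1
    else
        echo yes; return 0
    fi
}

# Read the installed version; named -v prints "BIND <version>" (assumption).
installed_bind_version() {
    named -v 2>/dev/null | sed -n 's/^BIND \([^ ]*\).*/\1/p'
}

# Stand-alone use: compare the local named against the advisory's minimum.
if [ $# -eq 1 ]; then
    minimum=$1
    running=$(installed_bind_version)
    if [ -z "$running" ]; then
        echo "named not found or version not recognised" >&2
        exit 2
    fi
    echo "running $running, minimum $minimum, patch needed: $(bind_needs_patch "$running" "$minimum")"
fi
```

Run it on the resolver itself, since it relies on the local `named` binary; for a remote server you can only see what it advertises, e.g. `dig +short version.bind chaos txt @resolver`, and that is empty or fake wherever the operator has set the `version` option, so treat it as a hint rather than an inventory. The comparison is string-shape based, so a vendor-patched build (Debian backports fixes without bumping the upstream version) can show "patch needed" even when the distribution's own security update is already installed; check the package changelog in that case rather than trusting the number alone.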