Sendmail Bug, Lessons Unlearned

Sendmail, the predominant SMTP e-mail server program on the Internettoday, had another serious security bug publicly revealed on Monday,March 3. Discovered by ISS' X-Force, the bug is a classic, potentiallygiving remote attackers the ability to execute arbitrary commands onthe victim server. Mail servers represent a major element of keyInternet infrastructure, moving business and personal communicationsalike, both locally and across continents, often in mere seconds.

Thus, you would expect key e-mail service providers--and the Internetbackbone itself--to be sensitive to such announcements. We checked onthe mail gateways of 18 large e-mail providers and Tier-1 NSPs (networkservice providers) 24 hours after the announcement and again 48 hourslater. What we found was not exactly encouraging.

At the 24-hour mark, 11 of the 18 mail systems were running sendmail,and of those 11, 10 were still vulnerable. The remainder (notvulnerable) were running qmail, postfix or a non-sendmail, commercialmail package. Translation: At the 24-hour mark, only 10 percent of thevulnerable sites had fixed the problem.

At the 72-hour mark, two more of the 10 remaining vulnerable systemshad updated their software. This left eight backbone or Internet mailproviders still vulnerable three days after a major securityannouncement with vulnerability confirmed by the authors of thepackages themselves. Translation: Three days after a security alert,only 30 percent of the affected key infrastructure systems had reacted.

Lest any of the Tier-1 providers claim complexity in trying to upgradelive mail systems that serve thousands of users, I'll break a rule ofmine and name names--if only in the positive. The one sendmail-usingNSP that reacted and updated before we even started looking? AT&T.--Mike Scher