This story was written by Keith Dawson for the Industry Standard's Media Grok email newsletter. It is archived here for informational purposes only because The Standard's site is no more. This material is Copyright 1999-2001 by Standard Media.

Sleep Tight, Don't Let the BIND Bugs Bite

Jan 30 2001 12:00 AM PST

The system that converts names to addresses on the Web could cause big trouble.

The government-funded Computer Emergency Response Team put on an unusual show yesterday to announce four bugs in a critical piece of Internet software: it issued a press release and held a televised news conference. Lots of outlets picked up the story, but most didn't give it particular prominence. The Wall Street Journal was an exception, linking its coverage from the front page and leading the tech page with it. The Washington Post linked a Reuters story from its WashTech site's top page.

Why all the noise? CERT publicized four bugs in BIND, the "Berkeley Internet Name Domain" server that handles most of the Net's requests to translate people-friendly domain names into computer-friendly addresses. CERT fears that as soon as the Net bad guys develop "exploits" - distributable code that takes advantage of the bugs - much of the Internet will be vulnerable to rerouted traffic, denial of service and worse. According to the Journal, "experts expect (exploit) tools to start appearing on underground Web sites within days."

In CERT's hometown paper, the Pittsburgh Post-Gazette, science editor Byron Spice provided good background on the way crackers had jumped on the last announced BIND flaw, giving a taste of things to come unless system administrators upgrade their software but quick.

Though CERT warned of four bugs, most outlets only talked about the most serious of them. InternetNews's Thor Olavsrud (with Brian McWilliams) provided a more rounded picture of the CERT advisory in technical terms. Olavsrud outlined all four bugs and their possible consequences in a bulleted list. His coverage also linked to an online rant by D.J. Bernstein, who calls BIND the "Buggy Internet Name Daemon." Bernstein has written a DNS server of his own and offers a reward to anyone who finds a security hole in it. (InternetNews apparently didn't interview Bernstein, and the piece did not name him.)

Many of the stories mentioned Microsoft's recent DNS-related availability problems and denial-of-service attacks, though they are totally unrelated to the bugs under discussion. ZDNet even led with the Microsoft mention. Why not, it's all computer security, right?

Researchers Find Software Flaw Giving Hackers Key to Web Sites
Wall Street Journal
(Paid subscription required.)

Flaw Found in Critical Internet Software (Reuters)
Washington Post

Net Security Chiefs Told Not to Be Slackers
Pittsburgh Post-Gazette

Security Flaws Found in Popular DNS Software

More Outages Ahead?

Security Flaw Found in Web Software (AP)
Los Angeles Times

CERT Advisory CA-2001-02: Multiple Vulnerabilities in BIND
Carnegie Mellon Software Engineering Institute

BIND, the Buggy Internet Name Daemon
D.J. Bernstein