Information Security News mailing list archives

Bug hit BIND's makers suggest fee-for-fix model


From: InfoSec News <isn () C4I ORG>
Date: Thu, 1 Feb 2001 17:09:49 -0600

http://www.it.fairfax.com.au/breaking/20010201/A18373-2001Feb1.html

Thursday, February 1, 2001, 14:51
By BARRY PARK, FAIRFAX IT

ISC, the company behind the BIND domain name server, has suggested a
fee-based membership forum for early vulnerability warnings after a
number of exploits in its server software were exposed.

In an e-mail sent to a company announcement newslist, ISC said "recent
events" had suggested a need for a fee-based membership forum
consisting of ISC itself, software and hardware vendors that include
BIND in their products, root and TLD name server operators, and "other
qualified parties ... nominated at ISC's discretion".

ISC said in the e-mail that not-for-profit members could have their
membership fees waived.

It said it would enforce the use of PGP, or possibly S/MIME, provide
members with information security training, and bind members to
"strong nondisclosure agreements".

Within an hour of the ISC proposal being publicly listed on the
network security mailing list BugTRAQ, an anonymous poster had listed
a BIND TSIG (translation signature) buffer mismanagement overflow
exploit.

The exploit is one of four that became the subject of a CERT advisory
this week that the network security group said "present a serious
threat to the Internet infrastructure".

ISN is hosted by SecurityFocus.com