Enterprises can learn a lesson about verifying the integrity of downloaded software from the recently unveiled security flaw found in the open-source e-mail server program Sendmail.
The Computer Emergency Response Team (CERT) out of Carnegie Mellon University issued an alert this week that a download point for the Sendmail source code was compromised. Visitors to the site might have downloaded versions of the code that included a Trojan horse program.
Affected versions are sendmail.8.12.6.tar.Z and sendmail.8.12.6.tar.gz, according to CERT's advisory. It appears those versions were available only between Sept. 28 and Oct. 6. Only versions from the ftp.sendmail.org site were affected, CERT said.
The Trojan horse affects only the system used to compile the downloaded source code, not the systems that run the resulting binaries. When the build runs, the Trojan opens a backdoor that can allow its author to gain control of the build machine with the same privileges as the user who compiled the code.
Rebooting the system is believed to close the backdoor, CERT said; that removes the backdoor process, not anything an intruder may have done while it was open.
"This issue is a wake-up call for people who download software without verifying the integrity of the files," said Robert Lonadier, president of Boston-based RCL Associates.
As the CERT advisory suggested, there are two ways to verify that the downloaded files are the ones the project actually released. One is to check the PGP signature: the Sendmail maintainers sign their releases, and the trojaned tarballs were not accompanied by a valid signature, so a signature check would have failed and exposed the substitution.
The other is to compare a cryptographic hash of the download (such as the MD5 checksums listed in the advisory) against the value the project publishes; the hash of the trojaned archive would not have matched. The published value has to come from a location trusted separately from the download server, since a checksum file served next to the tarball can be replaced along with it.
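The two checks just described, as an added example written for this page rather than taken from the CERT advisory or the Sendmail project: a checksum comparison against a published list, with a detached-signature check alongside it. The file names, the "HEX  NAME" checksum-list format (the one `sha256sum -c` reads) and the sample file contents are constructed for the demonstration; the script uses SHA-256 where the 2002 advisory used MD5.

```shell
#!/bin/sh
# Added example (not from the CERT advisory or the Sendmail project):
# verify a downloaded release tarball against a published checksum list
# and a detached PGP signature. The file names, the "HEX  NAME" list
# format and the sample contents below are assumptions for the demo.

# sha256_of FILE: print the hex SHA-256 digest using whatever the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_checksum FILE SUMS: look FILE's base name up in a checksum list
# (one "HEX  NAME" or "HEX *NAME" line per file, as sha256sum -c reads)
# and compare digests. SUMS must come from a location trusted separately
# from the download server: a list served next to the tarball can be
# swapped together with it. Exit status: 0 match, 1 mismatch, 2 unlisted.
verify_checksum() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no published checksum for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# verify_signature FILE SIG: check a detached PGP signature. The signing
# key must already be in the keyring, fetched by fingerprint from a source
# other than the download mirror; a key file next to the tarball proves
# nothing. Returns gpg's status, or 2 if gpg is not installed.
verify_signature() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $2" >&2
        return 2
    fi
    gpg --batch --verify "$2" "$1"
}

# --- constructed demonstration ---------------------------------------
work=$(mktemp -d)
release="$work/sendmail.8.12.6.tar.gz"          # stand-in for the real tarball
printf 'genuine source tree\n' > "$release"
# The list a project publishes; here generated from the genuine file.
printf '%s  sendmail.8.12.6.tar.gz\n' "$(sha256_of "$release")" > "$work/CHECKSUMS"

# 1. The genuine file matches.
verify_checksum "$release" "$work/CHECKSUMS"

# 2. A copy from a compromised mirror with one extra line (standing in for
#    a modified build script) fails, even though the file name is identical.
mkdir "$work/mirror"
cp "$release" "$work/mirror/sendmail.8.12.6.tar.gz"
printf 'injected build hook\n' >> "$work/mirror/sendmail.8.12.6.tar.gz"
verify_checksum "$work/mirror/sendmail.8.12.6.tar.gz" "$work/CHECKSUMS" \
    || echo "mirror copy rejected (exit $?)"

# 3. On a real download, also check the detached signature the project ships:
#    verify_signature sendmail.8.12.6.tar.gz sendmail.8.12.6.tar.gz.sig
rm -rf "$work"
```

The checksum comparison only proves the file is the one whose digest was published; it says nothing about who published it. That is what the signature check adds, and it is only as strong as the way the signing key was obtained, which is why the key should be fetched and its fingerprint confirmed through a channel independent of the mirror serving the tarball.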
Verifying the integrity of software is not a new problem, and it is not easily solved, said Pete Lindstrom, research director of Spire Security, a Malvern, Penn.-based security research and analysis firm. Perhaps the best way to make sure software is legitimate is by buying it packaged.
When downloading software, users should consider both the source of the application and the integrity of downloaded material itself, Lindstrom said. Examining the source of the software is important. One may not want to install software from "Joe Shmoe's software development house in China, as it may contain something malicious," he said.
Second, examining the downloaded program itself is equally important, to make sure it is what was expected. This is where checking the integrity of the download comes in.
Users need to think about downloaded software much as they do about e-mail with attachments.
"You can't take it at face value, as it can possibly contain a Trojan horse or virus," Lindstrom said.
"All it really takes is a few keystrokes and 30 seconds to check the integrity of a download," Lonadier said. "It will save some embarrassment in the long term."