A serious buffer overflow vulnerability announced last week in Sendmail is ripe for exploitation in targeted attacks, but a worm writer could also craft malicious code that exploits the security hole.
No one can say whether a worm writer will create malware that targets the Sendmail flaw, but it is possible, experts said. The pervasiveness of the flaw and of Sendmail usage are strong reasons to be wary of the potential for such a worm.
Conservative estimates say that Sendmail, an open-source mail transport engine, handles between 50% and 75% of all Internet e-mail traffic. Most versions of the application, which can run on Unix, Linux and Windows, are susceptible to the buffer overflow vulnerability.
An attacker could exploit the flaw in a targeted way by sending an e-mail message with a specially crafted header. The buffer is static, meaning its size is fixed, so if an attacker sends a chunk of data larger than the buffer, the excess spills over and can run on the affected system.
Generally, worm writers look for their creations to get the most bang for their programming buck. In other words, they aren't going to target obscure applications that no one uses.
Flaws in popular applications that are connected to the Web are the ripest targets, said Dan Ingevaldson, team lead for Internet Security Systems' X-Force R&D. Recent history has shown applications like BIND, Web servers and databases to be particularly high on worm writers' target lists. "Sendmail
Just because Sendmail is popular doesn't mean there is a worm around the corner, said Roger Thompson, technical director of malicious code research for TruSecure Corp. "There have been 60 or 70 good exploitable vulnerabilities in Internet Explorer. Know how many have been exploited by worms?" he asked.
"Zero," he answered.
Often, a worm's success depends on how many vulnerable systems remain unpatched. Nimda, for example, still propagates because many administrators still have not patched their vulnerable Microsoft Internet Information Services (IIS) Web servers, which the worm exploits. Because Nimda exists in memory only, it would die out if systems were patched.
It's still too early to say how well administrators are patching their Sendmail machines. The vulnerability has been well publicized. Federal officials worked with Sendmail's developers and ISS, which found the flaw, on getting the word out about it and available patches.
David Perry, global director of education for Trend Micro, a Tokyo-based antivirus software vendor, predicts that a lot of Sendmail machines will be patched. He bases his reasoning on the fact that Sendmail is primarily a Unix application. "Unix admins are used to patching all the time," he said. "This is not a slight to Microsoft or Windows admins."
Even if there is a critical mass of vulnerable machines, writing an exploit to take advantage of the flaw isn't easy. "That isn't something you can do with Visual Basic," Perry said.
A Polish security organization, the Last Stage of Delirium (LSD), released some exploit code that would affect some Red Hat and Slackware Linux servers running Sendmail. Group members, however, acknowledged that exploiting the flaw requires "technical knowledge about operating system internals and vulnerability exploitation tricks."
An analogy could be made with the recent Slammer worm, which exploited a 6-month-old flaw in SQL Server. The worm spread very rapidly but didn't cause any direct damage per se. Some networks slowed to a halt, and bank customers in some areas found they couldn't access their money at ATMs.
Slammer was built from demo exploit code, which itself required decent technical skills to create, said Craig Schmugar, an antivirus researcher with McAfee AVERT. "It didn't require the same knowledge to plug it into a propagation method," he said.
A worm that takes advantage of the Sendmail flaw would be much more complex than, say, a standard e-mail based worm, Thompson said. "There are plenty of lame e-mail worms," he said. "Creating a buffer overflow [worm] is far more complex."
- FEEDBACK: Are Sendmail servers generally patched quicker than vulnerable Windows machines?
Send your thoughts to News Writer Edward Hurley.