Sendmail Bug, Lessons Unlearned

Sendmail, the predominant SMTP e-mail server program on the Internet
today, had another serious security bug publicly revealed on Monday,
March 3. Discovered by ISS' X-Force, the bug is a classic, potentially
giving remote attackers the ability to execute arbitrary commands on
the victim server. Mail servers represent a major element of key
Internet infrastructure, moving business and personal communications
alike, both locally and across continents, often in mere seconds.

Thus, you would expect key e-mail service providers--and the Internet
backbone itself--to be sensitive to such announcements. We checked on
the mail gateways of 18 large e-mail providers and Tier-1 NSPs (network
service providers) 24 hours after the announcement and again 48 hours
later. What we found was not exactly encouraging.

At the 24-hour mark, 11 of the 18 mail systems were running sendmail,
and of those 11, 10 were still vulnerable. The remainder (not
vulnerable) were running qmail, postfix or a non-sendmail, commercial
mail package. Translation: At the 24-hour mark, only 10 percent of the
vulnerable sites had fixed the problem.

At the 72-hour mark, two more of the 10 remaining vulnerable systems
had updated their software. This left eight backbone or Internet mail
providers still vulnerable three days after a major security
announcement with vulnerability confirmed by the authors of the
packages themselves. Translation: Three days after a security alert,
only 30 percent of the affected key infrastructure systems had reacted.

Lest any of the Tier-1 providers claim complexity in trying to upgrade
live mail systems that serve thousands of users, I'll break a rule of
mine and name names--if only in the positive. The one sendmail-using
NSP that reacted and updated before we even started looking? AT&T.