Companies urged to patch Sendmail

A critical vulnerability in Sendmail, the internet's most popular mail-server application, had security experts and software companies moving quickly on Monday to convince customers to apply a patch.

The flaw allows an attacker to send a specially formatted email that could take control of a mail server running Sendmail and execute a malicious program. At present, no attack tool that could exploit the vulnerability is known to exist, said Greg Olson, chairman and co-founder of Sendmail, the company that has created a commercial version of the software.

"You have to understand that this is a very arcane security issue," he said. "It has been present in Sendmail code for 15 years and that code has been through multiple inspections."

The flaw - ironically in a Sendmail security function - occurs when the mail program parses an overlong header. The vulnerability was first found in December by security software firm Internet Security Systems. The company notified Sendmail and the National Infrastructure Protection Center, a joint computer crime and security task force, on 13 January.

"This vulnerability is especially dangerous because the exploit can be delivered within an email message and the attacker doesn't need any specific knowledge of the target to launch a successful attack," stated an ISS advisory released on Monday.

Because the vulnerability is contained in an email message, it will bypass firewalls and many intrusion detection systems, said Dan Ingsvaldson, team leader for ISS's vulnerability research group. Moreover, mail servers - also called mail transport agents (MTAs) - that aren't vulnerable will still forward the flaw-exploiting email message onto its destination.

"The only dependency is that the domain needs to accept email," Ingevaldson said.

The flaw is unrelated to a November break-in at the Sendmail Consortium's website.

Several companies, including Red Hat, IBM, SGI, Sun and Hewlett-Packard, released patches on Monday. The Sendmail Consortium, the group responsible for development of the open source Sendmail code, released Sendmail 8.12.8, an updated program that fixes the flaw.

"The key here is to get the word out and get it fixed before hackers get an exploit," said Sendmail's Olson. "You need to contact a lot of people and make sure they understand this is important and apply the patch."