'Most businesses have vulnerable servers'

A serious flaw has been found in Sendmail software, which processes between 60 and 70 per cent of the world's email traffic, leading security experts to suggest that most businesses are likely to have at least one vulnerable server.

The flaw was discovered by US-based security researcher Michal Zalewski, who warned that "a remote attack possibility is not that unlikely."

The bug was found in the prescan() function, which is used to parse email addresses from incoming messages. By sending a malformed email message to a Sendmail server, it may be possible for a remote attacker to gain entry to vulnerable machines.

US-based vulnerability coordination centre CERT claimed most companies are likely to be affected by the new glitch.

CERT said in an advisory: "Most medium-sized to large organisations are likely to have at least one vulnerable Sendmail server."

The advisory also pointed out that companies may not even know they are running Sendmail because it is enabled by default in many Unix and Linux distributions.

Because the vulnerability is exploitable through malformed messages, companies using other software to relay mail to a Sendmail server on an internal network segment will also be affected.

"An MTA (mail transfer agent) that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level... Sendmail servers on the interior of a network are still at risk," CERT said.

Security researcher Matthew McGlashan, who is based at AusCERT at the University of Queensland, says that an exploit to the latest vulnerability isn't known to be circulating. "It's fairly new... there's more chance of attackers going after the first [flaw] rather than this," he said.

But McGlashan said there's no point risking it - companies running Sendmail should patch it as soon as possible. "In these situations, you just wouldn't take any chances... it's good practice [by mitigating] by patching if you can," he said.

Alternatively, system administrators can run the Sendmail process as a low-level user instead of root, hence minimising the impact of the vulnerability, McGlashan said.