
Mark Dowd at Internet Security Systems reported that a serious flaw exists in certain versions of the Sendmail open-source and commercial e-mail software.
If you use Sendmail for anything, personally or in business, you need to read the report online.
The good news is that, researchers report, patches are already available.
The problem, according to Dowd, is that as things currently stand an intruder could take control of your computer by sending arbitrary code at strategic intervals to the SMTP mail server.
The attack could interfere with or intercept mail delivery, let the attacker run programs on the computer and do whatever they wanted, or possibly provide access to other systems on the network the computer is connected to.
The vulnerability covers all Linux- and Unix-based versions of Sendmail 8 up to version 8.12.6, but has no impact on Windows varieties of the open-source software, according to the Sendmail Consortium, which oversees the project.
The products specifically affected include Sendmail Switch, Sentrion and Advanced Message Server.
This is a potentially devastating problem if not fixed as 70 percent of the world's e-mail is delivered through the Sendmail software.
Gunter Ollmann, director of ISS's X-Force research team, says: "Since SMTP is one of the few listening services allowed consistently through perimeter firewalls, we expect that many attackers will focus their efforts on developing techniques to exploit the vulnerability in order to gain entry into corporate and government networks."
The flaw is rated "critical", meaning that the vulnerability has significant potential for widespread exploitation.
The Sendmail Consortium urges "open-source users to upgrade to version 8.13.6 of the software, which contains a fix and is available through its Web site. Patches for two older versions of the software are also available for download, but the group discouraged that tactic, warning that the patches may not work properly."
For people who use the commercial software, a complete rundown of recommended actions is available through the Sendmail company advisory.
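The practical first step for an administrator reading this is an inventory pass: find every Sendmail instance and compare its version against the 8.13.6 release the Consortium recommends. The script below is an added example, not code from the article or from the Sendmail project. It parses the version from either an SMTP greeting banner ("220 host ESMTP Sendmail 8.13.5/8.13.5; ...") or from the "Version 8.13.5" line that `sendmail -d0.1 -bv root` prints locally (that output format is an assumption), and it compares versions as integer tuples so that, for example, 8.9.3 is correctly ranked below 8.13.6 where a string comparison would get it wrong. The host names and banners are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Release named in the Sendmail Consortium advisory quoted above as containing the fix.
FIXED_VERSION: Version = (8, 13, 6)

# Matches "Sendmail 8.13.5/8.13.5" in an SMTP greeting, or "Version 8.13.5" as
# printed by `sendmail -d0.1 -bv root` (assumed output format).
_VERSION_RE = re.compile(r"(?:Sendmail|Version)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the Sendmail version from a banner or local version line, or None."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def needs_upgrade(version: Version) -> bool:
    """True when the running version is older than the fixed release."""
    # Tuple comparison is numeric per component, unlike comparing "8.9.3" < "8.13.6" as strings.
    return version < FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (host, banner_or_version_line) pairs into upgrade / ok / unknown buckets.

    'unknown' collects hosts whose banner does not identify a Sendmail version
    (for example a different MTA, or a banner that has been deliberately hidden),
    so they can be checked by hand rather than silently counted as safe.
    """
    result: Dict[str, List[str]] = {"upgrade": [], "ok": [], "unknown": []}
    for host, text in inventory:
        version = parse_version(text)
        if version is None:
            result["unknown"].append(host)
        elif needs_upgrade(version):
            result["upgrade"].append(host)
        else:
            result["ok"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and banners, not from the article).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("mx1.example.test", "220 mx1.example.test ESMTP Sendmail 8.13.5/8.13.5; Wed, 22 Mar 2006 10:00:00 GMT"),
    ("mx2.example.test", "Version 8.13.6"),
    ("relay.example.test", "220 relay.example.test ESMTP Sendmail 8.12.6/8.12.6; Wed, 22 Mar 2006 10:01:00 GMT"),
    ("win-mx.example.test", "220 win-mx.example.test ESMTP Postfix"),
    ("mx3.example.test", "220 mx3.example.test ESMTP Sendmail 8.14.0/8.14.0; Wed, 22 Mar 2006 10:02:00 GMT"),
]


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

Hosts landing in "unknown" are not a clean bill of health: a banner rewritten to hide the MTA, or a Sentrion or Sendmail Switch appliance, still has to be checked against the vendor advisory by hand.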