One of the most popular mail utilities in the world, sendmail, has a serious
flaw in it that could potentially leave a back door open onto a machine. The
vulnerability, which was reported by Mark Dowd at Internet Security Systems,
could allow a remote attacker to take control of a PC. To do this, the intruder
would send arbitrary code at carefully crafted time intervals to the SMTP mail
server, according to alerts from security providers ISS and FrSirt.
An attack could interfere with or intercept mail delivery, permit the intruder
to tamper with other programs and data on the vulnerable system, and potentially
provide access to other systems on the affected machine's network. The flaw
relates to all Linux- and Unix-based versions of Sendmail 8 up to version
8.12.6, but not Microsoft Windows varieties of the open-source software, said
the Sendmail Consortium, which oversees the project. Affected products put out
by Sendmail Inc., which sells a commercial version, include Sendmail Switch,
Sentrion and Advanced Message Server, according to a company alert.
The Sendmail Consortium strongly urged open-source users to upgrade to version
8.13.6 of the software, which contains a fix and is available through its web
site.