Security flaw puts e-mail at risk
Fixes for the vulnerability are available, free of charge, at Sendmail's Web site by applying a patch or upgrading to the latest version of Sendmail.
SEATTLE, Washington (Reuters) -- The most widely used program for transferring e-mail between computer networks has a security flaw that could allow attackers to disrupt the flow of e-mail and intercept messages, the program's developer said Monday.
The security flaw does not directly affect desktop personal computers but puts e-mail and information sent over the Internet at risk, privately held Sendmail Inc. of Emeryville, California and Internet security provider Internet Security Systems Inc. said in a joint statement. Atlanta-based ISS said that Sendmail, which is estimated to handle as much as three-quarters of all Internet e-mail traffic, has a flaw that could allow attackers to gain top-level access to e-mail servers to stop e-mail traffic and read messages.
The companies said that it did not appear that the flaw had been exploited by hackers to date.
The flaw in Sendmail also makes it vulnerable to high volumes of data traffic, which could allow a malicious worm program to propagate and slow down global Web traffic, much like the "SQL Slammer" attack that slowed Internet traffic worldwide in late January.
ISS said in a statement that the vulnerability is "especially dangerous" because an attacker doesn't need any specific knowledge of the target and can exploit the flaw via an e-mail message.
All commercial versions of Sendmail, as well as open-source versions from 5.79 and above, are vulnerable, the companies said. Any Sendmail programs based on open source, which can be copied and modified freely, are also at risk.
Copyright 2003 Reuters. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.