Internet security researchers have discovered a serious flaw in versions of the widely-used Sendmail open-source e-mail software.
The flaw could allow remote attackers to take control of users’ PCs. To exploit it, attackers would have to send malicious code to an SMTP mail server at carefully planned time intervals.
Alerts for the flaw have been issued by ISS, the French Security Incident Response Team (FrSIRT), and Symantec.
Such an attack could be used to intercept mail, tamper with other programs and data, and gain access to other systems on the network.
The flaw affects all Linux- and Unix-based versions of Sendmail 8 up to version 8.13.5. It does not affect versions written for Microsoft Windows.
Sendmail products hit by the bug include Sendmail Switch, Sentrion and Advanced Message Server.
The Sendmail Consortium estimates that its software handles 70% of the world’s e-mail messages. The fact that the flaw doesn’t affect Windows versions of the software will help to curtail the threat.
The Sendmail Consortium urged users to upgrade to version 8.13.6 of the software, which contains a fix for the problem.