Dyad Securit on Wednesday posted an advisory about a potentially serious flaw in the open-source scripting language Perl but some security experts say they find the vulnerability unlikely.
Dyad's warning regards a vulnerability that could be exploited to launch a DOS (denial of service) attack. But Dyad also said that the vulnerability could be used by an attacker to access a server and then launch a malicious application.
Researchers at other security firms have tried to test the vulnerability but have only been able to confirm the DOS potential.
Thomas Kristensen, Secunia's chief technology officer, and his team tested the vulnerability on many versions of Perl and didn't find the potential for an attacker to launch malicious code. "While we don't rule out that there is a possibility that it could be exploited more, we need more details to see if it's true," he said. "It's difficult to say that we tested the right version." The original Dyad advisory doesn't specify which version of Perl contains the vulnerability. In addition, the vulnerability might only be present when certain applications use Perl in a specific way, Kristensen said.
Kristensen also pointed to a posting from HD Moore, a well-known security expert and one of the founders of security firm Digital Defense Inc., to the Full-disclosure security mailing list. Moore also tested the vulnerability, though on just one version of Perl, and wasn't able to exploit it.
There are two applications that are known to be susceptible to the DOS vulnerability and they have changed the way that they use Perl to prevent it, said Kristensen. "As far as we know, there's no update for Perl at the moment," he said. The applications are Webmin, a Web-based administration tool for configuring certain operating systems, and Usermin, a stripped-down version of Webmin.