Reykjavik-based Men & Mice tested the DNS systems for the Web sites of Fortune 1000 companies and random .com domains at set dates after the alerts were released. The results were made public on the company's site. The Computer Emergency Response Team (CERT) at Carnegie Mellon University, meanwhile, said this week that it has begun receiving reports of BIND (Berkeley Internet Name Domain) holes being successfully exploited.
BIND, distributed free by the Internet Software Consortium (ISC), is software run by companies and ISPs (Internet service providers) to translate text-based Internet addresses into numbered IP (Internet Protocol) addresses. Versions including both 4.9.x prior to 4.9.8 and 8.2.x are not secure, according to the CERT.
The day after the CERT and Network Associates' PGP security subsidiary sent out the warnings, 33.3 per cent of Fortune 1000 sites were using a bad version of BIND and 40.27 per cent of .coms were vulnerable. A week later, the figures were down to 17.4 per cent and 16.73 per cent, respectively, Men & Mice said.
After the big drop, which Men & Mice attributed to the "extensive media coverage" about the issue, the pace of companies updating DNS software fell off sharply. The latest tests, run on 21 February, showed that 12.4 per cent of Fortune 1000 companies and 13.1 per cent of dot-coms were still using insecure DNS software.
Men & Mice ran a similar test for DNS software used in the national domains of Germany (.de) and Switzerland (.ch) and the UK's commercial domain (.co.uk). Software for those domains was updated, but 15.29 per cent of DNS servers in Germany, 11.54 per cent in Switzerland and 9.8 per cent of the UK's commercial domain remained vulnerable as of 21 February.
A patch to fix the problem is available on ISC's Web site, http://www.isc.org/.