| A buffer overflow in the X Window Font System on Sun's Solaris operating
system can could let an attacker execute code or cause a denial-of-service
(DoS) attack, according to a warning from the
CERT Coordination Center.
The security flaws affect versions 2.5.1, 2.6, 7 and 8 (Sparc and Intel platforms) and version 9 (Sparc only) and CERT urged that the fs.auto daemon
be disabled until patches can be applied.
The flaw was found in Sun's Solaris X Window Font
Service (XFS), which serves font files to users. The XFS daemon (fs.auto),
which ships with Solaris and included in some other operating systems,
contains the bug that could let a remote attacker execute arbitrary code
with the privileges of the fs.auto daemon (typically nobody) or cause a
denial-of-service by crashing the service.
Sun issued a security bulletin of its won, confirming the security flaw and offered a
workaround until a comprehensive patch can be issued.
News for Developers of Internet and Corporate Applications::
Developer News. Mozilla 1.2 Spreads Its Wings - 11/27/2002 W3C Changes European Address - 11/27/2002 CERT Warns of Solaris Font Flaw - 11/27/2002
http://news.earthweb.com/dev-news/archives.php/200211HOME |
Software | CyberInsecure.com - Part 2::
This flaw affects Opera for Microsoft Windows, Linux, FreeBSD and Solaris. 5. ( less severe): When insecure pages load content from secure sites into a frame
http://cyberinsecure.com/category/software/page/2/HOME |
Sun joined CERT in urging clients to disable the XFS daemon as a temporary
security measure. It said users should also block access to port 7100/TCP on
firewalls to guard against possible external, but not internal, exploitation
on the flaw.
The release of the vulnerability without a vendor fix continues to cause
controversy among security consultants who argue that vendors aren't being
given enough time to react to security holes found by third-party firms.
Welcome to PhyAdmin::
The Computer Emergency Response Team (CERT) is warning of an increase in .. * SOLARIS FLAW GIVES ROOT By Shawna McAlearney A hacker group Tuesday released
http://www.ph.utexas.edu/~PhyAdmin/motd.htmlHOME |
Latest changes in Java Topics::
With 1.3.1 we got 4GB heaps on Solaris, why can't I get this to work on Windows? World’s first SCBCD certification exam simulator launched by Whizlabs
http://www.javafaq.nu/topics.htmlHOME |
In this case, one expert explained, the Solaris flaw was detected by the Internet Security Systems (ISS) X-Serve unit and
released before a comprehensive fix was made available.
The ISS said Sun confirmed patches would be made available on November 25 to
coincide with the release of its advisory but sun "rescheduled the patch
release" after the bulletin was published. ISS notified Sun of the
vulnerability on November 16.
Criticisms have dogged ISS in the past for jumping the gun and releasing
software flaws before a company can work on patches.
 W3C Changes European Address
 A Holey Reality |
HOME
PRINT
Add to favorites