CERT Warns of Solaris Font Flaw
Download the authoritative guide: Data Center Guide: Optimizing Your Data Center Strategy
Download the authoritative guide: Cloud Computing: Using the Cloud for Competitive Advantage
A buffer overflow in the X Window Font System on Sun's Solaris operating system can could let an attacker execute code or cause a denial-of-service (DoS) attack, according to a warning from the CERT Coordination Center. Sun Wednesday confirmed the security flaw in its X Window Font System and offered a workaround until a comprehensive patch can be issued.
The security flaws affect versions 2.5.1, 2.6, 7 and 8 (Sparc and Intel platforms) and version 9 (Sparc only). CERT urged that the fs.auto daemon be disabled until patches can be applied.
The flaw was found in Sun's Solaris X Window Font Service (XFS), which serves font files to users. The XFS daemon (fs.auto), which ships with Solaris and included in some other operating systems, contains the bug that could let a remote attacker execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial-of-service by crashing the service.
Sun issued a security bulletin of its won, confirming the security flaw and offered a workaround until a comprehensive patch can be issued.
Sun joined CERT in urging clients to disable the XFS daemon as a temporary security measure. It said users should also block access to port 7100/TCP on firewalls to guard against possible external, but not internal, exploitation on the flaw.
The release of the vulnerability without a vendor fix continues to cause controversy among security consultants who argue that vendors aren't being given enough time to react to security holes found by third-party firms.
In this case, one expert explained, the Solaris flaw was detected by the Internet Security Systems (ISS) X-Serve unit and released before a comprehensive fix was made available.
The ISS said Sun confirmed patches would be made available on November 25 to coincide with the release of its advisory but sun "rescheduled the patch release" after the bulletin was published. ISS notified Sun of the vulnerability on November 16.
Criticisms have dogged ISS in the past for jumping the gun and releasing software flaws before a company can work on patches.
IT Solutions Builder TOP IT RESOURCES TO MOVE YOUR BUSINESS FORWARD
Which topic are you interested in?
What is your company size?
What is your job title?
What is your job function?
Searching our resource database to find your matches...