BNET UK
silicon.com
ZDNet UK

Home
News
Blogs
Reviews
Videos
Jobs
Resources
Community

Leader
Comment
White Papers
Downloads
Special Reports

Hardware
Software
Communications
Internet
Security
IT Management
Emerging Tech
Leader

Group Blogs
News Blog
Post Room
Rupert's Diary

Hardware Reviews
Software Reviews
Editors' Choice
Buyer's Guides
Tech Guides
Competitions

Dialogue Box
Security threats
Server platforms
Mobile devices
Application development
Full video index

Articles
White Papers
Downloads
Companies
Broadband Speed Test

People
Competitions
Post Room
FAQ

You are here: ZDNet UK > News > IT Management

Industry watch Toolkit

Font flaw foils Solaris security

Tags:
Security,
Font,
Solaris,
Sun Microsystems

Published: 27 Nov 2002 08:53 GMT

A flaw in the software that handles fonts for the desktop interface on Solaris-based workstations and servers could leave the computers open to attack, security experts said late on Monday.

The vulnerability could give hackers and online vandals the ability to take control of Solaris-based systems, according to an advisory released by security software developer Internet Security Systems. Sun Microsystems spokesman Brett Smith confirmed that the company knew of the flaw.

"We are aware of the problem, and we are working on a patch," he said, adding that Sun had been working with ISS on a patch, but problems during testing had delayed the fix. "We are trying to get it up as soon as possible."

The flaw, a memory problem known as a buffer overflow, appears in the X Windows Font Server (XFS) software known as fs.auto, a key component of the Solaris desktop system. However, the problem doesn't just affect workstations, said Jay Dyson, senior security consultant with security software Web site Treachery Unlimited.

"The problem is that it comes turned on with default Solaris," he said. "And 90 percent of the people don't turn it off."

The flaw affects every version of the operating system from Solaris 2.5.1 to Solaris 9 on both Sun's Sparc and Intel's x86 architectures, ISS stated in its advisory. A representative from the Atlanta-based security company was not immediately available for comment.

ISS recommends that administrators turn off the Solaris font software unless it's absolutely necessary. On any computer that needs the software, the company recommends that administrators block the port to keep outside attackers from using the flaw to get control of a computer within the network. A port is a software data channel that applications use to communicate with other computers via a network.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.

Did you find this article useful?
29 out of 64 people found this useful

Share this article:
Digg
Slashdot
Del.ici.ous
Stumble
Reddit

Company/Topic Alerts

Create a new alert from the list below:

Flaw
Solaris
Security

Sun Microsystems
font

Most Recent
Most Popular

Discussions

juicecultus

The link provided is not working

Sunday 6 December 2009, 5:13 PM

1 comment

lezlow

when it comes with power supply you,ll...

Saturday 5 December 2009, 9:42 PM

3 comments

wecando.biz

Does BT understand Twitter? Contrastin...

Saturday 5 December 2009, 10:55 AM

3 comments

sgt101

Does BT understand Twitter? Contrastin...

Saturday 5 December 2009, 10:49 AM

3 comments

View All

Discussions

View All

Video

Install Flash Player plugin

Find out more: From The Labs: The first...

Salesforce demos Service Cloud 2
Just how safe is storage in the cloud?
Dialogue Box 7.7: A first look at USB 3.0

All videos
Most popular videos
Latest videos

Featured Talkback

In association with Network Liberation Movement

When all is said, if Microsoft produce the best product people will buy it and thats a good thing. If people have to buy their product because no one else can produce an alternative, only because interoperability protocols are kept secret, then thats a bad thing.