November 26, 2002 1:22 PM PST

Font flaw foils Solaris security

A flaw in the software that handles fonts for the desktop interface on Solaris-based workstations and servers could leave the computers open to attack, security experts said late Monday.

The vulnerability could give hackers and online vandals the ability to take control of Solaris-based systems, according to an advisory released late Monday by security software developer Internet Security Systems. Sun Microsystems spokesman Brett Smith confirmed that the company knew of the flaw.

"We are aware of the problem, and we are working on a patch," he said, adding that Sun had been working with ISS on a patch, but problems during testing had delayed the fix. "We are trying to get it up as soon as possible."

The flaw, a memory problem known as a buffer overflow, appears in the X Windows Font Server (XFS) software known as fs.auto, a key component of the Solaris desktop system. However, the problem doesn't just affect workstations, said Jay Dyson, senior security consultant with security software Web site Treachery Unlimited.

"The problem is that it comes turned on with default Solaris," he said. "And 90 percent of the people don't turn it off."

The flaw affects every version of the operating system from Solaris 2.5.1 to Solaris 9 on both Sun's Sparc and Intel's x86 architectures, ISS stated in its advisory. A representative from the Atlanta-based security company was not immediately available for comment.

ISS recommends that administrators turn off the Solaris font software unless it's absolutely necessary. On any computer that needs the software, the company recommends that administrators block the port to keep outside attackers from using the flaw to get control of a computer within the network. A port is a software data channel that applications use to communicate with other computers via a network.
