
Sun denies Unix flaw

by John Geralds in Silicon Valley

20 Nov 2001


A number of Unix vendors have been alerted to a security flaw, but Sun Microsystems is refusing to acknowledge that any problem exists.

Six vendors, including IBM, Hewlett-Packard and Sun, have been alerted to a vulnerability in software that ships with several Unix systems and could allow an attacker to take control of an affected system.

Internet Security Systems (ISS) identified the Unix vulnerability about a month ago, and the company warned that the serious weakness could be found in six Unix vendors' systems. ISS and CERT (Computer Emergency Response Team) issued an advisory about the problem.

While Caldera, Compaq and IBM said they had a patch for the problem, HP disagreed on the versions of its Unix flavour that needed the patch.

Sun said there wasn't a problem at all but that it would investigate further, and SGI said it had acknowledged the Common Desktop Environment (CDE) vulnerabilities and was currently investigating.

The affected software includes several versions of HP's HP-UX, IBM's AIX, Sun's Solaris, Caldera OpenUnix and UnixWare, and Compaq's Tru64 Unix.

"This vulnerability affecting CDE is, by default, on most Unix servers and desktops," said Dan Ingevaldson, who leads the ISS team that uncovers security vulnerabilities.

He said that no known hacker tool has been posted to exploit the flaw, but pointed out that the vulnerability is serious enough that ISS is urging companies running Unix systems from the six vendors to check with their vendors about patch availability.

According to an advisory from CERT, the vulnerability exists in a function used by the Common Desktop Environment (CDE). Because of an error in the way requests from clients are validated, an attacker could send crafted data and cause a buffer overflow.
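The request-validation error CERT describes is a classic missing bounds check. The following is an added illustration, not CDE's code: it uses a constructed wire format (a 2-byte big-endian length header followed by the payload), not the real CDE protocol. The unchecked handler trusts the client's length field when copying into a fixed server-side buffer; the checked handler bounds that length by the buffer size and by the bytes actually received before any copy happens.

```c
/* Added illustration, not CDE's code. The wire format is constructed for
 * this example: a 2-byte big-endian payload length, then the payload. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PAYLOAD_MAX 64   /* size of the server-side buffer */

enum req_status {
    REQ_OK = 0,
    REQ_TOO_SHORT = 1,       /* message shorter than the length header */
    REQ_LEN_EXCEEDS_BUF = 2, /* client claims more than the buffer holds */
    REQ_TRUNCATED = 3        /* claimed length larger than what was sent */
};

/* Vulnerable pattern: the copy length comes from the client and is never
 * compared with the destination buffer, so a claimed length above
 * PAYLOAD_MAX writes past 'out'. Shown only to locate the defect. */
int handle_unchecked(const unsigned char *msg, size_t msglen,
                     char out[PAYLOAD_MAX])
{
    if (msglen < 2)
        return REQ_TOO_SHORT;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    memcpy(out, msg + 2, claimed);   /* no bound on 'claimed' */
    return REQ_OK;
}

/* Hardened version: bound the client-supplied length by our own buffer
 * and by the bytes actually received before copying anything. */
int handle_checked(const unsigned char *msg, size_t msglen,
                   char out[PAYLOAD_MAX], size_t *outlen)
{
    if (msglen < 2)
        return REQ_TOO_SHORT;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > PAYLOAD_MAX)
        return REQ_LEN_EXCEEDS_BUF;
    if (msglen - 2 < claimed)
        return REQ_TRUNCATED;
    memcpy(out, msg + 2, claimed);
    *outlen = claimed;
    return REQ_OK;
}

/* Runs the checked handler over one constructed request. */
static int run_sample(const unsigned char *msg, size_t msglen, size_t *outlen)
{
    char out[PAYLOAD_MAX];
    return handle_checked(msg, msglen, out, outlen);
}

/* Constructed sample requests (not captured traffic). */
int sample_benign(void)
{
    /* header says 5 bytes, payload "hello" */
    static const unsigned char m[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    size_t n = 0;
    return run_sample(m, sizeof m, &n);
}

int sample_oversized_claim(void)
{
    /* header claims 0x1000 bytes, far more than PAYLOAD_MAX */
    static const unsigned char m[] = { 0x10, 0x00, 'x', 'x', 'x' };
    size_t n = 0;
    return run_sample(m, sizeof m, &n);
}

int sample_truncated(void)
{
    /* header claims 10 bytes but only 3 follow */
    static const unsigned char m[] = { 0x00, 0x0a, 'a', 'b', 'c' };
    size_t n = 0;
    return run_sample(m, sizeof m, &n);
}

int main(void)
{
    char out[PAYLOAD_MAX];
    static const unsigned char benign[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    /* the unchecked handler is only ever given a well-formed request here */
    handle_unchecked(benign, sizeof benign, out);
    printf("benign: %d  oversized: %d  truncated: %d\n",
           sample_benign(), sample_oversized_claim(), sample_truncated());
    return 0;
}
```

The only difference between the two handlers is the pair of comparisons before `memcpy`; the first rejects a claimed length the buffer cannot hold, the second rejects a header that promises more bytes than the client actually sent, which otherwise becomes an over-read.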

CERT said many common Unix and Linux systems ship with CDE installed and enabled by default. Some Unix vendors have provided information, which is available at CERT's website.

CERT advised that until patches were available, users could lessen their exposure by limiting or blocking access to the Subprocess Control Services from untrusted networks.

Connect with V3.co.uk