about the latest developments in security every month
in Security Watch
Overflow in Solaris X Window Font Service
The Solaris X Window Font Service (XFS) daemon (fs.auto)
contains a buffer overflow vulnerability that could
allow an attacker to execute arbitrary code or cause
a denial of service. Exploitation of this vulnerability
can lead to arbitrary code execution on a vulnerable
The Solaris XFS serves font files to clients.
Sun describes the XFS service as follows: The X Font
Server is a simple TCP/IP-based service that serves
font files to its clients. Clients connect to the server
to request a font set, and the server reads the font
files off the disk and serves them to the clients. The
X Font Server daemon consists of a server binary /usr/openwin/bin/xfs.
The XFS daemon is installed and running by default on
all versions of the Solaris operating system. Note that
this vulnerability is in the X Window Font Server, and
not the file system of a similar name. A remote attacker
can execute arbitrary code with the privileges of the
fs.auto daemon (typically nobody) or cause a denial
of service by crashing the service.
Sun Microsystems Solaris 2.5.1/ 2.6 / 7 / 8 / 9 (Sparc/Intel)
Disable vulnerable service:
Until patches can be applied, you may wish to disable
the XFS daemon (fs.auto). As a best practice, it is
recommended disabling all services that are not explicitly
required. On a typical Solaris system, it should be
possible to disable the fs.auto daemon by commenting
out the relevant entries in /etc/inetd.conf and then
restarting the inetd process.
Block access to port 7100/TCP at your network perimeter.
Note that this will not protect vulnerable hosts within
your network perimeter.
NetBSD ships the xfs from XFree86, though it is not
on or used by default.
The Solaris X font server (xfs(1)) is affected in
the following versions:
The patches will be available from:
Heap Overflow Vulnerability in Microsoft Data Access
A vulnerability in the Microsoft Data Access Components
(MDAC) could lead to remote execution of code with the
privileges of the current process or user.
Microsoft Data Access Components (MDAC) is a collection
of utilities and routines to process requests between
databases and network applications. A buffer overflow
vulnerability exists in the Remote Data Services (RDS)
component of MDAC.
The RDS component provides an intermediary step for
a client's request for service from a back-end database
that enables the web site to apply business logic to
According to Microsoft's Security Bulletin MS02-065,
a routine in the RDS component, specifically the RDS
Data Stub function, contains an unchecked buffer. The
RDS Data Stub function's purpose is to parse incoming
HTTP requests and generate RDS commands. This unchecked
buffer could be exploited to cause a heap overflow.
There are two ways in which this vulnerability can be
exploited. By an attacker sending a malicious HTTP request
to a vulnerable service, such as an IIS server. If RDS
is enabled, the attacker can execute arbitrary code
as the IIS server. The other way to exploit this vulnerability
is a malicious web site hosting a page that exploits
the buffer overflow through a client application, such
as Internet Explorer. Most systems running Internet
Explorer on operating systems other than Windows XP
are vulnerable to this attack.
web servers and client applications that rely on MDAC
are affected. It is recommended that all users of Microsoft
Windows 98, Windows 98 SE, Windows ME, Windows NT 4.0,
and Windows 2000 apply the patch (Q329414). Windows
XP users are not affected since MDAC 2.7, the non-vulnerable
version, is installed by default.
All Microsoft Windows systems running the following:
Versions of MDAC prior to 2.7
Internet Explorer version 6/5.5/5.1
Microsoft Windows XP is shipped with MDAC version 2.7
and is not vulnerable by default even though Internet
Explorer 6.0 is installed.
A remote attacker could execute arbitrary code with
the privileges of the application that processed the
request. In the case of a web server or other service,
this is likely to be the system or another account with
elevated privileges. In the case of a client application,
this will be the account used to view the web page.
Microsoft has released a patch (Q329414) and a security
bulletin (MS02-065) to address this issue. An end-user
version of MS02-065 is available at:
According to the Microsoft advisory, a scenario exists
in by which a vulnerable version of the control may
be re-installed on a Windows system even after the patch
has been applied. This is due to the fact that the vulnerable
ActiveX control is signed by Microsoft and the patch
does not set the kill bit for the MDAC control.
Backdoor in OmniSwitch AOS
Alcatel recently discovered a serious vulnerability
in its AOS version 5.1.1. Exploitation of this vulnerability
can lead to full administrative control of the device
running AOS. AOS typically runs on network infrastructure
devices, such as the Alcatel OmniSwitch 7000 series
During an NMAP audit of the AOS 5.1.1 code that runs
on the Alcatel OmniSwitch 7700/7800 LAN switches, it
was determined a telnet server was listening on TCP
port number 6778. This was used during development to
access the Wind River Vx-Works operating system. Due
to an oversight, this access was not removed prior to
An attacker can gain full access to any device running
AOS version 5.1.1, which can result in, but is not limited
to, unauthorized access, unauthorized monitoring, information
leakage, or denial of service.
Alcatel OmniSwitch 7700/7800 switches running Alcatel
Operating System (AOS) version 5.1.1
Upgrade to AOS 5.1.1.R02 or AOS 5.1.1.R03
Block access to port 6778/TCP at your network perimeter.
SSH Secure Shell for Workstations has a buffer overflow
The Windows version of SSH Secure Shell for Workstations
contains a buffer overflow vulnerability that may allow
an attacker to execute arbitrary code.
The SSH Secure Shell for Workstations client includes
a URL handling feature that allows users to launch URLs
that appear in the terminal window. When the user clicks
on a URL, it will be launched using their default browser.
Versions 3.1 to 3.2.0 of this application contain a
buffer overflow vulnerability that is triggered when
the launched URL is approximately 500 characters or
greater in length. To exploit this vulnerability, an
attacker must supply a malicious URL to a terminal session
and convince the victim to launch it. This vulnerability
allows an attacker to execute arbitrary code by convincing
an unsuspecting user to click on a malicious URL.
SSH Communications Security
SSH Communications Security has addressed this vulnerability