A security hole in software used by numerous operating systems
could allow attackers to run malicious programs or cause
denial-of-service problems on unprotected servers.
Developers at the Massachusetts Institute of Technology have
identified a number of operating systems affected by the
vulnerability.
These include the Unix operating systems from companies such as Sun
Microsystems and IBM, as well as Red Hat's versions of Linux and
Apple Computer's Mac OS X Server software.
Microsoft and Hewlett-Packard have said they are investigating
whether their operating systems are at risk.
Jeff Havrilla, a member of the CERT Coordination Center at Carnegie
Mellon University, said, "The problem is large enough that pretty
much every single major operating system vendor has reported being
affected by it."
The vulnerability involves a communication protocol that was
developed by Sun and is based on its SunRPC remote procedure call
technology. The flaw exists in a program function distributed as
part of an External Data Representation (XDR) library that's used
by Sun and other vendors to provide platform-independent methods
for sending data between disparate systems.
The problem was first publicised by Internet Security Systems
(ISS), an Atlanta-based security software vendor that posted an
advisory on its Web site late last month. ISS said it had found Sun
Solaris and the open-source FreeBSD and OpenBSD versions of Unix to
be vulnerable to the hole.
CERT followed with its advisory last week and broadened the warning
to include other vendors, as well as popular applications that are
compiled using the flawed library. Those include MIT's Kerberos 5
software, the DMI Service Provider daemon for remote desktop
management and the Common Desktop Environment's Calendar Manager
service.
According to the security research organisation, the vulnerability
is caused by an integer overflow in the XDR code that can result in
improper memory allocations. Attackers could take advantage of the
flaw to cause buffer overflows that would let them execute code on
systems, CERT said.
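
An added illustration of the bug class CERT describes, not code from any vendor's XDR library: an element count read from the wire is multiplied by an element size in 32-bit arithmetic, and the checked version rejects counts that would wrap or exceed the bytes actually received. The function names and the message layout (a 4-byte big-endian count followed by fixed-size elements) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers for illustration; names and layout are assumptions. */

/* Flawed pattern: the product wraps modulo 2^32, so a huge count can
 * yield a tiny allocation size that later element copies overrun. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Hardened pattern: refuse if the product would wrap or exceeds 'avail'. */
int checked_alloc_size(uint32_t count, uint32_t elsize, uint32_t avail, uint32_t *out)
{
    if (elsize == 0 || count > UINT32_MAX / elsize) return -1;
    if (count * elsize > avail) return -1;
    *out = count * elsize;
    return 0;
}

/* Decode an array: 4-byte big-endian count, then count elements of elsize bytes.
 * Returns a heap copy of the elements, or NULL if the message is rejected. */
void *decode_array(const uint8_t *msg, size_t msglen, uint32_t elsize, uint32_t *count_out)
{
    uint32_t count, need;
    if (msglen < 4 || msglen - 4 > UINT32_MAX) return NULL;
    count = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
            ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
    if (checked_alloc_size(count, elsize, (uint32_t)(msglen - 4), &need) != 0) return NULL;
    void *buf = malloc(need ? need : 1);
    if (buf == NULL) return NULL;
    memcpy(buf, msg + 4, need);
    *count_out = count;
    return buf;
}

int main(void)
{
    /* Constructed sample message: count 0x40000001, only 8 payload bytes. */
    const uint8_t bad[] = {0x40, 0, 0, 1, 1, 2, 3, 4, 5, 6, 7, 8};
    uint32_t n = 0;
    printf("unchecked size: %u\n", (unsigned)unchecked_alloc_size(0x40000001u, 4));
    printf("decoder accepts: %s\n", decode_array(bad, sizeof bad, 4, &n) ? "yes" : "no");
    return 0;
}
```
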
Until patches become available from vendors, Havrilla said, users
could reduce the risk of exposure by disabling the affected
services where possible.