Software flaw puts multiple operating systems at risk


A security hole in software used by numerous operating systems could allow attackers to run malicious programs or cause denial-of-service problems on unprotected servers.

Developers at the Massachusetts Institute of Technology have identified a number of operating systems affected by the vulnerability.

These include the Unix operating systems from companies such as Sun Microsystems and IBM, as well as Red Hat's versions of Linux and Apple Computer's Mac OS X Server software.

Microsoft and Hewlett-Packard have said they are investigating whether their operating systems are at risk.

Jeff Havrilla, a member of the CERT Coordination Center at Carnegie Mellon University, said, "The problem is large enough that pretty much every single major operating system vendor has reported being affected by it."

The vulnerability involves a communication protocol that was developed by Sun and is based on its SunRPC remote procedure call technology. The flaw exists in a program function distributed as part of an External Data Representation (XDR) library that's used by Sun and other vendors to provide platform-independent methods for sending data between disparate systems.

The problem was first publicised by Internet Security Systems (ISS), an Atlanta-based security software vendor that posted an advisory on its Web site late last month. ISS said it had found Sun Solaris and the open-source FreeBSD and OpenBSD versions of Unix to be affected by the flaw.

CERT followed with its advisory last week and broadened the warning to include other vendors, as well as popular applications that are compiled using the flawed library. Those include MIT's Kerberos 5 software, the DMI Service Provider daemon for remote desktop management and the Common Desktop Environment's Calendar Manager service.

According to the security research organisation, the vulnerability is caused by an integer overflow in the XDR code that can result in improper memory allocations. Attackers could take advantage of the flaw to cause buffer overflows that would let them execute code on systems, CERT said.
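The allocation-sizing pattern CERT describes, shown as an added example that is not code from the article or from any vendor's XDR library: a 32-bit element count multiplied by the element size wraps to a tiny value, so a decoder that trusts the product allocates far less than it later copies. The function names (naive_array_bytes, checked_array_bytes, decode_array_checked) are hypothetical; the checked variant shows the bound a hardened decoder enforces before allocating.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of an XDR-style array decoder sizing its buffer from a
 * count taken off the wire. Not the real library code. */

/* Unsafe pattern: the 32-bit product silently wraps modulo 2^32 when the
 * true product exceeds UINT32_MAX, yielding an undersized allocation. */
uint32_t naive_array_bytes(uint32_t count, uint32_t elsize) {
    return count * elsize;
}

/* Hardened pattern: refuse any count whose product would not fit in 32 bits.
 * Returns false on overflow; on success writes the exact byte count. */
bool checked_array_bytes(uint32_t count, uint32_t elsize, uint32_t *out) {
    if (elsize == 0) { *out = 0; return true; }
    if (count > UINT32_MAX / elsize) return false;   /* would overflow */
    *out = count * elsize;
    return true;
}

/* Decode step as a hardened decoder would perform it. avail is the number of
 * bytes actually remaining in the received message.
 * Returns 0 to accept, -1 if the size computation overflows, -2 if the
 * message is shorter than the array it claims to carry. */
int decode_array_checked(uint32_t count, uint32_t elsize, size_t avail) {
    uint32_t bytes;
    if (!checked_array_bytes(count, elsize, &bytes)) return -1;
    if ((size_t)bytes > avail) return -2;
    return 0;
}

int main(void) {
    /* Constructed input: a count chosen so count*4 exceeds 32 bits. */
    uint32_t count = 0x40000001u, elsize = 4, bytes;
    printf("naive size:   %u bytes\n", naive_array_bytes(count, elsize));
    printf("checked size: %s\n",
           checked_array_bytes(count, elsize, &bytes) ? "accepted" : "rejected");
    printf("decode:       %d\n", decode_array_checked(count, elsize, 1024));
    return 0;
}
```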

Until patches become available from vendors, Havrilla said, users could reduce the risk of exposure by disabling the affected services where possible.
