Font flaw foils Solaris security

A flaw in the software that handles fonts for the desktop interface on Solaris-based workstations and servers could leave the computers open to attack, according to security experts.

The vulnerability could give hackers and online vandals the ability to take control of Solaris-based systems, stated an advisory released late Monday by security software developer Internet Security Systems. Sun Microsystems' spokesman Brett Smith confirmed that the company knew of the flaw.

"We are aware of the problem, and we are working on a patch," he said, adding that Sun had been working with ISS on a patch, but problems during testing had delayed the fix. "We are trying to get it up as soon as possible."

The flaw, a memory problem known as a buffer overflow, appears in the X Windows Font Server (XFS) software known as fs.auto, a key component of the Solaris desktop system. However, the problem doesn't just affect workstations, said Jay Dyson, senior security consultant with security software Web site Treachery Unlimited.

"The problem is that it comes turned on with default Solaris," he said. "And 90 percent of the people don't turn it off."

The flaw affects every version of the operating system from Solaris 2.5.1 to Solaris 9 on both Sun's Sparc and Intel's x86 architectures, stated ISS in its advisory. A representative from the US-based security company was not immediately available.

ISS recommends that administrators turn off the Solaris font server software unless it is absolutely necessary. On any computer that needs the software, the company recommends that administrators block the port to keep outside attackers from using the flaw to get control of a computer within the network. A port is a software data channel that applications use to communicate with other computers via a network.
