Security flaw hits Windows, Mac, Linux
ZDNet
August 7, 2002, 6:03 AM PT
Matthew Broersma
Posted on 08/07/2002 10:51:51 AM PDT by HAL9000
Security researchers have warned of a flaw in communications software that could allow attackers to take over computers running Windows, Unix-based operating systems and Mac OS X, as well as Kerberos authentication systems. The problem is widespread because it affects some implementations of the XDR (external data representation) library, a machine-independent encoding used by many applications to exchange data between processes, including between machines of different architectures. The affected libraries are derived from Sun Microsystems' SunRPC remote procedure call technology, which has been taken up by many vendors.
The CERT Coordination Center (CERT/CC), a security response organisation based at Carnegie Mellon University, warned on Tuesday that systems using the affected code should immediately apply patches or disable the affected services.
A function in Sun's XDR library, xdr_array(), contains an integer overflow that can lead to buffer overflows, according to CERT security researchers Jeffrey Havrilla and Cory Cohen. The function multiplies an attacker-supplied element count by the element size to decide how much memory to allocate; when that product wraps, the allocation is far smaller than the data later copied into it. These buffer overflows can allow an attacker to crash the system, execute malicious code or steal sensitive information, Havrilla and Cohen said.
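The bug class the article describes, as an added example that is neither the article's nor Sun's code. It models the size computation a decoder like xdr_array() performs: read a 4-byte big-endian element count, multiply by the element size, allocate. The function names, the constructed wire headers and the element size of 4 are assumptions for illustration; the arithmetic is done in uint32_t so the 32-bit wrap-around is reproduced even on a 64-bit host, and nothing is actually written to the heap.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* XDR encodes an array as a 4-byte big-endian element count followed by the
 * elements. A decoder multiplies that count by the element size to choose an
 * allocation; if the product is computed in 32 bits it can wrap to a small
 * number while the element loop still trusts the full count. */

/* Decode one XDR unsigned int (big-endian, 4 bytes). */
uint32_t xdr_get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable computation (hypothetical model of the bug class, not Sun's
 * source): 32-bit product with no wrap-around check. */
uint32_t node_size_unchecked(uint32_t count, uint32_t elsize) {
    return count * elsize;            /* wraps modulo 2^32 */
}

/* Hardened computation: returns the byte size, or -1 if count * elsize
 * cannot be represented in 32 bits. */
int64_t node_size_checked(uint32_t count, uint32_t elsize) {
    if (elsize == 0)
        return 0;                     /* nothing to multiply */
    if (count > UINT32_MAX / elsize)
        return -1;                    /* product would wrap */
    return (int64_t)count * elsize;
}

typedef struct {
    uint32_t count;        /* element count read from the wire */
    uint32_t allocated;    /* bytes the unchecked path would malloc */
    uint64_t needed;       /* bytes the element loop would actually write */
    bool undersized;       /* allocated < needed: heap overflow */
    bool rejected;         /* hardened path refused the count */
} array_header;

/* Simulate decoding an array header from a wire buffer for elements of
 * elsize bytes, without touching any real heap memory. */
array_header decode_array_header(const uint8_t *wire, uint32_t elsize) {
    array_header h;
    h.count      = xdr_get_u32(wire);
    h.allocated  = node_size_unchecked(h.count, elsize);
    h.needed     = (uint64_t)h.count * elsize;
    h.undersized = h.allocated < h.needed;
    h.rejected   = node_size_checked(h.count, elsize) < 0;
    return h;
}

/* Constructed sample headers (not captured traffic). */
static const uint8_t benign_hdr[4]  = {0x00, 0x00, 0x00, 0x03}; /* 3 elements */
static const uint8_t hostile_hdr[4] = {0x40, 0x00, 0x00, 0x01}; /* 0x40000001 */

int main(void) {
    const uint32_t elsize = 4;  /* assumed: an array of 32-bit ints */
    array_header b = decode_array_header(benign_hdr, elsize);
    array_header e = decode_array_header(hostile_hdr, elsize);
    printf("benign:  count=%u alloc=%u needed=%llu undersized=%d rejected=%d\n",
           b.count, b.allocated, (unsigned long long)b.needed,
           b.undersized, b.rejected);
    printf("hostile: count=%u alloc=%u needed=%llu undersized=%d rejected=%d\n",
           e.count, e.allocated, (unsigned long long)e.needed,
           e.undersized, e.rejected);
    return 0;
}
```

With the hostile header, 0x40000001 elements of 4 bytes multiply to 0x100000004, which wraps to 4: the unchecked path would allocate a 4-byte buffer and then try to fill it with about 4 GB of decoded elements, while the checked path rejects the count because it exceeds UINT32_MAX / elsize. The division-based check is the standard idiom because it cannot itself overflow.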
The problem also affects the administration system of Kerberos 5, a widely-used authentication tool, which could allow attackers to gain control of Kerberos Key Distribution Center authentication functions. This could allow an attacker to gain false authentication with other services. Kerberos is included in Windows 2000.
The MIT Kerberos development team issued a warning and patch on its Web site.
Apple Computer confirmed that its Mac OS X operating system contains the vulnerability, which has been fixed through a recent security update, available through the software's automatic update mechanism.
Several vendors of Unix and Unix-like operating systems, including Red Hat, Debian, FreeBSD, Sun and NetBSD said that their software was affected by the issue, and issued fixes. HP said it was investigating the bug's impact.
Microsoft said it is still investigating how Windows is affected by the problem.
The relevant patches are available from the companies' Web sites, or through the CERT advisory on its Web site.
TOPICS: Technical
KEYWORDS: kerberos; linux; macosx; macuserlist; microsoft; rpc; security; techindex; unix; windows
Since the vulnerability affects several systems, it is a good test case to determine which companies have the best response time to security issues.
1 | posted on 08/07/2002 10:51:51 AM PDT by HAL9000
To: HAL9000
Surprise, surprise. Everyone except Microsoft and HP has a patch ready to go, while MS and HP are stalling for time, as per their MO.
Sheesh...
2 | posted on 08/07/2002 10:54:23 AM PDT by WyldKard
To: WyldKard
And for those of us that have OS X, the security update is a done deal and automatic.
3 | posted on 08/07/2002 10:58:34 AM PDT by SeaDragon
To: *tech_index; *Macuser_list; *Microsoft
To: HAL9000
Have Sun's RPCs ever been considered safe?
To: SeaDragon
And for those of us that have OS X, the security update is a done deal and automatic.
Yeah, we got that patch last Friday. Windows users can just eat cake while hackers have a field day on their CPUs.
So happy I am not trusting my systems to Bill Gates.
6 | posted on 08/07/2002 12:13:21 PM PDT by toupsie
To: rdb3
one for the penguin ping...
7 | posted on 08/07/2002 12:21:21 PM PDT by jae471
To: SeaDragon
Yep. Just got it night before last.
Wondered what that was all about...
To: toupsie
So happy I am not trusting my systems to Bill Gates.
Isn't that the truth? I did, for many years, but no more.
9 | posted on 08/07/2002 1:00:06 PM PDT by SeaDragon
To: general_re
Heck no. Or was that a rhetorical question?
To: HAL9000
Bump.
To: B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; A. Morgan; ...
The Penguin Ping. Want on or off? Just holla!
Got root?
12 | posted on 08/07/2002 2:18:23 PM PDT by rdb3
To: general_re
Have Sun's RPCs ever been considered safe?
Not by me. :-P
13 | posted on 08/07/2002 2:27:28 PM PDT by B Knotts
To: toupsie
Yeah, we got that patch last Friday. Windows users can just eat cake while hackers have a field day on their CPUs.
Tell us, Brainiac, how Windows is affected.
14 | posted on 08/07/2002 2:42:35 PM PDT by Bush2000
To: Bush2000
The problem also affects the administration system of Kerberos 5, a widely-used authentication tool, which could allow attackers to gain control of Kerberos Key Distribution Center authentication functions. This could allow an attacker to gain false authentication with other services. Kerberos is included in Windows 2000.
15 | posted on 08/07/2002 2:47:21 PM PDT by Campion
To: general_re; B Knotts
RPC: I see 73 vulnerability notes on it mentioned on CERT.
Hasn't anyone read the disclaimer? </sarcasm>
People have too high expectations about this overused old code.
Here is an interestingly suggestive note from XML.com for example:
XML-RPC provides no security provisions. This may sound like a shortcoming, but in many respects it is an advantage. Since XML-RPC does not mandate any security protocol, Zope's normal security policies work just fine with XML-RPC.
I.e., you are on your own.
To: SeaDragon
And those of us who stuck with 9.x just won't worry about anything.
17 | posted on 08/07/2002 5:25:28 PM PDT by Tribune7
To: Campion
The problem also affects the administration system of Kerberos 5, a widely-used authentication tool, which could allow attackers to gain control of Kerberos Key Distribution Center authentication functions. This could allow an attacker to gain false authentication with other services. Kerberos is included in Windows 2000.
Sorry, dude: Windows 2000 Kerberos code isn't derived from Sun's libraries. Try again.
18 | posted on 08/07/2002 6:45:10 PM PDT by Bush2000
To: Tribune7
And those of us who stuck with 9.x just won't worry about anything.
This is true also. I am a recent convert, so I never worked in 9.x. I started out in OS X, so that is where I am. I left Windows and never looked back.
To: Bush2000
From the article:
Microsoft said it is still investigating how Windows is affected by the problem.
What do they know that you don't know? Their track record is the same as yours: defend their crappy product at all costs and with any methods, including telling bald-faced lies.
But in this case, even the Gates propaganda machine won't claim victory without a thorough investigation. Yet here you are, as usual defending their crappy product right from the get go.
Now I've seen everything.. your mindless zealotry exceeds even theirs!