Experts warn of buffer overflow flaw in Solaris

A vulnerability in Solaris puts systems running the Sun Microsystems Inc. operating system at risk of being taken over by an attacker, experts warned late Monday.

A buffer overflow flaw lies in Sun’s implementation of the X Windows Font Service (XFS), which serves font files to clients and runs by default on all versions of Solaris, according to advisories issued by Internet Security Systems Inc. (ISS) and the Computer Emergency Response Team/Coordination Center (CERT/CC).

By formulating a specific XFS query, remote attackers can either crash the service or run arbitrary code with the privileges of the “nobody user.” This privilege level is limited and similar to a normal user. However, after gaining access an attacker could use privilege escalation flaws to attain root status, the highest privilege level, ISS said.

The XFS service ( uses a high TCP (Transmission Control Protocol) port, which mitigates the risk as such ports are typically blocked by firewalls, preventing an attack from the public Internet, Gunter Ollmann, manager of X-Force Security Assessment Services at ISS in London said.

“Normally this service would not be available over the Internet because it would be protected by a firewall, but internally this service is commonly available,” he said.

The vulnerable service exposed on a corporate network makes an attack from the inside possible, but can also facilitate an attacker on the outside, Ollmann noted. Should a host that is accessible from the Internet get compromised, an attacker could cascade his attacks and gain access to a Solaris machine by exploiting the XFS vulnerability, he said.

Sun told ISS and the CERT/CC that it is working on a software update. Meanwhile, ISS advises users to disable XFS unless it is explicitly required and investigate firewall settings.

The ISS X-Force advisory is at:

The CERT/CC advisory is at:

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now