Slashdot Mirror


Security Bug Doesn't Discriminate

An anonymous reader writes: "Despite all the fuss about Microsoft's booth at LinuxWorld next week, a security bug doesn't seem to care about the difference between open- and closed-source systems. The bug, found in a code library included in several popular applications, affects Windows 2000, Solaris, Mac OS X, and Linux, reports eWeek's Dennis Fisher."

5 of 28 comments

  1. Re:There is a difference ..... by Van+Halen · Score: 3, Informative
    According to the CERT advisory, the following (among others) have already released patches:

    Apple (Mac OS X)
    Debian (partial fix)
    Glibc
    MIT Kerberos
    NetBSD

    The following have not:

    HP
    IBM
    Microsoft
    RedHat
    SGI
    Sun

    It may be interesting to see how quickly members of the second group catch up.

  2. calloc() vuln by m0rph3us0 · Score: 3, Informative

    I believe this XDR vulnerability stems from a more serious problem in most implementations of calloc().
    The problem is created when the size of the ADT * numElements > a machine word.
    I'm paraphrasing from this advisory on bugtraq.
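
The size calculation described in the comment above, as an added example that is not part of the original thread or of the advisory it mentions: the element count times the element size wraps around a machine word, so the allocation is far smaller than the caller assumes. The names `naive_alloc_size`, `mul_overflows` and `checked_calloc` are hypothetical, and the input values are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Size a naive calloc() would request: the product is reduced modulo
 * SIZE_MAX + 1, so a huge count can yield a tiny allocation. */
size_t naive_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;            /* unsigned wraparound, no check */
}

/* Returns 1 if nmemb * size does not fit in size_t, else 0. */
int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Hypothetical hardened wrapper: refuse the request instead of
 * returning a buffer smaller than the caller believes it got. */
void *checked_calloc(size_t nmemb, size_t size)
{
    void *p;

    if (mul_overflows(nmemb, size))
        return NULL;
    p = malloc(nmemb * size);
    if (p != NULL)
        memset(p, 0, nmemb * size);
    return p;
}

int main(void)
{
    /* Constructed input: an element count as it might arrive in a
     * decoded length field, with 8-byte elements. */
    size_t count = SIZE_MAX / 8 + 2;
    void *p = checked_calloc(count, 8);   /* rejected: NULL */
    void *q = checked_calloc(16, 8);      /* accepted: 128 zeroed bytes */
    int ok = p == NULL && q != NULL && naive_alloc_size(count, 8) == 8;

    free(q);
    return ok ? 0 : 1;
}
```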

  3. Mac OS X (client) isn't vulnerable by default by nebbian · Score: 2, Informative
    From http://www.info.apple.com/usen/security/security_updates.html:

    Security Update 2002-08-02

    So unless you're a hardcore geek who turns on SSL, and hasn't yet updated to the latest security updates, you should be fine with your version of OS X (client). OS X Server users would probably have updated already.

  4. Re:Ah! Another "Derived" Work by Microsoft by Dahan · Score: 3, Informative

    FYI, MS's TCP stack isn't BSD-derived. Where do they use zlib, btw?

  5. Re:Ah! Another "Derived" Work by Microsoft by Evro · Score: 2, Informative
    http://news.com.com/2100-1001-860328.html
    at least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.
    --
    rooooar