Experts flag security flaw in Solaris

Dec 02, 2002

Plus: news on Siebel Systems, Hitachi, AOL and more.

A vulnerability in Solaris puts systems running the Sun operating system at risk of being taken over by an attacker, experts warned last week.

A buffer overflow flaw lies in Sun’s implementation of the X Window Font Service (XFS), which serves font files to clients and runs by default on all versions of Solaris, according to advisories issued by Internet Security Systems and the CERT Coordination Center. By formulating a specific XFS query, remote attackers could crash the service or run arbitrary code with the privileges of the “nobody” user. This privilege level is limited and similar to that of a normal user. But after gaining access, an attacker could use privilege escalation flaws to attain root status, the highest privilege level, ISS said.

Sun told ISS and the CERT/CC that it is working on a software update. Meanwhile, ISS advises users to disable XFS unless it is required and to investigate firewall settings.
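The disable-XFS advice above, as an added example that is not part of the article or of any Sun or ISS material: on Solaris 8/9 the font server is started from inetd as the “fs” service (the `/usr/openwin/lib/fs.auto` path and the inetd.conf layout are assumed from those releases), so an auditor can check an inetd.conf file for an active entry and write a hardened copy with it commented out. The sample configuration is constructed, and the check does not apply to later Solaris releases where inetd services are managed by SMF.

```shell
#!/bin/sh
# Added example (not from the article): audit an inetd.conf-style file for an
# enabled X Font Service entry and produce a hardened copy with it disabled.
# Assumes the classic Solaris 8/9 inetd layout, where XFS is launched by inetd
# as the "fs" service via /usr/openwin/lib/fs.auto (assumed path).

# Constructed sample of the relevant inetd.conf lines (not a real host's file).
SAMPLE_INETD_CONF='# Solaris inetd.conf excerpt (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto fs
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd'

# xfs_enabled FILE -> prints "enabled" if an uncommented fs service line
# exists, otherwise "disabled". Matches on the service field rather than the
# binary path, so a line already commented out with '#' counts as disabled.
xfs_enabled() {
    if grep -Eq '^[[:space:]]*fs[[:space:]]+stream[[:space:]]+tcp' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# harden_inetd_conf IN OUT -> writes a copy of IN to OUT with any active fs
# service line commented out; every other line is left untouched.
harden_inetd_conf() {
    sed -E 's/^([[:space:]]*fs[[:space:]]+stream[[:space:]]+tcp.*)$/# disabled (XFS) \1/' "$1" > "$2"
}

# Stand-alone demonstration against the constructed sample.
demo() {
    tmp_in=$(mktemp); tmp_out=$(mktemp)
    printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp_in"
    echo "before: XFS $(xfs_enabled "$tmp_in")"
    harden_inetd_conf "$tmp_in" "$tmp_out"
    echo "after:  XFS $(xfs_enabled "$tmp_out")"
    rm -f "$tmp_in" "$tmp_out"
}

demo
```

On a live system the hardened file would replace `/etc/inetd.conf` and inetd would be signalled to reread it; the audit function alone is enough to confirm whether a host still exposes the service.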

The Securities and Exchange Commission last week took its first enforcement actions under a fair disclosure rule enacted in 2000, citing Siebel Systems for violations. On Nov. 5, 2001, Siebel CEO Tom Siebel told attendees at an invitation-only Goldman Sachs conference that he was optimistic because Siebel’s business was returning to normal. That was in contrast to his statements three weeks earlier that the IT market was tough and the company expected to face that climate for the rest of the year, according to the SEC. Siebel’s cheery remarks, to which most investors had no access, pushed Siebel’s share price up about 20% higher than the previous day’s close. Regulation Fair Disclosure bars companies from selectively disclosing material information before releasing the information publicly. The SEC has filed a cease-and-desist order against Siebel. It also has sought in federal court a $250,000 fine for the infraction, a penalty to which Siebel has agreed, according to the SEC. The commission also took action against Raytheon and its CFO, Franklyn Caine, and Secure Computing and its CEO, John McNulty, for similar violations.

Storage vendor Hitachi Data Systems is expected to announce this week that it has partnered with Network Appliance to create a storage-area network/network-attached storage gateway for enterprise customers who want to view block-level data on the Hitachi Lightning 9900 Series arrays from a file-oriented Network Appliance file server. Hitachi’s fortunes have improved in the past year. According to AG Edwards, at the end of the third quarter, Hitachi had overtaken EMC in the high-end RAID market with a 38.7% market share compared to EMC’s 37.8% slice.

A bill expected to be introduced in the U.S. Senate early next year is being promoted to encourage the expansion of broadband Internet access by making more broadcast spectrum available to devices that incorporate new technologies such as wireless LAN connectivity. Sen. Barbara Boxer (D-Calif.) and Sen. George Allen (R-Va.) are spearheading the effort.

The Boxer-Allen proposal would require the Federal Communications Commission to make more broadcast spectrum available to devices that incorporate new technologies. The bill also would require the FCC to develop guidelines for the expanded portion of the broadcast spectrum that these devices would use, to avoid signal congestion and interference. Current regulations limit wireless LANs and similar technologies to a small portion of the spectrum, which in turn limits their development, Boxer said. Another goal of Boxer and Allen’s legislation is to give people in rural communities new ways of accessing the Internet.

AOL is developing a stand-alone e-mail client with integrated instant-messaging software, presumably aimed at competing with Microsoft’s Outlook application. Dubbed AOL Communicator, the software is targeted at heavy users of AOL’s Instant Messenger and advanced e-mail users, an AOL spokeswoman confirmed last week. Communicator is in the early beta-testing phase, and it is too early to say what features the product will have or when it will be released, the company said. AOL’s move into the stand-alone e-mail market could enable it to hit three birds with one stone – letting the Internet giant grab more corporate users, diversify its revenue stream and nip at one of rival Microsoft’s strongholds. The ISP recently launched a corporate instant-messaging product, just as Microsoft was preparing to unveil its own.