Sun Works On Patch For Solaris Zero-Day Bug - InformationWeek
IoT
IoT
Software // Enterprise Applications
News
2/12/2007
06:05 PM
50%
50%
RELATED EVENTS
Building Security for the IoT
Nov 09, 2017
In this webcast, experts discuss the most effective approaches to securing Internet-enabled system ...Read More>>

Sun Works On Patch For Solaris Zero-Day Bug

Sun Microsystems is preparing to issue an alert to users on the vulnerability the SANS Institute called a "major zero-day bug."

Sun Microsystems says it has verified the zero-day bug in Solaris 10 and 11, and company researchers are working on a fix that they hope to release within a few days.

The vulnerability -- which the SANS Institute on its site on Monday called a "major zero-day bug" -- allows hackers to easily gain remote access to computers running the operating systems. The problem lies in the way Telnet, a network protocol, uses parameters during the authentication process, said Johannes Ullrich in an interview with InformationWeek on Monday morning. Ullrich is the CTO for the Internet Storm Center, a cooperative cyberthreat monitoring and alert system.

Sun is preparing to issue an alert to its users later Monday, a company spokesman says.

"We're not aware that anyone has actually experienced this exploit," he adds. "It doesn't mean it hasn't happened but we haven't heard about it."

Ullrich explains that by simply adding what he calls a "trick" or simple text to the Telnet command, the system will skip asking for a user name and password. No exploit needs to be downloaded. If the systems are installed out of the box, they automatically come Telnet enabled.

Solaris 10 came out in 2005, and more than 7 million users have reportedly registered for it with Sun. Solaris 11, or what Sun code-named Solaris Next, is in beta.

The Sun spokesman says earlier versions of Solaris 10 had Telnet automatically enabled out of the box, but the latest version does not. He says for both the latest version of Solaris 10 and for the beta version of Solaris 11, users would have to specifically turn Telnet on to enable it. He adds that Sun is recommending that customers use Solaris Secure Shell as the protocol of choice.

He also says he does not know if Sun will take Telnet out of Solaris 11 all together.

Internet Storm Center analysts are recommending that Telnet be disabled on the Solaris systems.

While Ullrich calls Telnet out of date and problematic, he says this specific zero-day bug is caused by the way Solaris is designed.

Ullrich and other researchers at the Internet Storm Center are warning users to not use Telnet anymore -- on any system. "It's archaic at this point," says Ullrich. "Never use Telnet to log in to a system. Use SSH instead. There's just no reason to use Telnet. I don't know why they keep it enabled. They really shouldn't."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
[Interop ITX 2017] State Of DevOps Report
[Interop ITX 2017] State Of DevOps Report
The DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll