Leftovers: Solaris workaround, Patch Tuesday
In response to public disclosure of a code execution hole affecting default installations of Sun Solaris, the company is recommending users turn off the X font server until a patch is ready.
The advice comes from Alan Coopersmith, a member of Sun's X Engineering group, who notes that the critical bug only affects Solaris versions up through Solaris 10 6/06:
Our sustaining teams are producing patches and a Sun Alert covering this issue, but until then, if you don't need the X font server (on Solaris it's really only used for remote desktop sessions from computers without the standard Solaris fonts already installed - unlike some Linux'es, local sessions don't use it), you can easily turn it off in several ways:
- On all Solaris releases: “/usr/openwin/bin/fsadmin -d”, which will either break the link that inetd uses (Solaris 2.6-Solaris 9) or use inetadm to disable the svc:/application/x11/xfs service (Solaris 10 & later).
- On Solaris 10 and later, you can do the same thing explicitly with “/usr/sbin/inetadm -d svc:/application/x11/xfs:default”.
- On Solaris 2.6 through 9, you can do the traditional editing of /etc/inetd.conf to disable it, then “kill -HUP inetd”.
- If you'll never need it, and want to be sure it's gone, remove the xfs package with “pkgrm SUNWxwfs”.
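As an added example (not part of Coopersmith's post or Sun's tooling): a small shell helper that picks which of the listed workarounds applies for a given `uname -r` value and, for the inetd.conf case, comments out the font server entry in a scratch copy and verifies it is gone. The function names, the sample file contents and the assumption that the entry's service name is `fs` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the quoted post. Sample data below is constructed.

# Map `uname -r` output to the applicable workaround from the list above.
# SunOS 5.6-5.9 = Solaris 2.6-9 (inetd.conf); SunOS 5.10+ = Solaris 10 and later (inetadm).
xfs_method_for_release() {
    case "$1" in 5.*) minor=${1#5.} ;; *) echo unknown; return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 1 ;; esac
    if [ "$minor" -ge 10 ]; then echo inetadm
    elif [ "$minor" -ge 6 ]; then echo inetd.conf
    else echo unknown; return 1
    fi
}

# Succeed if FILE still has an uncommented font server entry.
# Assumption: the entry's service name (first field) is "fs".
xfs_entry_active() {
    awk '$1 == "fs" { found = 1 } END { exit !found }' "$1"
}

# Print FILE with any active "fs" entry commented out; other lines unchanged.
xfs_comment_out() {
    awk '$1 == "fs" { print "#" $0; next } { print }' "$1"
}

# Constructed inetd.conf sample for the demo and tests.
xfs_sample_conf() {
    printf '%s\n' \
        '# constructed sample' \
        'ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd' \
        'fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs'
}

# Demo: edit a scratch copy, never the live file, and verify the result.
tmp=$(mktemp -d)
xfs_sample_conf > "$tmp/inetd.conf"
echo "method for SunOS 5.9: $(xfs_method_for_release 5.9)"
xfs_comment_out "$tmp/inetd.conf" > "$tmp/inetd.conf.new"
if xfs_entry_active "$tmp/inetd.conf.new"; then
    echo "font server entry still active"
else
    echo "font server entry disabled in scratch copy"
fi
rm -rf "$tmp"
```

On a real host the edited file only takes effect once inetd rereads its configuration, which is the signal step in the list above.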
MICROSOFT PATCH TUESDAY
According to a note from Symantec, Microsoft has pulled one of the security bulletins from the batch being released tomorrow (October 9).
Microsoft's advance notice still lists seven bulletins -- four rated critical -- but a note from Symantec's DeepSight service says one has been withdrawn. If this is accurate, it would be the second successive month that Microsoft has yanked security patches at the eleventh hour.
A Microsoft spokesman would only confirm "a minor change to the release schedule" since the advance notice was issued last Thursday. "[There] remains the possibility that a security update could be removed from the release schedule. Generally speaking, a removal could occur because of last minute quality issues," he said.
This batch of patches will cover multiple holes in Windows, Internet Explorer, Microsoft Office, Outlook Express and Vista's Windows Mail.