----------------------------------------------------------------------------- SUN MICROSYSTEMS SECURITY BULLETIN: #00132, 28 February 1995 ----------------------------------------------------------------------------- BULLETIN TOPICS In this bulletin Sun announces a potential security vulnerability which can result from interrupting the installation script on several demo CD's. We describe how to determine if your system is affected, and how to remove the potential security vulnerability with one or two simple commands. No patches are needed. In addition to issuing this bulletin, Sun is sending letters to those customers known to have received the CD's. I. Who is affected and what to do II. Understanding the vulnerability III. Acknowledgments APPENDICES A. How to obtain Sun security patches B. How to report or inquire about Sun security problems C. How to obtain Sun security bulletins /\ Send Replies or Inquiries To: \\ \ \ \\ / Mark Graff / \/ / / Sun Security Coordinator / / \//\ MS MPK17-103 \//\ / / 2550 Garcia Avenue / / /\ / Mountain View, CA 94043-1100 / \\ \ Phone: 415-786-5274 \ \\ Fax: 415-786-7994 \/ E-mail: security-alert@Sun.COM ----------- Permission is granted for the redistribution of this Bulletin for the purpose of alerting Sun customers to problems, as long as the Bulletin is not edited and is attributed to Sun Microsystems. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ----------------------------------------------------------------------------- SUN MICROSYSTEMS SECURITY BULLETIN: #00132, 28 February 1995 ----------------------------------------------------------------------------- I. Who is affected and what to do Sun has discovered that installation scripts in several SunSoft demo CD's contain a flaw which could weaken the security of systems on which the demo software is installed. We are alerting our customers so that those who are affected can take appropriate action. Date Title Part # ---- ----- ------ Sep-Dec '95 Catalyst CDWARE (Sparc) 724-1308-03, Rev D Jan-Mar '96 Catalyst CDWARE (Sparc) 724-1308-03, Rev E Jan-Mar '96 Catalyst CDWARE (x86) 724-1433-05, Rev C Dec '95 SunSoft Developer CD, Premiere Issue 95459-001 Jan '96 Business Solutions 95536-001 You need only be concerned if you: * Received one of the listed CD's; and * Installed the software on it, using the installation script; and * Interrupted the installation script before it could exit normally. If you did install the software, you should check whether the string "x-spam-sh" appears in the ".mailcap" file in your home directory, by issuing a command such as: grep x-spam-sh $HOME/.mailcap If the string appears in the file, use a text editor to delete any lines which include it, then exit any Web browsers you are currently running. When you have completed these steps, the potential security weakness is gone. You can then restart a browser without reopening the vulnerability. II. Understanding the vulnerability The potential security weakness arises only when the installation script is interrupted, causing it to terminate before undoing a temporary modification to the ".mailcap" file. If you were to use a Web browser while the ".mailcap" modification was in effect, your browser might be caused to execute commands on your system without your knowledge--if you happened to visit a Web page which exploited this flaw. (We believe no such sites exist at this time.) It might also be possible under these circumstances for such hidden commands to be executed on your behalf as the result of an electronic mail message. However, all of the mail programs we have tested would require your confirmation before executing the commands. We apologize for any inconvenience this problem may have caused. We have taken steps to ensure that it will not happen again. III. Acknowledgments Sun would like to thank Steve Neruda, of Nationwide Insurance, and CERT/CC for their assistance. APPENDICES A. How to obtain Sun security patches 1. If you have a support contract Customers with Sun support contracts can obtain any patches listed in this bulletin (and any other patches--and a list of patches) from: - Local Sun answer centers, worldwide - SunSITEs worldwide - SunSolve Online The patches are available via World Wide Web at http://sunsolve1.sun.com. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready 2. If you do not have a support contract Customers without support contracts may now obtain security patches, "recommended" patches, and patch lists via SunSolve Online. Sun also makes its security patches available via anonymous ftp, from the directory /systems/sun/sun-dist on the system ftp.uu.net. However, the ftp.uu.net repository will be discontinued in the near future. The availability of security patches via the SunSolve patch database has made it redundant. Sun does not furnish patches to any external distribution sites other than the ones mentioned here. 3. About the checksums Patches announced in a Sun security bulletin are uploaded to the ftp.*.net sites just before the bulletin is released, and seldom updated. In contrast, the "supported" patch databases are refreshed nightly, and will often contain newer versions of a patch incorporating changes which are not security-related. So that you can quickly verify the integrity of the patch files themselves, we supply checksums for the tar archives in each bulletin. The listed checksums should always match those on the ftp.*.net systems. (The rare exceptions are listed in the "checksums" file there.) Normally, the listed checksums will also match the patches on the SunSolve database. However, this will not be true if we have changed (as we sometimes do) the README file in the patch after the bulletin has been released. In the future we plan to provide checksum information for the individual components of a patch as well as the compressed archive file. This will allow customers to determine, if need be, which file(s) have been changed since we issued the bulletin containing the checksums. If you would like assistance in verifying the integrity of a patch file please contact this office or your local answer center. B. How to report or inquire about Sun security problems If you discover a security problem with Sun software or wish to inquire about a possible problem, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - This office. Address postal mail to: Sun Security Coordinator MS MPK17-103 2550 Garcia Avenue Mountain View, CA 94043-1100 Phone: 415-786-5274 Fax: 415-786-7994 E-mail: security-alert@Sun.COM We strongly recommend that you report problems to your local Answer Center. In some cases they will accept a report of a security bug even if you do not have a support contract. An additional notification to the security-alert alias is suggested but should not be used as your primary vehicle for reporting a bug. C. How to obtain Sun security bulletins 1. Subscription information Sun Security Bulletins are available free of charge as part of our Customer Warning System. It is not necessary to have a Sun support contract in order to receive them. To receive information or to subscribe or unsubscribe from our mailing list, send mail to security-alert@sun.com with a subject line containing one of the following commands. Subject Information Returned/Action Taken ------- --------------------------------- HELP An explanation of how to get information LIST A list of current security topics QUERY [topic] The mail containing the question is relayed to a Security Coordinator for a response. REPORT [topic] The mail containing the text is treated as a security bug report and forwarded to a Security Coordinator for handling. Please note that this channel of communications does not supersede the use of Sun Solution Centers for this purpose. Note also that we do not recommend that detailed problem descriptions be sent in plain text. SEND topic Summary of the status of selected topic SUBSCRIBE Sender is added to the CWS (Customer Warning System) list. The subscribe feature requires that the sender include on the subject line the word "cws" and the reply email address. So the subject line might look like the following: SUBSCRIBE cws graff@sun.com UNSUBSCRIBE Sender is removed from the CWS list. Should your email not fit into one of the above subjects, a help message will be returned to you. Due to the volume of subscription requests we receive, we cannot guarantee to acknowledge requests. Please contact this office if you wish to verify that your subscription request was received, or if you would like your bulletin delivered via postal mail or fax. 2. Obtaining old bulletins Sun Security Bulletins are archived on ftp.uu.net (in the same directory as the patches) and on SunSolve. Please try these sources first before contacting this office for old bulletins. ------------