New Worm Causes Solaris to Attack Windows

The Computer Emergency Response Team (CERT) issued an advisory today detailing a new worm that causes a Sun Microsystems Solaris system to attack a Windows system. The worm exploits a vulnerability under Solaris to install a worm that attempts to seek out and attack Internet Information Server (IIS)–based systems. According to the advisory, the problem stems from a 2-year-old buffer overflow condition in the Solstice sadmind program and a 7-month-old directory traversal vulnerability common to unpatched IIS 4.0 and 5.0 systems.

To call the worm into action, intruders compromise a vulnerable Solaris system and install the worm on that system. Once running, the worm seeks out other Solaris systems to further spread the worm and IIS systems to infect. Upon finding a vulnerable IIS system, the worm replaces the server's home page with profanity aimed at the U.S. government.

Sun issued Security Bulletin #00191 in response to the sadmind buffer problem in December 1999, and Microsoft issued Security Bulletin MS00-078 in response to the IIS directory traversal problem in October 2000. CERT maintains its own bulletins regarding the two problems with Solaris and IIS and advises all Windows 2000 and NT and Solaris users to patch their systems against these long-known issues.