Note: This is an archival copy of Security Sun Alert 258928 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020463.1.
Date of Resolved Release
A Security Vulnerability May Allow Popup Windows to Appear Through the Solaris XScreenSaver Program on Xorg(1) Servers
A security vulnerability in the Solaris XScreenSaver (see xscreensaver(1)) program may allow popup windows to appear through the lock screen and expose sensitive data on Xorg(1) servers (or Xnewt(1M) servers in the case of Sun Ray setups).
2. Contributing Factors
This issue can occur in the following releases:
$ uname -v
Notes:
1. This issue only occurs when the XScreenSaver program is used with the Xorg server (or derivatives such as Xnewt(1M) from the Sun Ray software). However, this includes the scenario where the Xorg server is used remotely. Releases such as Solaris 8 and 9, which do not include the Xorg server, may therefore still be impacted if they are used remotely to connect to another host that does contain the Xorg server.
To determine if the system is running Xorg, the following command can be run:
$ ps -ef | grep Xorg
2. Systems are only impacted by this issue if they have the package SUNWxwsvr installed. To determine if SUNWxwsvr is installed, the following command can be run:
$ pkginfo SUNWxwsvr
3. Symptoms
There are no predictable symptoms that would indicate the described vulnerability has been exploited to reveal sensitive information.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Solaris 10 Operating System
Solaris 9 Operating System
Solaris 8 Operating System
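The two checks from notes 1 and 2 under Contributing Factors, combined into one script as an added example that is not part of the Sun Alert. It assumes `ps -e -o comm=` and `pkginfo -q` are available on the host; the function names, verdict keywords and sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: combines the advisory's two local checks into one verdict.

# Reads one command name per line (as from `ps -e -o comm=`) and succeeds
# if any basename is exactly Xorg or Xnewt. Exact basename matching avoids
# the false hit `ps -ef | grep Xorg` gets from the grep process itself.
xserver_in_list() {
    awk '{ n = split($1, p, "/")
           if (p[n] == "Xorg" || p[n] == "Xnewt") found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# assess SERVER PKG  (each "yes" or "no"); prints a verdict keyword.
assess() {
    if [ "$2" != yes ]; then
        echo not-impacted          # note 2: SUNWxwsvr must be installed
    elif [ "$1" = yes ]; then
        echo conditions-met        # package present, Xorg/Xnewt running here
    else
        echo check-remote-use      # note 1: a remote Xorg server still counts
    fi
}

# Constructed sample input, not captured from a real host.
sample_ps='/usr/lib/ssh/sshd
/usr/X11/bin/Xorg
grep'

# Live check only where the Solaris packaging tools exist.
if command -v pkginfo >/dev/null 2>&1; then
    server=no; pkg=no
    ps -e -o comm= | xserver_in_list && server=yes
    pkginfo -q SUNWxwsvr && pkg=yes
    echo "this host: $(assess "$server" "$pkg")"
else
    printf '%s\n' "$sample_ps" | xserver_in_list && echo "sample: X server found"
fi
```

A `check-remote-use` verdict means the local process list cannot settle the question: per note 1, the display may be served by an Xorg server on another host.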