New Mac OS X update fixes flaws

* Patches from Apple, Trustix, SCO, others
* Beware virus that spreads through a message that looks like Spanish and has an attachment called "bailando.vbe"

Today's bug patches and security alerts:

New update from Apple fixes numerous Mac OS X flaws

A new update from Apple fixes flaws in ImageIO, Mail, malloc, QuickDraw Manager, QuickTime for Java, Ruby, Safari, SecurityAgent and securityd. The most serious of the flaws could be exploited to gain elevated privileges and run arbitrary code on the affected machine. For more, go to:

http://docs.info.apple.com/article.html?artnum=302413

**********

Trustix patches ClamAV

A buffer overflow has been found in the process that scans UPX-packed executables. There's also a denial-of-service flaw in the way FSG-packed executables are processed. For more, go to:

http://www.trustix.org/errata/2005/0051/

**********

SCO patches TCP Remote ICMP Denial Of Service Vulnerabilities

A couple of denial-of-service vulnerabilities have been found in the ICMP implementation for SCO OpenServer. For more, go to:

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.38

**********

Mandriva patches masqmail

Two flaws have been found in masqmail. Both could be exploited to run arbitrary code on the affected machine. For more, go to:

http://www.mandriva.com/security/advisories?name=MDKSA-2005:168

Mandriva releases fix for XFree86

An integer overflow in XFree86's pixmap could be exploited to gain elevated privileges on the affected machine. For more, go to:

http://www.mandriva.com/security/advisories?name=MDKSA-2005:164

Mandriva issues MySQL update

A stack-based buffer overflow in one of the MySQL functions could be exploited to run arbitrary code on the affected machine. For more, go to:

http://www.mandriva.com/security/advisories?name=MDKSA-2005:163

**********

More Mozilla updates available

A number of vulnerabilities have been found in various Mozilla-based packages, including Firefox. The most serious of the flaws could be exploited to run arbitrary code. For more, go to:

Fedora (Mozilla):

http://www.networkworld.com/go2/0926bug1g.html

Gentoo:

http://security.gentoo.org/glsa/glsa-200509-11.xml

Ubuntu (Mozilla, Firefox):

http://www.networkworld.com/go2/0926bug1f.html

HP has also released a fix for OpenVMS related to these Mozilla issues:

http://h71000.www7.hp.com/openvms/products/ips/cswb/cswb.html

**********

Ubuntu patches umount

A flaw in one of the umount options could be exploited by a local user to run malicious code on the affected machine. For more, go to:

http://www.networkworld.com/go2/0926bug1e.html

**********

Debian patches courier

According to an alert from Debian, "Jakob Balle discovered that with 'Conditional Comments' in Internet Explorer it is possible to hide javascript code in comments that will be executed when the browser views a malicious email via sqwebmail. Successful exploitation requires that the user is using Internet Explorer." For more, go to:

http://www.debian.org/security/2005/dsa-820

Debian releases Python updates

Both Version 2.1 and 2.2 of Debian's Python implementation are vulnerable to the integer overflow in the PCRE library. An attacker could exploit this to run arbitrary code on the affected machine. For more, go to:

Python 2.1:

http://www.debian.org/security/2005/dsa-819

Python 2.2:

http://www.debian.org/security/2005/dsa-817

Debian issues fix for kdeedu

The langen2kvhtml application from the kvoctrain package in kdeedu does not properly create temporary files. An attacker could exploit this in a symlink attack. For more, go to:

http://www.debian.org/security/2005/dsa-818

Debian patches kdebase

A lock file handling error in kcheckpass could be exploited to gain elevated privileges on the affected machine. For more, go to:

http://www.debian.org/security/2005/dsa-815

Debian issues patch for lm-sensors

The lm-sensors application creates temporary files with predictable names, which could be exploited in a symlink attack. For more, go to:

http://www.debian.org/security/2005/dsa-814

Debian patches centericq

Several flaws have been found in centericq, a text-mode multi-protocol instant messenger client. The flaws could be exploited to run arbitrary code on the affected machine. For more, go to:

http://www.debian.org/security/2005/dsa-813

Debian releases patch for turqstat

According to a Debian advisory, "Peter Karlsson discovered a buffer overflow in Turquoise SuperStat, a program for gathering statistics from Fidonet and Usenet, that can be exploited by a specially crafted NNTP server." For more, go to:

http://www.debian.org/security/2005/dsa-812

Debian patches common-lisp-controller

A flaw in the common-lisp-controller, a Common Lisp source and compiler manager, could be exploited by a local user to run a malicious script. For more, go to:

http://www.debian.org/security/2005/dsa-811

**********

HP patches System Management Homepage

A flaw in the System Management Homepage could be exploited by a remote user in a denial-of-service or cross-site scripting attack. For more, go to:

Windows:

http://www.networkworld.com/go2/0926bug1d.html

Linux:

http://www.networkworld.com/go2/0926bug1c.html

HP fixes Tru64 libXpm flaw

Multiple denial-of-service vulnerabilities have been found in the libXpm and dximageview module for Tru64. In some cases, an attacker could run malicious code on the affected machine. For more, go to:

http://www.securityfocus.com/archive/1/411324/30/30/threaded

HP patches ftp daemon for Tru64

A denial-of-service vulnerability has been found in the HP Tru64 FTP daemon. A fix is available. For more, go to:

http://www.securityfocus.com/archive/1/411225/30/30/threaded

**********

Fedora updates squirrelmail

A flaw in the way squirrelmail handles the $_POST variable could be exploited by an attacker using a malicious URL. If the URL is clicked, the flaw could be exploited to change squirrelmail preferences. For more, go to:

http://www.networkworld.com/go2/0926bug1b.html

Fedora releases update for Zlib

A buffer overflow flaw in Zlib could be exploited in a denial-of-service attack against the affected machine. For more, go to:

http://www.networkworld.com/go2/0926bug1a.html

**********

Gentoo issues patch for Webmin, Usermin

According to a Gentoo advisory, "If Webmin or Usermin is configured to use full PAM conversations, it is vulnerable to the remote execution of arbitrary code with root privileges." For more, go to:

http://security.gentoo.org/glsa/glsa-200509-17.xml

Gentoo patches Mantis

A SQL injection vulnerability could be exploited to access or change data in the database. For more, go to:

http://security.gentoo.org/glsa/glsa-200509-16.xml

Gentoo releases fix for Zebedee

A bug in Zebedee, an application for creating an encrypted TCP tunnel between two machines, leaves it vulnerable to a denial-of-service attack. For more, go to:

http://security.gentoo.org/glsa/glsa-200509-14.xml

Gentoo issues fix for Apache, mod_ssl

Flaws in the Apache-mod_ssl tandem could be exploited to bypass the access control list and potentially gain elevated privileges on the affected machine. For more, go to:

http://security.gentoo.org/glsa/glsa-200509-12.xml

Gentoo patches mailutils

According to a Gentoo advisory, "An authenticated IMAP user could exploit the format string error in imap4d to execute arbitrary code as the imap4d user, which is usually root." For more, go to:

http://security.gentoo.org/glsa/glsa-200509-10.xml

Gentoo releases fix in Py2Play

A "design flaw" in Py2Play, a peer-to-peer network game engine written in Python, could be exploited to run malicious code on the affected machine. For more, go to:

http://security.gentoo.org/glsa/glsa-200509-09.xml

**********

Today's roundup of virus alerts:

Troj/GrayBird-X -- A backdoor Trojan that can connect with remote sites via HTTP. It drops "svchost.exe" in the Windows folder. (Sophos)

W32/Pegas-A -- A virus that spreads via e-mail and can be used to steal local information as well as delete files. It spreads through a message that looks like Spanish and has an attachment called "bailando.vbe". (Sophos)

W32/Mytob-EL -- Another Mytob e-mail worm, which spreads through messages that look like an account or password warning. The message will have an attachment with a double extension. It drops "servicces.exe" in the Windows System folder. (Sophos)

W32/Mytob-CU -- This Mytob variant spreads in a similar fashion to Mytob-EL above. It drops "xxx.exe" in the Windows System folder. (Sophos)

VBS/Cazdeg-D -- A virus that attempts to infect VBScript, JavaScript, ZIP, HTML, Word Document and Excel Spreadsheet files. It spreads through peer-to-peer networks and can set up an IRC-accessible backdoor. (Sophos)

W32/Rbot-AJO -- An Rbot variant that spreads through network shares by exploiting a number of known Windows vulnerabilities. It drops a randomly named file in the Windows System folder. It can be used for a number of malicious applications and allows backdoor access via IRC. (Sophos)

W32/Rbot-SQ -- Another Rbot variant that targets Windows machines that do not have all the proper patches installed. This version drops "mcafeee.exe" in the Windows System folder. (Sophos)

Troj/Sharp-J -- A backdoor worm that can inject code into running processes and be used to download additional code from remote sites. It drops "win32.exe" and "winlog.exe" in the Windows System folder. (Sophos)

W32/Traxg-E -- A mass mailing worm that also can spread via network shares. It creates "FOLDER.HTT" in the root directory and attempts to add an "admin" account to the affected machine. (Sophos)

Troj/Whistler-F -- A Trojan that attempts to delete files from the infected host. It spreads through network shares, dropping "WXP" in the root directory with the message "You did a piracy, you deserve it". It also installs "whismng.exe" in the Windows System directory. (Sophos)

W32/Codbot-AA -- A backdoor Trojan that can be used to download additional code, run an FTP server and harvest system information. The bot can be controlled via an IRC channel. It drops "winjava.exe" in the Windows System folder. (Sophos)

W32/Wurmark-M -- A worm that targets Windows machines. It drops "MsUpdate.exe" in a similarly named directory off the Program Files folder. No word on what kind of damage it can cause. (Sophos)

Troj/Divo-B -- A password-stealing Trojan that targets certain Internet banking sites. It displays a number of fake messages asking the user to "Please input your MEMORABLE INFORMATION." (Sophos)

Troj/Lecna-D -- A backdoor Trojan that communicates with a remote server via HTTP. It drops "WINDOWSUPDATE.EXE" in the Windows System folder. (Sophos)

W32/Sdbot-ADB -- An Sdbot IRC backdoor worm that drops "HeIp.exe" in the Windows System folder. It spreads via network shares. (Sophos)

W32/Zafi-E -- A worm that spreads via e-mail and peer-to-peer networks. When infecting a machine, it displays the message "Windows has blocked access to this image." The infected e-mail will have an attachment with CMD, SCR, PIF, COM, or ZIP as its extension. It harvests additional e-mail addresses from its host. (Sophos)

Copyright © 2005 IDG Communications, Inc.