iDefense warns of xpdf flaws

* Patches from IBM, HP, Debian, others
* Beware new, virulent Cabir mobile phone worms
* Trend Micro snatches Hotmail account from McAfee, and other interesting reading

We're back, rested and ready to roll for 2005. We've got quite a few alerts to catch up on since our last mailing, so we'll be spreading them out over today's and Thursday's editions.

Happy New Year!

Today's bug patches and security alerts:

iDefense warns of xpdf flaws

A buffer overflow in Version 3.00 of the xpdf application, an open source PDF viewer, could be exploited to run arbitrary code on the affected machine. For more, go to:

Related fixes:

Mandrake Linux (xpdf):

Mandrake Linux (gpdf):

Similar flaws have been fixed in Adobe's own Acrobat and Reader products, according to an alert from Panda Software:

Adobe Reader 6.0.3 update/Windows:

Adobe Reader 6.0.3a update/Macintosh:

Adobe Acrobat 6.0.3 Professional and Standard Update/Windows:

Adobe Acrobat 6.0.3a Professional and Standard update/Macintosh:

Acrobat Reader for Unix 5.0.10:


Two buffer overflow vulnerabilities found in IBM DB2

Buffer overflows have been found in the rec2xml function and generate_distfile procedure that are part of the IBM DB2 application. These flaws could be exploited to run malicious code on the affected server. Patches are available from IBM:

DB2 v8.1:

DB2 v7.x:


NGSSoftware warns of Oracle flaws

NGSSoftware is warning of multiple vulnerabilities in the Oracle 10g and 9i database applications. It is not releasing full details until the patch becomes widely distributed:


CERT warns of vulnerability in phpBB

CERT is warning of an input validation bug in the phpBB Web site tool. An attacker could exploit this to deface Web sites run on the software and potentially gain administrative privileges. For more, go to:


Vulnerability in HP-UX's FTP daemon

A buffer overflow in the user authentication code of the HP-UX FTP daemon could be exploited to bypass the authentication requirements altogether. For more, go to:

Other HP flaws that have been patched:

- HP Tru64 UNIX TCP Stack

- Netscape Directory Server on HP-UX LDAP

- HP Tru64 UNIX SWS (Apache) Secure Web Server


All patches can be downloaded by logging into:


Latest patches for Debian:

The following applications/utilities have been patched by Debian over the past two weeks:

Atari800 (buffer overflow):

Cscope (insecure temporary files):

HTget (buffer overflow):

A2ps (unsanitized input):

Ethereal (infinite loop):

Xzgv (integer overflows):

Debmake (insecure temporary files):

Netkit-telnet-ssl (format string):

Tiff (insufficient input validation):

Imlib (buffer, integer overflows):

Perl (insecure temporary files, directories):

CUPS (buffer overflow):


Latest patches for Gentoo:

The following applications/utilities have been patched by Gentoo over the past couple of weeks:

PHProjekt (setup flaw):

Ncpfs (buffer overflow):

Cscope (insecure temporary files):

Adobe Acrobat Reader (buffer overflow):

PHP (multiple):

Ethereal (multiple):

Kdelibs/Kdebase (multiple):

Kfax (buffer overflows):

Abcm2ps (buffer overflow):

NASM (buffer overflow):

MPlayer (buffer overflows):

Zwiki (cross-site scripting):

CUPS (multiple):

ViewCVS (information leak):


Flaw in Windows Media Player 9

A flaw in the way artist, album name and song name information in a media file is retrieved could be exploited by an attacker to run code on the affected machine. An attacker could overwrite that metadata with scripting commands, which would be executed on the target user's machine. Windows Media Player 10 fixes the flaw, but that version is not available on non-XP machines. Not sure if Microsoft has released a fix for those of us not using XP. For more, go to:


Buffer overflow in Veritas Backup Exec

A buffer overflow in the Veritas Backup Exec utility could be exploited to run arbitrary code on the affected machine with the privileges of the application, usually a domain admin account. Veritas has released fixes for the problem. For more, go to:

Version 8.6:

Version 9.1:

Related iDefense advisory:


Security hole found in Google desktop search

Researchers at Rice University have discovered what they say is a flaw in the beta version of Google's Desktop Search product that could allow third parties to access users' search result summaries, providing a sneak peek at part of the content of personal files. IDG News Service, 12/20/04.


Today's roundup of virus alerts:

New, virulent Cabir mobile phone worms spotted

Two new versions of a computer virus that affects mobile phones were discovered Monday with new features that allow them to spread more quickly between vulnerable devices, according to anti-virus company F-Secure. IDG News Service, 12/28/04.

Santy.E worm poses threat to sites badly coded in PHP

The latest version of the Santy worm poses an elevated risk to many Web sites built using the PHP scripting language, and protection of those sites may involve individually recoding them, security experts warned over the weekend. IDG News Service, 12/27/04.

W32/Sdbot-SI - A backdoor worm that spreads via network shares and allows access to the infected machine via IRC. This variant drops the file "ffasd.exe" and can be used for a number of malicious purposes. (Sophos)

W32/Rbot-RY - Another backdoor worm that spreads via network shares and uses a specific IRC server to provide backdoor access. Rbot-RY drops the file "servic.exe" in the Windows System folder. (Sophos)

W32/Rbot-SB - This Rbot variant spreads via network shares by exploiting many well-known Windows vulnerabilities (all of which have patches available). The virus uses the file "taksmgr.exe" in the Windows System directory as its infection point. (Sophos)

W32/Rbot-SD - Very similar to Rbot-SB above, except this version's infected file is called "iexpl0re.exe". (Sophos)

Troj/Bancban-AN - A Trojan designed to steal username and password information for banking Web sites. This variant drops the file "smss.exe" on the infected machine. (Sophos)

W32/Mkar-E - This virus infects .exe files on the target machine and adds itself to the registry. No word on any permanent damage that can be caused by this vermin. (Sophos)

W32/Agobot-OR - What would a new year be without mention of a new Agobot variant? This one too spreads via network shares and uses an IRC connection to allow backdoor access. It installs the file "hey.exe" in the Windows System directory and can be used for a number of malicious purposes. (Sophos)

W32/Rembot-A - A worm that can be used to participate in denial-of-service attacks and run code on an infected machine. It installs itself as "NAVtask.exe" and gets commands from an IRC server. (Sophos)

Troj/Bancos-AS - This worm targets Brazilian banking sites, logging keystrokes and other information entered into them. (Sophos)

Troj/Agent-ZC - A Trojan horse that can be used to send spam from infected hosts. It creates the file "restorecrashwin32.bat" on the infected machine. (Sophos)

W32/Forbot-DH - This IRC-backdoor worm installs itself as "scvvhost.exe" in the Windows System directory and adds registry entries that look like they belong to the Windows Update service. (Sophos)

W32/Dedler-H - Another Trojan that uses common communication services to provide backdoor access. This Dedler variant uses ICQ and drops the file "xxx.exe". (Sophos)

W32/Leebad-B - A worm that drops the file "system32.exe" on the infected machine after spreading via open network shares. The virus creates a batch file that is used to add the current user to the local administrators group. (Sophos)

Troj/Chum-A - A new network worm that installs "mspmspv.exe" in the Windows System folder. It too allows backdoor access via IRC. (Sophos)


From the interesting reading department:

Risk Your PC's Health for a Song?

Ads and adware have a new way to get on your computer: through files that appear to be music and video. PC World, 12/29/04.

Security jobs on the rise

While IT employment numbers may be lagging, there is a glimmer of hope. The number of cybersecurity professionals is projected to grow at an annual compound rate of nearly 14% from now until 2008, according to a study released in November. IDG News Service, 12/23/04.

Trend Micro snatches Hotmail account from McAfee

Beating out McAfee, Trend Micro has landed a deal with Microsoft's MSN Hotmail service to do anti-virus scanning for 187 million e-mail accounts. IDG News Service, 12/20/04.

Cisco snaps up security start-up

Cisco last week continued on its torrid acquisition pace, announcing the buyout of Protego Networks, a Sunnyvale, Calif., maker of security appliances. Network World, 12/20/04.


Copyright © 2005 IDG Communications, Inc.