Busy week for viruses

* Patches from Microsoft, IBM, Apple, others * Beware Sasser worm * MCI strengthens security services, and other interesting reading

Today's bug patches and security alerts:

Microsoft SSL patch creating SSLowdowns

Microsoft said on Wednesday that a recently released software patch for its Windows operating system is causing some Windows 2000 machines to stop responding after it is installed. IDG News Service, 04/29/04.

http://www.nwfusion.com/news/2004/0429microssl.html?nl

Microsoft hole spawns real attacks, false alarm, Network World, 04/28/04

http://www.nwfusion.com/news/2004/0428microhole.html?nl

More attack code surfaces for recent Microsoft security holes, Network World, 04/26/04

http://www.nwfusion.com/news/2004/0426moreattac.html?nl

**********

IBM patches HTTP server

A flaw in the way IBM's HTTP server handles SSL records could be exploited in a denial-of-service attack against the affected machine. For more, go to:

http://www.nwfusion.com/go2/0503bug1a.html

**********

Apple patches QuickTime player

A flaw in the QuickTime media player could be exploited to crash the application. Users should upgrade to Version 6.5.1 to fix the problem. Downloads available here:

http://www.apple.com/quicktime/download/

**********

More Linux kernel patches available

Linux vendors are continuing to release kernel updates that fix a number of minor vulnerabilities in previous releases:

Debian Linux 2.4.16 for the ARM architecture:

http://www.debian.org/security/2004/dsa-495

EnGarde:

http://www.nwfusion.com/go2/0503bug1b.html

Mandrake Linux:

http://www.nwfusion.com/go2/0503bug1c.html

SGI ProPack v2.4:

ftp://patches.sgi.com/support/free/security/patches/ProPack/2.4/

(Download Patch 10065)

Slackware:

http://www.nwfusion.com/go2/0503bug1d.html

**********

Mandrake Linux patches sysklogd

A flaw in sysklogd could result in unallocated memory being overwritten, causing the application to crash. For more, go to:

http://www.nwfusion.com/go2/0503bug1e.html

**********

Mandrake Linux releases fix for proftpd

A flaw in Version 1.2.9 of proftpd for Mandrake Linux may allow a client access to files that the user should not have access to. For more, go to:

Mandrake Linux:

http://www.nwfusion.com/go2/0503bug1f.html

**********

Debian, Mandrake Linux, OpenPKG issue patches for libpng

A flaw in the way libpng creates error messages could be exploited in a denial-of-service attack. For more, go to:

Debian:

http://www.debian.org/security/2004/dsa-498

Mandrake Linux:

http://www.nwfusion.com/go2/0503bug1g.html

OpenPKG (png):

http://www.openpkg.org/security/OpenPKG-SA-2004.017-png.html

**********

Debian, Mandrake Linux release patches for mc

Three vulnerabilities have been found in Midnight Commander (mc), file manager for GNU/Linux operating systems. For more, go to:

Debian:

http://www.debian.org/security/2004/dsa-497

Mandrake Linux:

http://www.nwfusion.com/go2/0503bug1h.html

**********

SMC router admin flaw

A post to the BugTraq mailing list claims that certain versions of SMC routers may have remote administration turned on by default without password protection. This could allow any remote user to access the affected device via port 1900. Workarounds include enabling the router's firewall and blocking port 1900 or turn on port forwarding and forward port 1900 to an unused internal IP address. For more, go to:

http://www.nwfusion.com/go2/0503bug1i.html

**********

Today's roundup of virus alerts:

W32/Sasser-A/B/C - A new worm that attempts to exploit a vulnerability in Windows' Local Security Authority Subsystem Service (LSASS), which Microsoft released a patch for last month. Sasser does not require user intervention to spread, instead pinging TCP ports 9996 and 445 (variant B just exploits port 445). If it finds an unpatched system, Sasser infects it then downloads code from a remote site. Version C could be the most problematic, as it can launch up to 1,024 processes on the infected machine. (Sophos, Panda Software)

Related Microsoft patch:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

ISS Alert:

http://xforce.iss.net/xforce/alerts/id/169

Related story:

Sasser worm expected to hit hard on Monday

http://www.nwfusion.com/news/2004/0503sasseworm.html

W32/Bagle-W - Another variant of the Bagle worm family that spreads via e-mail. The infected message will have a random subject line but come with an attachment containing a picture of a woman and a second file that is the worm itself. (Sophos)

W32/Bagle-AA - Another Bagle variant that uses a range of subject lines and body text to spread itself. When it infects a target, the virus displays a "Can't find a viewer associated with the file" alert. Bagle-AA attempts to terminate a number of security related applications that may be running on the infected machine. (Sophos)

W32/Bagle-AB - Same properties as Bagle-AA above with an added twist: The virus attempts to connect to remote Web sites via port 2535. (Panda Software)

W32/Netsky-AA - A variant of the NetSky mass mailer worm that spreads via a message that looks to be a response to a previous message. The infected attachment could be a number of file names, but always has a .pif extension. (Sophos)

W32/Netsky-AB - Like NetSky-AA, this virus uses a variety of subject lines and attachment names, yet all the infected files have a .pif extension. (Sophos)

VBS/Yarr-B -- Sophos only says this virus drops a copy of the W32/MimMail-V worm on the infected machine in the file c:\temp\gorf.ex0. (Sophos)

W32/Lovgate-V - A Lovegate variant that spreads via network shares, e-mail (a zip or rar file attachment) and file sharing networks. An infected e-mail starts with "It's the long-awaited film version of the Broadway hit." The virus also tried to terminate certain security related applications. (Sophos)

W32/Bugbear-F - An e-mail worm variant that takes its subject line and body text from information on the infected machine. The infected attachment is usually a ZIP file. Once it infects a target, Bugbear-F attempts to disable certain security related applications. (Sophos)

Troj/StartPa-AE - A Trojan that changes various Internet Explorer attributes (such as its Start Page) each time the infected machine is booted. The code could be dropped by another virus. (Sophos)

Troj/Psyme-U - An HTML-based script that attempts to exploit an Internet Explorer flaw to download and run executable files on the infected machine. (Sophos)

Microsoft patch:

http://www.microsoft.com/technet/security/bulletin/MS04-013.asp

W32/Sdbot-HX - This worm spreads via weakly protected network shares, installing the file DLL6DSYS.EXE in the Windows System directory. (Sophos)

Gimared.A - A virus that spreads via e-mail and displays a political message about Cuba on the infected machine. (Panda Software)

**********

From the interesting reading department:

Product palooza at N+I

A rebounding NetWorld+Interop will showcase a bevy of new switching, security and management wares two weeks from now in Las Vegas, but it will be the show's swan song at the Las Vegas Convention Center. Network World, 05/03/04.

http://www.nwfusion.com/news/2004/0503interop.html?nl

Review: When your Exchange server goes down

WANSync HA Exchange beats out three others for our Clear Choice designation in our test of Microsoft Exchange disaster-recovery wares. Network World, 05/03/04.

http://www.nwfusion.com/reviews/2004/0503rev.html?nl

MCI strengthens security services

Fresh out of bankruptcy, MCI last week introduced a slew of services that the carrier says show it is getting increasingly serious about security. Network World, 05/03/04.

http://www.nwfusion.com/news/2004/0503mci.html?nl

DoD issues wireless defense orders

After two years of internal policy debate, the U.S. Department of Defense last week issued rules that all branches of the military - as well as contractors and visitors - must follow to secure commercial wireless equipment and services. Network World, 05/03/04.

http://www.nwfusion.com/news/2004/0503dod.html?nl

IPolicy releases multifunction firewall

Security vendor iPolicy Networks this week unveiled a multifunction VPN/firewall that can let customers block viruses, spam and Web access either at the Internet perimeter or inside the corporate LAN as a partition. Network World, 05/03/04.

http://www.nwfusion.com/news/2004/0503ipolicy.html?nl

SSL appliance on tap from Check Point

Check Point is coming out with a Secure Sockets Layer remote-access appliance that screens for malicious code that might compromise corporate resources being accessed by remote users. Network World, 05/03/04.

http://www.nwfusion.com/news/2004/0503checkpoint.html?nl

Mohegan Sun won't gamble on insider threat

The Mohegan Sun casino is a business built on risk. But when it comes to the threat posed by rogue employees and internal hackers, the Connecticut mega complex, owned by the Mohegan Tribe, isn't taking any chances. IDG News Service, 04/30/04.

http://www.nwfusion.com/news/2004/0430mohegsun.html?nl

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2004 IDG Communications, Inc.