* Patches from Gentoo, HP, Mandriva, others
* Beware BlackWorm
* Harvard and Oxford team with Consumer Reports on 'Badware', and other interesting reading

Today’s bug patches and security alerts:

VoIP vulnerability may be over-hyped, analyst says

The surfacing of a pair of flaws in Cisco’s CallManager IP telephony servers last week raises the hot-button issue of how to secure enterprise VoIP networks from attacks. But one industry expert says the threat of an attacker or virus taking down a business’s IP PBX or VoIP network is more phantom than menace. NetworkWorld.com, 01/24/06.
http://www.networkworld.com/news/2006/012406-cisco-flaw.html

**********

More KDE updates available

As we reported earlier this week, a vulnerability in the KDE desktop environment could result in a critical hole in most Linux installations that use the platform. More related updates are available:

Gentoo:
http://security.gentoo.org/glsa/glsa-200601-11.xml

Ubuntu:
http://www.networkworld.com/go2/0123bug2e.html

**********

Gentoo patches Trac

According to a Gentoo advisory, “Trac is vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.” For more, go to:
https://security.gentoo.org/glsa/glsa-200601-12.xml

**********

HP patches HP-UX flaw

A vulnerability in the HP-UX operating system could be exploited by a local user to gain elevated privileges. For more, go to:
https://www.securityfocus.com/archive/1/423125/30/0/threaded

HP releases fix for Oracle for OpenView

According to the HP advisory, “Oracle has issued a Critical Patch Update which contains solutions for a number of potential security vulnerabilities. These vulnerabilities may be exploited locally or remotely to compromise the confidentiality, availability or integrity of Oracle for OpenView (OfO).” For more, go to:
https://www.securityfocus.com/archive/1/423140/30/0/threaded

**********

Recent updates from Debian:

lsh-utils (file description leak):
https://www.debian.org/security/2006/dsa-956

mailman (denial of service):
https://www.debian.org/security/2006/dsa-955

wine (code execution):
https://www.debian.org/security/2006/dsa-954

flyspray (script execution):
https://www.debian.org/security/2006/dsa-953

clamav (heap overflow):
https://www.debian.org/security/2006/dsa-947

**********

New updates for FreeBSD:

kmem (buffer overflow, password disclosure):
http://www.networkworld.com/go2/0123bug2d.html

packet filter (system panic):
http://www.networkworld.com/go2/0123bug2c.html

**********

Recent patches from Mandriva:

ipsec-tools (denial of service):
https://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:020

mozilla-thunderbird (code execution):
https://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:021

**********

Today’s roundup of virus alerts:

BlackWorm Summary

Over the last week, “BlackWorm” infected more than 700,000 systems as measured using a counter Web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user’s files on February 3rd. ISC Handler’s Diary, 01/24/06.
https://isc.sans.org/blackworm

Troj/Haxdoor-AS — A backdoor Trojan that steals username and password data. It is installed as “satdll.dll” in the Windows System folder. (Sophos)

W32/Sdbot-ALZ — Another new variant of the Sdbot worm that allows backdoor access through IRC. This one drops an infected copy of “svchosts.exe” in the Windows System folder. (Sophos)

W32/Sdbot-AOS — A second Sdbot variant that exploits known Windows flaws as it spreads through network shares. It drops “win32ssr.exe” in the Windows System folder. (Sophos)

W32/Sdbot-AQH — The third Sdbot Trojan of the day is similar to the previous two, except it places “RpcCenter.exe” in the Windows System folder. (Sophos)

W32/Doxpar-F — A Windows worm that spreads through network shares by exploiting known vulnerabilities. It drops a number of files on the host, including “Cokmgl32.dll” in the System directory. (Sophos)

Troj/Mdrop-KZ — A Trojan that seems to just drop useless files on the infected host: “cache.exe” and “brun32.exe”, both in the current folder. (Sophos)

Troj/VB-TC — A virus that steals information by popping up a dialog box claiming to be from AOL asking for personal information. It uploads the captured data to a remote site via FTP. It copies itself to the Startup folder as “AOLUpdate.scr”. (Sophos)

W32/Rbot-BSC — A new Rbot variant that spreads through network shares and allows backdoor access via IRC. It installs “snddrv.exe” in the Windows System directory. (Sophos)

W32/Rbot-BKA — The second Rbot variant of the day uses the file “outlook.exe” in the Windows System directory as its infection point. It too allows backdoor access via IRC. (Sophos)

W32/Rbot-BLC — A third new Rbot variant. This one exploits a number of known Windows flaws in its attempt to spread through network shares. It drops “Acrord32.exe” in the Windows System folder. (Sophos)

W32/Feebs-E — An e-mail worm that arrives from a “Protected Message service” and through peer-to-peer networks. It drops “ms.exe” in the Windows System folder as well as “ms32.dll”. The virus pops up an HTML form that tries to collect information from the user. (Sophos)

Troj/FeebDl-A — This Trojan attempts to download and decode a number of different executables, installing them as “userinit.exe” in the “recycled” directory. (Sophos)

W32/Fasong-I — A virus that searches for running processes on the infected machine and copies itself into them to avoid detection. The code of the virus contains an SMTP engine that could be used for mailing out infected messages. (Sophos)

Troj/Zlob-BC — A virus that attempts to download additional malicious executables from a remote site. It drops “mssearch.exe” in the Windows System folder and displays a number of fake error messages on the infected host. (Sophos)

Troj/BagleDl-BJ — A Trojan that drops “im_1.exe” and “im_2.exe” in the Windows System folder of the infected host and tries to download additional malicious code from a number of predefined sites. (Sophos)

Troj/GrayBrd-BN — A Windows Trojan that installs itself as “G_Server2.0.exe” in the Windows System folder. (Sophos)

Troj/Dloadr-ADA — A downloader Trojan that can communicate with remote sites via HTTP. It drops “winupd.exe” in the Windows System directory. (Sophos)

**********

From the interesting reading department:

Harvard and Oxford team with Consumer Reports on ‘Badware’

Academic institutions Harvard University and Oxford University are teaming with Consumer Reports to launch a Web site called StopBadware.org to be an online ‘hall of shame’ for those trafficking in spyware or questionable forms of adware. Network World, 01/25/06.
http://www.networkworld.com/go2/0123bug2b.html

Most businesses don’t enforce mobile security policy

Enterprises are doing a poor job of securing workers’ handheld devices, according to a report released Thursday by Orange and Quocirca. IDG News Service, 01/26/06.
http://www.networkworld.com/news/2006/012606-mobile-security.html

Microsoft readies two-way firewall for Vista

Microsoft is readying a new highly configurable firewall for its upcoming Windows Vista operating system that is designed to give administrators much greater control over which applications are allowed to run on the systems they manage.
IDG News Service, 01/25/06.
http://www.networkworld.com/go2/0123bug2a.html