Sendmail security flaw patched

Mar 23, 2006

* Patches from Sendmail, HP, Debian, others
* Beware new type of malicious software dubbed "rootkit hearse"
* IRS, security vendors warn of tax phishers, and other interesting reading

Quick correction: In our last newsletter we mentioned a flaw in Adobe Flash player and that users should upgrade to the latest version. The latest version is 8.0.24, not 8.0.22 as we previously reported. Fortunately, once you select to upgrade Flash Player it automatically grabs the newest version.

Also, Gentoo has released an update related to this flaw.

Thanks to those of you who caught the error.

Today’s bug patches and security alerts:

Sendmail security flaw identified, patch issued

Internet Security Systems said it has uncovered a flaw in the most recent version of the Sendmail open source code used primarily in Unix-based and some Windows-based e-mail gateways. 03/22/06.

Related advisories and updates:

Sendmail advisory

ISS advisory

US-CERT advisory

FreeBSD update

Gentoo update

OpenPKG update

SuSE update


Microsoft to update IE after bugs

Microsoft is readying an update to Internet Explorer following the recent discovery of two unpatched IE vulnerabilities, including one bug that could allow attackers to seize control of a victim’s PC. IDG News Service, 03/21/06.

Microsoft note on the issue


Symantec warns of flaws in Backup Exec for Windows

A buffer overflow in Backup Exec for Windows’ job logging function could be exploited to run malicious code on the affected machine. Only implementations with job logging turned on are affected. An update is available.


HP patches usermod for HP-UX

According to an advisory from HP, “A vulnerability has been identified with certain versions of the HP-UX usermod(1M) command. A certain combination of options can result in recursively changing the ownership of all directories and files under a user’s new home directory. This may result in unauthorized access to these directories and files.” A patch is available from the HP IT Resource Center.

HP patches VirtualVault running Apache

A flaw in VirtualVault implementations run on HP-UX with Apache Web servers could be exploited by a remote user to gain unauthorized access to the infected host. Patches are available from the HP IT Resource Center.

HP patches Apache for HP-UX

Multiple vulnerabilities have been found in the Apache Web server code for HP-UX. An attacker could exploit these in a denial-of-service attack or to potentially run malicious code on the affected host. Patches are available from the HP IT Resource Center.


The latest updates from Debian:

crossfire (buffer overflow, code execution)

ilohamail (missing input sanitization, script injection)

kernel-patch-vserver (multiple flaws)

unzip (buffer overflow, code execution)

snmptrapfmt (poorly secured temp files)

libmail-audit-perl (poorly secured temp files)


New updates from FreeBSD:

IPsec (anti-replay function issues)

OPIE (arbitrary password change)


New fixes from Gentoo:

PeerCast (buffer overflow, code execution)

Pngcrush (buffer overflow, code execution)

cURL/libcurl (buffer overflow)


New patches from Mandriva:

xorg-x11 (root privileges, code execution)

cairo (denial of service)


Today’s roundup of virus alerts:

Trojan horse? Researchers warn of Trojan hearse

Security researchers at Sana Security are warning of a new type of malicious software designed to steal usernames and passwords from Web surfers. The malware, dubbed “rootkit.hearse,” uses rootkit cloaking techniques, making it extremely difficult to detect. IDG News Service, 03/21/06.

Troj/Banload-VI — A Trojan that accesses the ‘Net via HTTP and drops “defrag.exe” in the Windows System folder. (Sophos)

Troj/Clagger-K and L — This Trojan spreads through an e-mail message (Spam) that looks like it is from It drops “suhoy112.exe” in the Windows folder. (Sophos)

Troj/Bancban-OJ — This Bancban variant is very similar to its predecessors in that it can communicate with remote sites via HTTP. It is installed as “taskmam.exe” in the Windows System directory. (Sophos)

W32/Kassbot-M — A Trojan that shares access to the infected host via HTTP. It spreads through network shares by exploiting weak passwords and known Windows vulnerabilities. It is installed as “JavaPlatform” in the Windows directory. (Sophos)

Troj/Agent-ATC and ATM — A downloader Trojan that tries to grab malicious files from a preconfigured site. The Trojan is initially installed as “w.exe” in the C: root directory. (Sophos)

W32/Tilebot-EE — This Tilebot variant allows remote control of the infected host via an IRC channel. It is installed in the Windows directory as “win32ssr.exe”. (Sophos)

W32/Rbot-CSC — A backdoor worm that spreads through network shares by exploiting known Windows flaws. It is installed as “vmmon32.exe” in the Windows System folder. (Sophos)

Troj/Corpse-A — A proxy Trojan that routes Internet traffic through the infected host. It is installed as “EPLRR3.DLL” in the Windows System directory. (Sophos)

Troj/VB-API — This Trojan tries to modify the security settings for Internet Explorer. It is installed as “ntxp2.exe”. (Sophos)

Troj/Swizzor-AW — A Trojan that hides itself in the iexplorer.exe process and is used to download adware to the infected host. It also drops a number of links in the Favorite folders to “preferred” sites. (Sophos)


From the interesting reading department:

IRS, security vendors warn of tax phishers

U.S. taxpayers aren’t the only ones busy as the April 15 tax filing deadline approaches. Identity thieves posing as the Internal Revenue Service (IRS) have also been active, sending out hundreds of thousands of phony “phishing” e-mail messages, according to the IRS and security vendors Symantec and Websense. IDG News Service, 03/20/06.

Panel explores roots of spyware, adware

Following the money trail behind the flood of spyware and adware on the Internet poses some sticky questions around liability, said a panel of spyware experts at a workshop in New York on Friday. IDG News Service, 03/20/06.