* Potpourri of Linux-related patches * Beware new Mytob variant spreading via e-mail with message, "your password has been updated" * Virus scanner bug cost Trend Micro $8 million, and other interesting reading
We’ve got a potpourri of mainly Linux-related patches, so we’re going to go with abbreviated descriptions to get them all out there. Happy patching!
Today’s bug patches and security alerts:
iDefense warns of flaw in Sophos anti-virus
Security researchers at iDefense have found a flaw in the way Sophos’ anti-virus system handles ZIP files. An attacker could exploit this in a denial-of-service attack. Sophos has released an update that should download automatically for most users or it can be grabbed manually from:
https://www.sophos.com/support/updates
iDenfense advisory:
http://www.networkworld.com/go2/0718bug1a.html
**********
SquirrelMail 1.4.5 released
This latest SquirrelMail release fixes a number of security vulnerabilities found in previous releases. For more, go to:
https://www.squirrelmail.org/security/issue/2005-07-13
**********
Trustix releases “multi” patch
The latest update from Trustix fixes flaws in kerberos5, the kernel and php4. The most serious of the flaws could be exploited to run malicious code on the affected machine. For more, go to:
https://www.trustix.org/errata/2005/0036/
**********
Latest Debian Linux updates:
ppxp (privilege release):
https://www.debian.org/security/2005/dsa-725
crip (insecure temporary files):
https://www.debian.org/security/2005/dsa-733
gaim (DoS):
https://www.debian.org/security/2005/dsa-734
cvs (buffer overflow):
https://www.debian.org/security/2005/dsa-742
ht (multiple overflows):
https://www.debian.org/security/2005/dsa-743
fuse (information disclosure):
https://www.debian.org/security/2005/dsa-744
drupal (arbitrary commands):
https://www.debian.org/security/2005/dsa-745
phpGroupWare (PHP script injection):
https://www.debian.org/security/2005/dsa-746
Ruby (XML-RPC script injection):
https://www.debian.org/security/2005/dsa-748
ettercap (malicious code execution):
https://www.debian.org/security/2005/dsa-749
dhcpcd (DoS flaw):
https://www.debian.org/security/2005/dsa-750
squid (IP spoofing):
https://www.debian.org/security/2005/dsa-751
gzip (multiple flaws):
https://www.debian.org/security/2005/dsa-752
gedit (format string flaw):
https://www.debian.org/security/2005/dsa-753
centericq (insecure temporary files):
https://www.debian.org/security/2005/dsa-754
tiff (buffer overflow):
https://www.debian.org/security/2005/dsa-755
squirrelmail (multiple vulnerabilities):
https://www.debian.org/security/2005/dsa-756
**********
The latest updates from Gentoo Linux:
dhcpcd (DoS flaw):
https://security.gentoo.org/glsa/glsa-200507-16.xml
PHP (XML-RPC script injection):
https://security.gentoo.org/glsa/glsa-200507-15.xml
Firefox (multiple flaws):
https://security.gentoo.org/glsa/glsa-200507-14.xml
pam_ldap and nss_ldap (authentication data leak):
https://security.gentoo.org/glsa/glsa-200507-13.xml
Bugzilla (unauthorized access):
https://security.gentoo.org/glsa/glsa-200507-12.xml
Ruby (XML-RPC script injection):
https://security.gentoo.org/glsa/glsa-200507-10.xml
Acrobat Reader (buffer overflow):
https://security.gentoo.org/glsa/glsa-200507-09.xml
phpGroupWare (PHP script injection):
https://security.gentoo.org/glsa/glsa-200507-08.xml
phpWebSite (multiple flaws):
https://security.gentoo.org/glsa/glsa-200507-07.xml
**********
Mandriva Linux updates:
ClamAV (DoS):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:113
leafnode (multiple vulnerabilities):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:114
mplayer (heap overflows):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:115
cpio (race condition):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:116
dhcpcd (DoS flaw):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:117
Ruby (XML-RPC script injection):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:118
Kerberos5 (multiple flaws):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:119
Firefox (multiple flaws):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:120
**********
Fedora Legacy recent upadtes:
openssh (insecure file creation):
http://www.networkworld.com/go2/0718bug1b.html
telnet (buffer overflows):
http://www.networkworld.com/go2/0718bug1c.html
ImageMagick (multiple flaws):
http://www.networkworld.com/go2/0718bug1d.html
dhcp (format string vulnerability):
http://www.networkworld.com/go2/0718bug1e.html
mailman (buffer overflow):
http://www.networkworld.com/go2/0718bug1f.html
gFTP (directory traversal):
http://www.networkworld.com/go2/0718bug1g.html
sharutils (symlink attack vulnerability):
http://www.networkworld.com/go2/0718bug1h.html
php (XML-RPC script injection):
http://www.networkworld.com/go2/0718bug1i.html
**********
Ubuntu advisories:
Linux AMD64 kernel (DoS flaw):
https://www.ubuntulinux.org/support/documentation/usn/usn-143-1
wget (multiple flaws):
https://www.ubuntulinux.org/support/documentation/usn/usn-145-1
Ruby (XML-RPC script injection):
https://www.ubuntulinux.org/support/documentation/usn/usn-146-1
**********
Today’s roundup of virus alerts:
Troj/Fishnat-A — A phishing Trojan that fakes a login for a specific bank, looking for user name and password information. (Sophos)
Troj/BindFil-G — A password-stealing Trojan that drops “winapi.dll” on the infected machine. (Sophos)
W32/Rbot-AGW — An Rbot variant that spreads through network shares and allows backdoor access via IRC. It drops “winupdat32.exe” in the infected machine’s Windows system folder. (Sophos)
W32/Rbot-AHZ — Another IRC backdoor Rbot variant. This one installs itself as “testtts.exe”. (Sophos)
W32/Mytob-DP — This new Mytob variant spreads through e-mail using a “your password has been updated” message. It drops “kaspersky.exe” on the infected machine, terminates certain anti-virus applications and prevents access to security sites by modifying the Windows HOSTS file. (Sophos)
Troj/FakeAle-D — A virus that changes the Internet Explorer default settings and changes the Windows background to a fake error message. It drops “wp.bmp” and “wp.exe” in the root directory. (Sophos)
WM97/Sundor-A — A Microsoft Word macro virus that displays a picture of an alien on the infected machine. It also attempts to delete documents and other files. (Sophos)
W32/Francette-T — An IRC Trojan that spreads through network shares by exploiting a number of well known Windows vulnerabilities. It targets specific Internet banking sites, looking for username and password information. (Sophos)
W32/Forbot-FD — A Forbot variant that spreads through network shares by exploiting known Windows flaws and contains a mass-mailing capability. The mail messages look like account warning messages. It will install “svchosts.exe” in the Windows system directly. (Sophos)
W32/Kalel-D — An e-mail worm that looks like an e-mail account storage warning. The infected message is titled “**NOTICE** Mailbox Limitation” and contains the attachment “mailbox_rules.zip”. It can be used to log keystrokes. (Sophos)
Troj/DlDial-A — A Trojan that terminates any existing dial-up connection and reconnects to a premium-rate service. (Sophos)
W32/Lebreat-A — An e-mail worm that attempts to exploit the Windows LSASS vulnerability. The infected message warns of a credit card charge of $500.00. It opens an FTP connection on port 8885 and attempts to download “update3.exe” from a remote site. (Sophos, F-Secure)
W32/Lebreat-B — Another similar Lebtreat variant. This one also attempts a denial-of-service attack against symantec.com. (Sophos)
W32/Lebreat-C — A third Lebtreat variant. This one uses a temporary file “xzy6.tmp”. (Sophos)
**********
From the interesting reading department:
Virus scanner bug cost Trend Micro $8 million
Anti-virus software vendor Trend Micro Thursday said that a bug in its own software that affected thousands of customers has cost the company $8 million. The issue has also forced it to lower its revenue and profit forecasts for the April to June quarter. IDG News Service, 07/14/05.
http://www.networkworld.com/go2/0718bug1j.html
VeriSign buys security researcher iDefense for $40 million
Looking to flesh out its line of managed security services products, VeriSign has snapped up network security researcher iDefense. The $40 million cash acquisition was completed Wednesday, according to VeriSign. IDG News Service, 07/14/05.
http://www.networkworld.com/go2/0718bug1k.html




