iDefense warns of flaw in Sophos anti-virus

Opinion
Jul 18, 20056 mins

* Potpourri of Linux-related patches * Beware new Mytob variant spreading via e-mail with message, "your password has been updated" * Virus scanner bug cost Trend Micro $8 million, and other interesting reading

We’ve got a potpourri of mainly Linux-related patches, so we’re going to go with abbreviated descriptions to get them all out there. Happy patching!

Today’s bug patches and security alerts:

iDefense warns of flaw in Sophos anti-virus

Security researchers at iDefense have found a flaw in the way Sophos’ anti-virus system handles ZIP files. An attacker could exploit this in a denial-of-service attack. Sophos has released an update that should download automatically for most users or it can be grabbed manually from:

https://www.sophos.com/support/updates

iDenfense advisory:

http://www.networkworld.com/go2/0718bug1a.html

**********

SquirrelMail 1.4.5 released

This latest SquirrelMail release fixes a number of security vulnerabilities found in previous releases. For more, go to:

https://www.squirrelmail.org/security/issue/2005-07-13

**********

Trustix releases “multi” patch

The latest update from Trustix fixes flaws in kerberos5, the kernel and php4. The most serious of the flaws could be exploited to run malicious code on the affected machine. For more, go to:

https://www.trustix.org/errata/2005/0036/

**********

Latest Debian Linux updates:

ppxp (privilege release):

https://www.debian.org/security/2005/dsa-725

crip (insecure temporary files):

https://www.debian.org/security/2005/dsa-733

gaim (DoS):

https://www.debian.org/security/2005/dsa-734

cvs (buffer overflow):

https://www.debian.org/security/2005/dsa-742

ht (multiple overflows):

https://www.debian.org/security/2005/dsa-743

fuse (information disclosure):

https://www.debian.org/security/2005/dsa-744

drupal (arbitrary commands):

https://www.debian.org/security/2005/dsa-745

phpGroupWare (PHP script injection):

https://www.debian.org/security/2005/dsa-746

Ruby (XML-RPC script injection):

https://www.debian.org/security/2005/dsa-748

ettercap (malicious code execution):

https://www.debian.org/security/2005/dsa-749

dhcpcd (DoS flaw):

https://www.debian.org/security/2005/dsa-750

squid (IP spoofing):

https://www.debian.org/security/2005/dsa-751

gzip (multiple flaws):

https://www.debian.org/security/2005/dsa-752

gedit (format string flaw):

https://www.debian.org/security/2005/dsa-753

centericq (insecure temporary files):

https://www.debian.org/security/2005/dsa-754

tiff (buffer overflow):

https://www.debian.org/security/2005/dsa-755

squirrelmail (multiple vulnerabilities):

https://www.debian.org/security/2005/dsa-756

**********

The latest updates from Gentoo Linux:

dhcpcd (DoS flaw):

https://security.gentoo.org/glsa/glsa-200507-16.xml

PHP (XML-RPC script injection):

https://security.gentoo.org/glsa/glsa-200507-15.xml

Firefox (multiple flaws):

https://security.gentoo.org/glsa/glsa-200507-14.xml

pam_ldap and nss_ldap (authentication data leak):

https://security.gentoo.org/glsa/glsa-200507-13.xml

Bugzilla (unauthorized access):

https://security.gentoo.org/glsa/glsa-200507-12.xml

Ruby (XML-RPC script injection):

https://security.gentoo.org/glsa/glsa-200507-10.xml

Acrobat Reader (buffer overflow):

https://security.gentoo.org/glsa/glsa-200507-09.xml

phpGroupWare (PHP script injection):

https://security.gentoo.org/glsa/glsa-200507-08.xml

phpWebSite (multiple flaws):

https://security.gentoo.org/glsa/glsa-200507-07.xml

**********

Mandriva Linux updates:

ClamAV (DoS):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:113

leafnode (multiple vulnerabilities):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:114

mplayer (heap overflows):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:115

cpio (race condition):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:116

dhcpcd (DoS flaw):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:117

Ruby (XML-RPC script injection):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:118

Kerberos5 (multiple flaws):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:119

Firefox (multiple flaws):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:120

**********

Fedora Legacy recent upadtes:

openssh (insecure file creation):

http://www.networkworld.com/go2/0718bug1b.html

telnet (buffer overflows):

http://www.networkworld.com/go2/0718bug1c.html

ImageMagick (multiple flaws):

http://www.networkworld.com/go2/0718bug1d.html

dhcp (format string vulnerability):

http://www.networkworld.com/go2/0718bug1e.html

mailman (buffer overflow):

http://www.networkworld.com/go2/0718bug1f.html

gFTP (directory traversal):

http://www.networkworld.com/go2/0718bug1g.html

sharutils (symlink attack vulnerability):

http://www.networkworld.com/go2/0718bug1h.html

php (XML-RPC script injection):

http://www.networkworld.com/go2/0718bug1i.html

**********

Ubuntu advisories:

Linux AMD64 kernel (DoS flaw):

https://www.ubuntulinux.org/support/documentation/usn/usn-143-1

wget (multiple flaws):

https://www.ubuntulinux.org/support/documentation/usn/usn-145-1

Ruby (XML-RPC script injection):

https://www.ubuntulinux.org/support/documentation/usn/usn-146-1

**********

Today’s roundup of virus alerts:

Troj/Fishnat-A — A phishing Trojan that fakes a login for a specific bank, looking for user name and password information. (Sophos)

Troj/BindFil-G — A password-stealing Trojan that drops “winapi.dll” on the infected machine. (Sophos)

W32/Rbot-AGW — An Rbot variant that spreads through network shares and allows backdoor access via IRC. It drops “winupdat32.exe” in the infected machine’s Windows system folder. (Sophos)

W32/Rbot-AHZ — Another IRC backdoor Rbot variant. This one installs itself as “testtts.exe”. (Sophos)

W32/Mytob-DP — This new Mytob variant spreads through e-mail using a “your password has been updated” message. It drops “kaspersky.exe” on the infected machine, terminates certain anti-virus applications and prevents access to security sites by modifying the Windows HOSTS file. (Sophos)

Troj/FakeAle-D — A virus that changes the Internet Explorer default settings and changes the Windows background to a fake error message. It drops “wp.bmp” and “wp.exe” in the root directory. (Sophos)

WM97/Sundor-A — A Microsoft Word macro virus that displays a picture of an alien on the infected machine. It also attempts to delete documents and other files. (Sophos)

W32/Francette-T — An IRC Trojan that spreads through network shares by exploiting a number of well known Windows vulnerabilities. It targets specific Internet banking sites, looking for username and password information. (Sophos)

W32/Forbot-FD — A Forbot variant that spreads through network shares by exploiting known Windows flaws and contains a mass-mailing capability. The mail messages look like account warning messages. It will install “svchosts.exe” in the Windows system directly. (Sophos)

W32/Kalel-D — An e-mail worm that looks like an e-mail account storage warning. The infected message is titled “**NOTICE** Mailbox Limitation” and contains the attachment “mailbox_rules.zip”. It can be used to log keystrokes. (Sophos)

Troj/DlDial-A — A Trojan that terminates any existing dial-up connection and reconnects to a premium-rate service. (Sophos)

W32/Lebreat-A — An e-mail worm that attempts to exploit the Windows LSASS vulnerability. The infected message warns of a credit card charge of $500.00. It opens an FTP connection on port 8885 and attempts to download “update3.exe” from a remote site. (Sophos, F-Secure)

W32/Lebreat-B — Another similar Lebtreat variant. This one also attempts a denial-of-service attack against symantec.com. (Sophos)

W32/Lebreat-C — A third Lebtreat variant. This one uses a temporary file “xzy6.tmp”. (Sophos)

**********

From the interesting reading department:

Virus scanner bug cost Trend Micro $8 million

Anti-virus software vendor Trend Micro Thursday said that a bug in its own software that affected thousands of customers has cost the company $8 million. The issue has also forced it to lower its revenue and profit forecasts for the April to June quarter. IDG News Service, 07/14/05.

http://www.networkworld.com/go2/0718bug1j.html

VeriSign buys security researcher iDefense for $40 million

Looking to flesh out its line of managed security services products, VeriSign has snapped up network security researcher iDefense. The $40 million cash acquisition was completed Wednesday, according to VeriSign. IDG News Service, 07/14/05.

http://www.networkworld.com/go2/0718bug1k.html