Flaw in Novell GroupWise Webaccess

Opinion
Jul 25, 20055 mins

* Patches from Debian, HP, Gentoo, others * Beware latest Mytob variants

Today’s bug patches and security alerts:

Flaw in Novell GroupWise Webaccess

A cross-scripting vulnerability has been discovered in the Novell GroupWise Webaccess client. An attacker could send a specially crafted message that when opened through the Webaccess client, could execute on the local system. For more, go to:

https://securitytracker.com/alerts/2005/Jul/1014515.html

Novell advisory:

http://www.networkworld.com/go2/0725bug1a.html

**********

Debian patches heimdal

A buffer overflow in Debian’s implementation of Heimdal could be exploited to run malicious code on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-765

Debian issues fix for ekg

A number of flaws have been found in ekg, a instant messenger application. The most serious of the flaws could be exploited to run malicious code on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-760

Debian updates phppgadmin

According to an alert from Debian, “A vulnerability has been discovered in phppgadmin, a set of PHP scripts to administrate PostgreSQL over the WWW, that can lead to disclose sensitive information. Successful exploitation requires that “magic_quotes_gpc” is disabled.” For more, go to:

https://www.debian.org/security/2005/dsa-759

Debian patches krb5

Two flaws in the MIT Kerberos 5 system (krb5) could be exploited to run arbitrary code on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-757

**********

HP patches TCP/IP stack flaw in HP-UX

According to an alert from HP, “Several potential security vulnerabilities have been identified in the HP Tru64 UNIX TCP/IP including ICMP, and Initial Sequence Number generation (ISN). These exploits could result in a remote denial-of-service from network throughput reduction for TCP connections, the reset of TCP connections, or TCP spoofing.” For more, go to:

https://www.securityfocus.com/archive/1/405647/30/60/threaded

**********

KDE warns of flaw in Kate

A flaw in the way file permissions are set when Kate restores files to system could allow more liberal access to files after a restore. For more, go to:

https://www.kde.org/info/security/advisory-20050718-1.txt

Related patches:

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:122

Ubuntu:

https://www.ubuntulinux.org/support/documentation/usn/usn-150-1

**********

Zlib flaw patched

A flaw in the way zlib, a file compression/decompression utility, handles compressed files could be exploited to crash the application. For more, go to:

Debian:

https://www.debian.org/security/2005/dsa-763

Gentoo:

https://security.gentoo.org/glsa/glsa-200507-19.xml

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:124

Ubuntu:

https://www.ubuntulinux.org/support/documentation/usn/usn-151-1

**********

Gentoo patches Mozilla Thunderbird

A new update for the Mozilla-based Thunderbird browser could be exploited to run script with elevated privileges on the affected machine. For more, go to:

https://security.gentoo.org/glsa/glsa-200507-17.xml

**********

Mandriva patches nss_ldap

According to Mandriva, “Rob Holland, of the Gentoo Security Audit Team, discovered that pam_ldap and nss_ldap would not use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the “ssl start_tls” setting in ldap.conf.” For more, go to:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:121

**********

Today’s roundup of virus alerts:

W32/Opanki-F — A backdoor Trojan that allows access via IRC and spreads through AOL Instant Messenger using the text “hehe i promise it wasn’t me “. It installs itself as “taskbar.exe”. (Sophos)

W32/Kelvir-AQ — Another worm that spreads through instant messaging, this time Microsoft Messenger with the text “wtff why are you in this crazy site?”. (Sophos)

W32/Kelvir-AR — Another Kelvir variant that attempts to direct people to a malicious Web site, which has been taken offline. (Sophos)

Troj/Brospy-A — A worm that harvests passwords and username information from the infected machine, sending the data to a specified e-mail address. It drops “appwiz.dll” in the Windows System folder. (Sophos)

Troj/Bancos-DH — This worm displays fake login pages for banking sites as a means of gathering username and password data. It drops “comdlg32.ocx” in the Windows System folder. (Sophos)

W32/Rbot-AGW — A new Rbot variant that spreads through network shares, dropping “winupdat32.exe” in the Windows System folder. It allows backdoor access through an IRC channel. (Sophos)

Troj/Borobot-I — This backdoor worm spreads through network shares and drops “msupdate.exe” on its host. (Sophos)

Troj/Iyus-N — A downloader Trojan that drops two files, “setting.inf” and “install.exe”. It also disables security applications running on the infected machine. (Sophos)

Troj/Bancban-DV — A password stealing Trojan that targets Brazilian banking sites. It drops “imgrt.scr” in the Windows System folder. (Sophos)

W32/Mytob-DU — The latest Mytob variant spreads through e-mail, exploiting the Windows LSASS vulnerability. It drops “taskgmrs.exe” in the Windows System folder. (Sophos)

W32/Mytob-IN — Another Mytob variant. This one uses a message that looks like something sent to a member of a group, alerting of them of a password update. It drops “memloader.exe” in the Windows System folder, prevents access to security site by modifying the Windows HOSTS file and disables security applications. (Sophos)