Major fixes from Microsoft, Cisco and others

Opinion
Jul 14, 20057 mins

* Patches from Microsoft, Cisco, Oracle, others * Beware hackers exploiting the London terrorist attacks with e-mail worm * Cybercrooks lure citizens into international crime

I wanted to share this quote from the New York Times’ John Tierney regarding the recent sentencing of the Sasser worm author:

“Make the hacker spend 16 hours a day fielding help desk inquiries in an AOL chat room for computer novices. Force him to do this with a user name at least as uncool as KoolDude and to work on a vintage IBM PC with a 2400-baud dial-up connection. Most painful of all for any geek, make him use Windows 95 for the rest of his life.”

Exactly. You can read the whole thing here:

https://www.nytimes.com/2005/07/12/opinion/12tierney.html

[Full disclosure: I originally saw the quote in the GMSV newsletter from the San Jose Mercury news.]

Today’s bug patches and security alerts:

Microsoft patches IE, Word, Windows

Microsoft has released three software updates that patch critical security flaws in its products, including a patch for an Internet Explorer vulnerability that was first reported last week. The company also released patches for Microsoft Word and for a feature of the Windows operating system that is used by a number of applications. All three of the patches, which Microsoft calls “updates,” are rated “critical,” meaning that the flaws they fix could allow malicious code to be installed on a user’s computer with very little user action. The updates affect current versions of Window sand Internet Explorer as well as certain older versions of Word, according to Stephen Toulouse, security program manager with Microsoft’s security response center. IDG News Service, 07/12/05.

http://www.networkworld.com/news/2005/071205-microsoft-patch.html

Microsoft advisories:

Vulnerability in JView Profiler Could Allow Remote Code Execution:

https://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx

Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution:

https://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx

Vulnerability in Microsoft Word Could Allow Remote Code Execution:

https://www.microsoft.com/technet/security/Bulletin/MS05-035.mspx

Related advisories:

CERT:

https://www.us-cert.gov/cas/techalerts/TA05-193A.html

ISS – Microsoft Image Color Management flaw:

https://xforce.iss.net/xforce/alerts/id/199m

iDefense – Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow:

http://www.networkworld.com/go2/0711bug2a.html

**********

Cisco patches CallManager flaws

Cisco has released an update for its popular CallManager voice over IP system that fixes a number of flaws. According to an advisory from the company, “Cisco CallManager 3.3 and earlier, 4.0, and 4.1 are vulnerable to denial-of-service attacks, memory leaks, and memory corruption which may result in services being interrupted, servers rebooting, or arbitrary code being executed.” For more, go to:

https://www.cisco.com/warp/public/707/cisco-sa-20050712-ccm.shtml

Related ISS advisory:

https://xforce.iss.net/xforce/alerts/id/200

Cisco fixes ONS 15216 OADM Telnet Denial-of-Service

According to Cisco, “The Cisco ONS 15216 OADM (Optical Add/Drop Multiplexer) contains a vulnerability in the handling of telnet sessions that can cause a denial-of-service condition in the management plane. Traffic going through the Cisco ONS 15216 OADM (i.e. transit traffic), is not affected when the management plane is under a denial-of-service condition. However, clearing the denial-of-service condition on the management plane requires resetting the device, which impacts transit traffic.” For more, go to:

https://www.cisco.com/warp/public/707/cisco-sa-20050713-ons.shtml

Cisco issues fix for Security Agent vulnerability

Cisco’s Security Agent network security software is vulnerable to a denial-of-service attack. The attacker would have to continually send specially crafted IP packets through the system in order to exploit the flaw. For more, go to:

https://www.cisco.com/warp/public/707/cisco-sa-20050713-csa.shtml

**********

Oracle releases critical security updates

Oracle has released its latest quarterly batch of security updates, offering fixes for several dozen security flaws in its database, application server, business applications and other products. IDG News Service, 07/13/05.

http://www.networkworld.com/news/2005/071305-oracle-security.html

Oracle advisory:

http://www.networkworld.com/go2/0711bug2b.html

Related CERT advisory:

https://www.us-cert.gov/cas/techalerts/TA05-194A.html

**********

Mozilla patches bugs in Firefox, Thunderbird

The Mozilla Foundation Tuesday fixed a number of security bugs in its Firefox Web browser, many of which will also be patched in upcoming releases of Mozilla’s Thunderbird e-mail client and Mozilla Internet software suite. IDG News Service, 07/12/05.

http://www.networkworld.com/news/2005/071205-mozilla-patch.html?nl

**********

Flaw in Lotus Notes Webmail interface

SecurityTracker is warning of flaw in the Lotus Notes Webmail interface that could allow HTML attachments to be opened and executed without warning. An attacker could exploit this by adding malicious code to the  HTML page. For more, go to:

https://securitytracker.com/alerts/2005/Jul/1014440.html

**********

Apple releases Mac OS X v10.4.2 update

A new Mac OS X update from Apple fixes flaws in Dashboard and the TCP/IP stack. The most serious of the flaws could be exploited to run malicious code. For more, go to:

https://docs.info.apple.com/article.html?artnum=301948

Apple patches DoS flaw in Darwin Streaming Server

The Darwin Streaming Server’s Web-based administration console is vulnerable to a denial-of-service attack. A fix is available. For more, go to:

https://developer.apple.com/darwin/projects/streaming/

**********

MIT patches Kerberos 5

MIT is reporting a number of flaws in its Kerberos 5 Key Distribution Center. Attackers could exploit the flaws in denial-of-service attacks against the server or potentially take control of the entire Kerberos realm. For more, go to:

https://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt

Related fix from Gentoo:

https://security.gentoo.org/glsa/glsa-200507-11.xml

**********

Today’s roundup of virus alerts:

Troj/Spexta-A — This one should probably fall under the heading “scum of the week.” Hackers are exploiting the London terrorist attacks with an e-mail worm that claims to have video of the attack’s aftermath in a ZIP file (LondonTerrorMovie.zip). It’s really a worm. (F-Secure, Sophos)

W32/Codbot-P — A new Codbot Trojan that spreads through network shares and can be used for a number of malicious applications, including running FTP servers and logging keystrokes. (Sophos)

W32/Rbot-AHT — Another new Rbot variant that spreads through network shares by exploiting a number of well known Windows vulnerabilities. It can allow backdoor access through IRC. It installs itself as “service.exe” in the Windows System folder. (Sophos)

W32/Rbot-BWI — A new Rbot variant that is very similar to Rbot-AHT above. This one uses “SetPoint.exe” as the infected file. (Sophos)

Troj/Zlob-L — A downloader Trojan that drops “notepad.exe” and “msmsgs.exe” on the infected machine and can be used to download additional code. (Sophos)

W32/Mytob-DJ — A new Mytob e-mail worm that provides backdoor IRC access and disables access to security related Web sites by modifying the Windows HOSTS file. It drops “winsvc32.exe” in the Windows System folder. (Sophos)

W32/Mytob-DK — Another Mytob variant. This one displays a bunch of fake messages on the infected system and drops “fuuuucktttttt.exe”. (Sophos)

W32/Mytob-DM — Yet another Mytob variant. This one if very similar to Mytob-DJ above, except its infected file is “winNTsys32.exe”. (Sophos)

Troj/RNWatch-A — A backdoor Trojan that copies “winierun.exe” and “bfwinier.exe” to the infected host. No word on what damage it could cause or purposes it could be used for. (Sophos)

W32/Sdbot-AAL — This new Sdbot variant spreads through network shares, exploiting weak or non-existent passwords. It drops “msnup32.exe” in the Windows System folder and attempts to delete network shares every 2 minutes. (Sophos)

W32/Agobot-TA — This Agobot variant provides backdoor access to the infected machine and drops “windowsfw.exe” in the Windows System folder. It spreads through weakly protected network shares. (Sophos)

**********

From the interesting reading department:

Cybercrooks lure citizens into international crime

Karl and other ordinary citizens are being widely recruited by international crime groups to serve as unwitting collaborators — referred to as mules — in Internet scams to convert stolen personal and financial data into tangible goods and cash. Cybercriminals order merchandise online with stolen credit cards and ship the goods overseas — before either the credit card owner or the online merchant catches on. The goods then are typically sold on the black market. USA Today, 07/10/05.

http://www.networkworld.com/go2/0711bug2c.html