New worms exploit Windows PnP flaw

Opinion
Aug 18, 20056 mins

* Patches from Apple, Cisco, Novell, others * Beware Windows 2000 worms * McAfee readies home Wi-Fi security tool

Today’s bug patches and security alerts:

Apple releases major bug fix update

A new update for most newer versions of the Mac OS X operating system is available from Apple. The new update fixes flaws in Apache 2, AppKit, Bluetooth, CoreFoundation, CUPS, Directory Services, HItoolbox, Kerberos, loginwindow, Mail, MySQL, OpenSSL, ping, QuartzComposerScreenSaver, Safari, SecurityInterface, servermgrd, servermgr_ipfilter, SquirrelMail, traceroute, WebKit, Weblog Server, X11, and zlib. For more, go to:

https://docs.info.apple.com/article.html?artnum=302163

Related CERT advisory:

https://www.us-cert.gov/cas/techalerts/TA05-229A.html

**********

Cisco patches Clean Access Unauthenticated API Access

According to an advisory from Cisco, “Cisco Clean Access (CCA) is a software solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access your network. CCA includes as part of the architecture an API. Lack of authentication while invoking API methods can allow an attacker to bypass security posture checking, change the assigned role for a user, disconnect users and can also lead to information disclosure on configured users.” For more, go to:

https://www.cisco.com/warp/public/707/cisco-sa-20050817-cca.shtml

**********

Novell fixes GroupWise Password Caching flaw

Versions 5.x and 6.x of the Novell GroupWise client may cache username and password information in memory while running. According to Novell, a “hostile” administrator with rights to the affected machine could create a memory dump to find the username/password information for any logged in user. For more, go to:

https://support.novell.com/servlet/tidfinder/10098073

**********

HP issues fix for HP-UX Ignite-UX Remote Unauthorized Access flaw

According to an advisory from HP, “A potential security vulnerability has been identified with HP-UX running Ignite-UX, where unsafe file permissions could be remotely exploited to allow an unauthorized user to access and alter Ignite-UX client data on the Ignite-UX server.” For more, go to:

https://www.securityfocus.com/archive/1/408273/30/0/threaded

Original Corsaire advisory:

https://www.corsaire.com/advisories/c041123-002.txt

**********

Symantec patches Veritas bug

Symantec has released software that fixes critical vulnerabilities in the company’s Veritas Backup Exec and Veritas NetBackup software. IDG News Service, 08/15/05.

http://www.networkworld.com/news/2005/081505-symantec-bug.html

Symantec advisory:

http://www.networkworld.com/go2/0815bug2c.html

**********

SuSE, Fedora release updates for Apache, Apache 2

A number of vulnerabilities, ranging from “information smuggling” to buffer overflows, have been found in the code of the popular Apache Web server. SuSE, Fedora and Apple (above) have release updates. For more, go to:

SuSE:

http://www.networkworld.com/go2/0815bug2b.html

Fedora:

http://www.networkworld.com/go2/0815bug2a.html

**********

Gentoo, Mandriva patch gaim

A new update for Gaim, an open source instant messaging client, fixes a potential denial-of-service vulnerability. For more, go to:

Gentoo:

https://security.gentoo.org/glsa/glsa-200508-06.xml

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:139

**********

Gentoo patches Xpdf, Kpdf, and GPdf

A bug in the xpdf, kpdf and gpdf PDF document view applications could cause all system resources to be consumed, resulting in a denial of service. For more, go to:

https://security.gentoo.org/glsa/glsa-200508-08.xml

**********

Today’s roundup of virus alerts:

CA: Windows 2000 worms now affecting 250,000

Malicious software that takes advantage of a recently disclosed vulnerability in Microsoft’s Windows operating system has spread rapidly and has now infected more than 250,000 systems, primarily Windows 2000 systems being run in corporate environments, according to security vendor Computer Associates. IDG News Service, 08/17/05.

http://www.networkworld.com/news/2005/081705-ca-worms.html

Experts see new variants of Windows 2000 worm

Security vendors have reported several new variants of the worm infecting PCs running Microsoft’s Windows 2000 operating system. Groups of virus writers are competing to cause the most damage, according to one security company, although the worm appears less severe than some first feared. IDG News Service, 08/17/05

http://www.networkworld.com/news/2005/081705-worms.html

Windows worm beginning to spread

A variety of worms that exploit a Windows vulnerability disclosed last week are hitting many systems worldwide, reportedly including some at cable network CNN, and could reach critical mass in the next several hours, according to anti-virus vendor Trend Micro. IDG News Service, 08/17/05.

http://www.networkworld.com/news/2005/081705-windows-worm.html

W32/Zotob-C — An Zotob variant that exploits the Windows 2000 PnP vulnerability, among others, as it spreads through e-mail. The infected message uses a number of different text attributes, but most look like a friend sending a photo. It installs itself as “per.exe”. (Sophos)

W32/Zotob-F — Another Zotob variant. This one drops “wintbpx.exe” on the infected machine and allows backdoor access through an IRC channel. (Sophos)

W32/Tilebot-F — This new Tilebot variant can also take advantage of the new Windows 2000 PnP vulnerability. It spreads through network shares, dropping a randomly named file in the Windows System folder. The virus does try to limit access to certain system tools, such as Task Manager. (Sophos)

W32/Tilebot-I — A Tilebot variant designed to exploit the Windows PnP and other common buffer overflow vulnerabilities in Windows. It drops “rdriv.sys” on the target host and can communicate with a remote server via HTTP. (Sophos)

W32/Tilebot-J — Yet another Tilebot variant that exploits the Windows PnP flaw. It allows backdoor access via IRC after installing itself in the Windows folder as “netinfo.exe”. (Sophos)

W32/Tilebot-Z — This Tilebot variant that spreads through network shares – though it does not exploit the PnP flaw. It too disables certain security applications and attempts to download code from specific remote sites. When running on the machine, it tries to hide itself as a Windows Sound driver service. (Sophos)

W32/Tpbot-A — A new bot that tries to exploit the Windows PnP and LSASS flaws as it spreads by network share. It drops “wintbp.exe” and allows backdoor access via IRC. (Sophos)

W32/Forbot-FI — A Forbot variant that spreads through network shares, installing “winlogons.exe” in the Windows system folder and allowing backdoor access via IRC. It can be used to execute commands, create a proxy server and steal password information. (Sophos)

W32/Antix-A — A new MSN Messenger worm that spreads through a message that tries to get the target user to download a new Messenger update by following a link. What is downloaded is “kernel32.exe”, which can disable security related programs and be used to download additional malware. (Sophos)

W32/Rbot-ALA — An Rbot variant that creates a backdoor on the infected machine by connecting to a preconfigured IRC server. It can turn the infected host into a proxy server. It drops “winmon.sys”. (Sophos)

W32/Rbot-ALI — This Rbot variant can turn the infected host into a zombie, allowing it do participate in DoS attacks, steal information and act as a Web, FTP or proxy server. It drops “windir32.exe” in the Windows System directory. (Sophos)

**********

From the interesting reading department:

McAfee readies home Wi-Fi security tool

All home Wi-Fi gear comes with the bricks and mortar to put up at least a basic security wall against intruders and eavesdroppers, but McAfee wants to sell consumers a better trowel for building it. IDG News Service, 08/15/05.

http://www.networkworld.com/news/2005/081505-mcafee-wi-fi.html