* Patches from HP, SCO, Debian, others * Beware worm that exploits the Windows LSASS vulnerability
Today’s bug patches and security alerts:
Sun warns of DHCP flaw in Solaris 10
A flaw in the Solaris 10 DHCP client could be exploited to run arbitrary code on the affected machine with root privileges. For more, go to:
https://sunsolve.sun.com/search/document.do?assetkey=1-26-101897-1
**********
HP releases patch for Veritas File System
According to an advisory from HP, “A potential vulnerability has been identified in HP-UX running the Veritas File System (VxFS) that may allow a local authorized user access to unauthorized data.” For more, go to:
https://www.securityfocus.com/archive/1/409195/30/30/threaded
HP patches Openview Network Node Manager
A remote user could exploit a flaw in the HP Openview Network Node Manager to gain privileges on the affected machine. For more, go to:
https://www.securityfocus.com/archive/1/409370/30/0/threaded
**********
SCO patches cpio for UnixWare
A race condition in cpio for UnixWare could be exploited to view unauthorized directories or potentially run arbitrary code. For more, go to:
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.32
**********
Debian patches mantis
Two vulnerabilities have been found in mantis, a bug tracking system. One flaw could be exploited in cross-scripting attack, another to drop SQL code. For more, go to:
https://www.debian.org/security/2005/dsa-778
Debian releases fix for backup-manager
Two vulnerabilities have been found in backup-manager for Debian. One could be exploited in a symlink attack, while the other could disclose sensitive information. For more, go to:
https://www.debian.org/security/2005/dsa-787
Debian patches simpleproxy
A format string vulnerability in simpleproxy could be exploited through replies from remote HTTP proxies. For more, go to:
https://www.debian.org/security/2005/dsa-786
Debian issues patch for libpam-ldap
According to an alert from Debian, “It has been discovered that libpam-ldap, the Pluggable Authentication Module allowing LDAP interfaces, ignores the result of an attempt to authenticate against an LDAP server that does not set an optional data field.” For more, go to:
https://www.debian.org/security/2005/dsa-785
Debian releases patch for mysql
A script that comes with the MySQL database does not properly secure temporary files, which could be exploited to run arbitrary SQL commands on the affected machine. For more, go to:
https://www.debian.org/security/2005/dsa-783
Debian patches Mozilla Thunderbird
Several vulnerabilities have been fixed with this update for Mozilla Thunderbird. The most serious of the flaws could be exploited to run arbitrary code on the affected machine. For more, go to:
https://www.debian.org/security/2005/dsa-781
**********
Ubuntu fixes gnupg
A flaw in part of the decryption algorithm for gnupg could theoretically be used to view an encrypted message, though the odds of this being exploited are slim. A patch is available for the ultra cautious:
https://www.ubuntulinux.org/support/documentation/usn/usn-170-1
Ubuntu releases kernel update
A number of denial-of-service vulnerabilities have been found in the Ubuntu Linux kernel. An update is available. For more, go to:
https://www.ubuntulinux.org/support/documentation/usn/usn-169-1
Ubuntu patch PHP
A number of vulnerabilities have been found in the popular PHP scripting engine. An attacker could exploit a couple of these to run arbitrary code on the affected machine. For more, go to:
https://www.ubuntulinux.org/support/documentation/usn/usn-171-1
Ubuntu issues fix for lm-sensors
A flaw in the way one of the lm-sensors utilities creates temporary files could be exploited in a symlink attack to run malicious code on the affected machine, possibly under root privileges. For more, go to:
https://www.ubuntulinux.org/support/documentation/usn/usn-172-1
**********
Gentoo issues fix for Kismet
A number of flaws have been found in Kismet, a wireless network analyzer. The flaws could be exploited to run arbitrary code. For more, go to:
https://security.gentoo.org/glsa/glsa-200508-10.xml
**********
Gentoo, Ubuntu patch pcre
The Perl library libpcre (pcre) is vulnerable to an integer overflow that could be exploited to run malicious applications on the affected machine. For more, go to:
Gentoo:
https://security.gentoo.org/glsa/glsa-200508-17.xml
Ubuntu:
https://www.ubuntulinux.org/support/documentation/usn/usn-173-2
**********
Debian, Ubuntu patch courier
According to an alert from Debian, “A problem has been discovered in the Courier Mail Server. DNS failures were not handled properly when looking up Sender Policy Framework (SPF) records, which could allow attackers to cause memory corruption.” For more, go to:
Debian:
https://www.debian.org/security/2005/dsa-784
Ubuntu:
https://www.securityfocus.com/archive/1/409322/30/0/threaded
**********
Today’s roundup of virus alerts:
Troj/SDM-C — A Trojan that exploits the Microsoft Access (JET) files vulnerability. It drops “ms.exe” on the infected machine. (Sophos)
W32/Allocu-A — A worm that exploits the Windows LSASS vulnerability as it spreads through network shares, dropping “msveup.exe” in the Windows System folder. It can be used to disable anti-virus applications, participate in distributed denial-of-service attacks and download/execute additional malicious code. (Sophos)
Troj/Sacrep-A — A keylogging Trojan that can deliver its bounty via e-mail, FTP or HTTP post. It uses a random file name as its infection point. (Sophos)
Troj/Deld-A — A Trojan that drops “svchost.exe” and “lsass.exe” in the Windows folder of the infected host. It also drops one of the Bancban variants that target data entered into banking sites. (Sophos)
Troj/Nethief-P — This Trojan can act as a keystroke logger and download/execute additional malicious code. It installs itself as “EXPLORER.exe” in the SystemShellExt directory. (Sophos)
W32/Rbot-ALG — A new Rbot variant that spreads through network shares by exploiting a number of known Windows vulnerabilities, including the recently patched PnP flaw. It installs itself as “qsecue.exe”. (Sophos)
W32/Dumaru-AK — A worm that spreads through network shares or e-mail. It drops “UPU.EXE” in the Windows System folder and modifies the HOSTS file to prevent access to security-related Web sites. It listens on port 1520 for incoming connections. (Sophos)
W32/Tilebot-N — A new Tilebot variant that tries to exploit the Windows RPC-DCOM and LSASS vulnerabilities as it spreads through network shares. It can be used to connect to a Web site via HTTP and download additional code. (Sophos)
W32/Mytob-EG — This new Mytob variant spreads through an e-mail message looking like an account warning and with an attachment that usually has a double extension. It drops “twunk_65.exe” in the Windows System folder and allows backdoor access via IRC. (Sophos)
Troj/Haxdoor-AI — A backdoor Trojan that installs “msftcpip.sys” and “tcpGDC.dll” in the Windows folder. It modifies the Windows HOSTS file to prevent access to anti-virus and other security related Web sites. (Sophos)




