New version of OpenSSH available

Opinion
Sep 5, 20055 mins

* Patches from Gentoo, Debian, others * Beware backdoor Trojan that disables security related applications running on the infected machine

Today’s bug patches and security alerts:

New version of OpenSSH available

Version 4.2 of the OpenSSH application is now available. The new update fixes a number of bugs found in previous releases, including one that could allow dynamic port forwarding without a specific IP address. For more, go to:

http://www.networkworld.com/go2/0905bug1a.html

**********

Gentoo releases Apache 2.0 update

A new update for Apache 2.0 from Gentoo fixes a denial-of-service vulnerability. For more, go to:

https://security.gentoo.org/glsa/glsa-200508-15.xml

Gentoo patches Tor

A flaw in Tor, an anonymizer program that uses Onion Routing, could result in the loss of anonymity and the disclosure of information. For more, go to:

https://security.gentoo.org/glsa/glsa-200508-16.xml

Gentoo isuess patch for PhpWiki

Gentoo’s PhpWiki implementation is vulnerable to the XML-RPC flaw, which could be used to run malicious commands on the affected machine. For more, go to:

https://security.gentoo.org/glsa/glsa-200508-18.xml

Gentoo fixes pam_ldap flaw

A bug in the way pam_ldap authenticates against an LDAP directory could result in authentication being granted to any user. A fix is available. For more, go to:

https://security.gentoo.org/glsa/glsa-200508-22.xml

Gentoo patches phpWebSite

According to the Gentoo alert, “phpWebSite is vulnerable to multiple issues which result in the execution of arbitrary code and SQL injection.” For more, go to:

https://security.gentoo.org/glsa/glsa-200508-21.xml

**********

Debian patches php4

A number of vulnerabilities have been found and fixed in PHP4, the popular server-side scripting language. The most serious of the flaws could be exploited to run arbitrary code on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-789

Debian updates phpldapadmin

According to an alert from Debian, “Alexander Gerasiov discovered that phpldapadmin, a web based interface for administering LDAP servers, allows anybody to access the LDAP server anonymously, even if this is disabled in the configuration with the ‘disable_anon_bind’ statement.” For more, go to:

https://www.debian.org/security/2005/dsa-790

Debian releases fix for maildrop

The lockmail function for maildrop, a mail delivery agent with filtering capabilities, does not properly drop its group (mail) privileges after executing. An attacker could exploit this to run their own code and commands with the elevated group privilege. For more, to to:

https://www.debian.org/security/2005/dsa-791

Debian patches pstotext

A flaw in the pstotext, a tool for extracting text from PostScript and PDF files, executes ghostscript commands could be exploited to run malicious code on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-792

**********

Debian, Gentoo patch phpgroupware

A number of flaws have been found in the phpgroupware application for Debian and Gentoo. The most serious of the vulnerabilities could be used to run malicious applications on the infected machine. For more, go to:

Debian:

https://www.debian.org/security/2005/dsa-789

Gentoo:

https://security.gentoo.org/glsa/glsa-200508-20.xml

**********

HP releases Java Runtime Environment, Java Web Start updates

Flaws in the Java Runtime Environment (JRE) and Java Web Start for HP could be exploited by an untrusted applet to gain elevated privileges, such as the ability to read and write local files. Updates can be downloaded from:

https://www.hp.com/go/java

**********

Today’s roundup of virus alerts:

W32/Sdbot-ACS — An Sdbot variant that allows the infected machine to be used as a proxy server, to download/execute additional code and carry our denial-of-service attacks. It spreads through network shares, dropping “help.pif” in the System folder, and allows backdoor access via IRC. (Sophos)

Troj/Bancban-EW — A Trojan that targets Internet banking sites, looking for username and password data. It installs “imgst.scr” in the Windows system folder. (Sophos)

W32/Mytob-DZ — Another Mytob variant that spreads through e-mail, usually a message that looks like some sort of account termination warning. The infected message will have an attachment with a double file extension. (Sophos)

W32/Mytob-EH — Another new Mytob variant that spreads through messages that look like account warnings. This one can allow backdoor access via IRC, giving an attacker control over a number of functions. It copies itself to “xDcc.exe” in the Windows system directory. (Sophos)

Troj/Inor-R — This is a dropper application used to install other malicious Trojans. This particular nuisance drops “fh4uh.exe” in the C: root directory. (Sophos)

Troj/PcClien-BW — A Trojan that injects itself into “winlogon.exe” to avoid detection. It could allow command shell access via a high-numbered TCP port. (Sophos)

W32/Alasrou-A — This worm harvests e-mail addresses from the infected machine, FTPing the collected data to a remote site. It spreads through network shares by exploiting the Windows LSASS vulnerability and dropping “file1.exe” in the temp directory. (Sophos)

Troj/Haxdoor-DW — A backdoor Trojan that disables security related applications running on the infected machine. It drops “avpx32.dll” and a number of other files in the Windows system folder. (Sophos)

W32/Forbot-FM — Another IRC backdoor worm that spreads through network shares. This one installs “rservers.exe” in the Windows system folder. (Sophos)

W32/Rbot-AMR — A backdoor IRC worm that spreads through network shares, exploiting a number of known Windows flaws to do so. It drops “ms-dos.pif” in the Windows system folder. (Sophos)

W32/Rbot-LT — Another Rbot variant that also spreads through network shares. This one installs itself as “LSSRV.EXE” in the Windows system folder and can be used as a keylogger. (Sophos)