* Patches from Cisco, Debian, FreeBSD, others * Beware e-mail harvesting worm that spreads through network shares, exploiting the Windows LSASS vulnerability
Today’s bug patches and security alerts:
Cisco patches IOS firewall flaw
According to a Cisco advisory, “Cisco IOS Software is vulnerable to a denial of service and potentially an arbitrary code execution attack when processing the user authentication credentials from an Authentication Proxy Telnet/FTP session. To exploit this vulnerability an attacker must first complete a TCP connection to the IOS device running affected software and receive an auth-proxy authentication prompt.” For more, go to:
https://www.cisco.com/warp/public/620/1.html
**********
KDE publishes fix for a number of flaws
A number of KDE graphical environments contain multiple flaws. The most serious of them could be exploited to gain root access on the affected machine. For more, go to:
https://www.kde.org/info/security/advisory-20050905-1.txt
Related fixes:
Mandriva (kdebase):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:160
Mandriva (kdeedu):
https://www.mandriva.com/security/advisories?name=MDKSA-2005:159
Ubuntu:
https://www.ubuntu.com/usn/usn-176-1/document_view
**********
Debian, FreeBSD patch cvs
A flaw in the way temporary files are created by cvsbug, part of the CVS version control system, could be exploited to place arbitrary files on the affected machine. For more, go to:
Debian:
https://www.debian.org/security/2005/dsa-802
FreeBSD:
http://www.networkworld.com/go2/0905bug2a.html
**********
More PCRE fixes available
An integer overflow in the Perl Compatible Regular Expressions (PCRE) library could be exploited by to run malicious code on the affected machine. For more, go to:
Debian (pcre3):
https://www.debian.org/security/2005/dsa-800
Gentoo:
https://security.gentoo.org/glsa/glsa-200508-17.xml
OpenPKG:
https://www.openpkg.org/security/OpenPKG-SA-2005.018-pcre.txt
**********
OpenPKG releases OpenSSH update
As we reported in our last newsletter, there’s a new version of OpenSSH available that includes fixes for a number of flaws in previous releases. The OpenPKG version of the update is here:
https://www.openpkg.org/security/OpenPKG-SA-2005.019-openssh.txt
**********
Gentoo, Mandriva patch mplayer
A buffer overflow in mplayer, a multimedia player, could be exploited through a malicious video file, allowing the attacker to run arbitrary code on the affected machine. For more, go to:
Gentoo:
https://security.gentoo.org/glsa/glsa-200509-01.xml
Mandriva:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:158
**********
Debian, Mandriva release fix for ntp
The Network Time Protocol (ntp) does not properly set its permissions. A fix is available for this bug. For more, go to:
Debian:
https://www.debian.org/security/2005/dsa-801
Mandriva:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:156
**********
Debian, OpenPKG patch proftpd
Two format string vulnerabilities have been found in the proftpd server, which could be exploited to insert data into a connected SQL database. For more, go to:
Debian:
https://www.debian.org/security/2005/dsa-795
OpenPKG:
https://www.openpkg.org/security/OpenPKG-SA-2005.020-proftpd.txt
**********
Debian patches sqwebmail flaw
The sqwebmail mail application that comes in the Courier suite does not properly handle certain attachments. An attacker could exploit this to insert malicious scripts on the affected machine. For more, go to:
https://www.debian.org/security/2005/dsa-793
**********
SuSE patches kernel
A new update to the SuSE Linux kernel fixes a number of flaws found in previous releases. Most of the vulnerabilities could be exploited to crash the kernel. For more, go to:
http://www.networkworld.com/go2/0905bug2b.html
**********
Today’s roundup of virus alerts:
New Trojan swaps porn for Koran
A new Trojan horse program circulating around the Internet this week appears to be on a moral mission to stamp out adult Web sites, according to security research firm Sophos. Instead of snooping for sensitive financial information or secretly taking control of an infected computer, the Trojan, called Yusufali-A, monitors Web surfing habits. IDG News Service, 09/06/05.
http://www.networkworld.com/news/2005/090605-trojan.html
Troj/Perda-D — A Trojan horse that creates a proxy server on the affected machine. It may also mess up the Windows Firewall on XP. It uses a random file name as its infection point. (Sophos)
Troj/Sisery-A — An interesting little virus that changes a number of Windows and application characteristics. More annoying than damaging. (Sophos)
W32/Alasrou-A — An e-mail harvesting worm that spreads through network shares, exploiting the Windows LSASS vulnerability. It installs itself as “file1.exe” in the Windows temp directory. (Sophos)
W32/Tilebot-O — This Trojan can turn its infected host into a proxy server, participate in denial-of-service attacks, access remote machines via HTTP and disable security applications. It spreads through network shares, exploiting a number of known Windows vulnerabilities. It installs itself as “rdriv.sys”. (Sophos)
W32/Rbot-AGV — An Rbot variant that installs itself to look like a McAfee file (mcafee32.exe in the Windows System directory). It spreads through network shares and allows backdoor access via IRC. (Sophos)
Troj/Haxdoor-AI — An IRC backdoor worm that can be used to terminate security related applications. It drops “msftcpip.sys” on the infected machine. (Sophos)
Troj/BankAsh-J — A Trojan that harvests user names and passwords from the infected machine, sending the bounty to a remote site via FTP. It also tries to suppress firewall messages in an effort to hide its presence. (Sophos)
W32/Codbot-X — A backdoor Trojan that allows FTP access, logs keystrokes, and harvests other local system information. It installs itself as “spooler.exe” in the Windows System folder. When spreading through network shares, it exploits a number of known Windows flaws. (Sophos)
Troj/Zapchas-K — A backdoor Trojan that spreads through an IRC connection, usually as the file “postcard.gif.exe”. (Sophos)
Troj/Paymite-B — A virus that attempts to modify the Windows Start page, among other attributes. It installs itself as “paytime.exe” in the Windows System folder. (Sophos)
W32/Agobot-PI — An Agobot variant that drops “Ksrv32.exe” in the Windows System folder. It can be used for a number of malicious applications and can terminate security related utilities. (Sophos)




