* Patches from Cisco, Gentoo, SuSE, others * Beware new messenger worm that works in multiple languages * F-Secure Weblog: Eye-witness account of a global virus outbreak, and other interesting reading
Today’s bug patches and security alerts:
Windows XP also has plug-and-play vulnerability
PCs running a certain configuration of Microsoft’s Windows XP operating system have the same security vulnerability exploited by the Zotob worm that ran riot on Windows 2000 systems last week , Microsoft said. IDG News Service, 08/24/05.
http://www.networkworld.com/news/2005/082405-zotob-worm.html
Microsoft advisory:
https://www.microsoft.com/technet/security/advisory/906574.mspx
**********
CA patches security flaws in multiple products
Computer Associates [CA] has issued patches to fix security flaws involving its Message Queuing software that affect many of its products. The Register, 08/23/05.
https://www.theregister.co.uk/2005/08/23/ca_security_flap/
CA advisory:
http://www.networkworld.com/go2/0822bug2a.html
**********
Cisco releases two patches
Cisco has releases two new updates that fix security flaws in a couple of products. The first update fixes a vulnerability in Intrusion Prevention System that could allow an attacker to take full control of the IPS advice. Second, a flaw in the way CiscoWorks Management Center for IDS Sensors handles SSL certificates could be exploited by an attacker to spoof a sensor. For more, go to:
Cisco Intrusion Prevention System Vulnerable to Privilege Escalation:
https://www.cisco.com/warp/public/707/cisco-sa-20050824-ips.shtml
SSL Certificate Validation Vulnerability in IDS Management Software:
https://www.cisco.com/warp/public/707/cisco-sa-20050824-idsmc.shtml
**********
Gentoo patches Awstats
The AWstats statistics program does not properly validate certain input. An attacker could exploit this to run malicious Perl code on the affected machine. For more, go to:
https://security.gentoo.org/glsa/glsa-200508-07.xml
Gentoo releases fix for Evolution
Flaws in the Evolution e-mail client could be exploited in a denial-of-service attack or to potentially run malicious code on the affected system. For more, go to:
https://security.gentoo.org/glsa/glsa-200508-12.xml
**********
Debian, Gentoo patch bluez-utils
Bluez-utils, a tool for implementing the Bluetooth wireless standard on Linux, is not properly validating input, which could be exploited to run malicious commands on the affected machine. For more, go to:
Debian:
https://www.debian.org/security/2005/dsa-782
Gentoo:
https://security.gentoo.org/glsa/glsa-200508-09.xml
**********
Gentoo, Mandriva release fix for php-pear
According to the Mandriva advisory, “A problem was discovered in the PEAR XML-RPC Server package included in the php-pear package. If a PHP script which implements the XML-RPC Server is used, it would be possible for a remote attacker to construct an XML-RPC request which would cause PHP to execute arbitrary commands as the ‘apache’ user.” For more, go to:
Gentoo:
https://security.gentoo.org/glsa/glsa-200508-13.xml
Mandriva:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:146
Related fix from Gentoo for TikiWiki, eGroupWare:
https://security.gentoo.org/glsa/glsa-200508-14.xml
**********
Gentoo, SuSE patch Adobe Reader
A buffer overflow in the Adobe Reader plug-in could be exploited in a denial-of-service attack or to potentially run arbitrary code. For more, go to:
Gentoo:
https://security.gentoo.org/glsa/glsa-200508-11.xml
SuSE:
http://www.networkworld.com/go2/0822bug2b.html
**********
Today’s roundup of virus alerts:
New Messenger worm works in multiple languages
Users of Microsoft’s MSN Messenger should be aware of a new “smart” worm that checks the configuration of their Windows client and sends a message in the appropriate language, according to security companies Akonix Systems and Symantec. Both companies published alerts on Wednesday. IDG News Service, 08/25/05.
http://www.networkworld.com/go2/0822bug2c.html
W32/Spybot-DU — A backdoor Trojan that allows backdoor access via IRC. It spreads through network shares, deploying “sysmod.exe” in the Windows System directory. (Sophos)
W32/Dref-D — A virus that spreads through IRC and e-mail, usually with a .rar, .pif or .scr attachment. It saves itself to “SysDref.exe” in the Windows System directory. (Sophos)
Troj/Keylog-AM — A Trojan that steals passwords and monitor Internet usage. It drops “sys32me.ini” and “sys32bin.ini” in the Windows system folder. (Sophos)
W32/Rbot-ALG — A new Rbot variant that spreads via network shares, exploiting a number of known Windows vulnerability including the PnP flaw. It drops “qsecue.exe” in the system folder and can be used for a number of malicious purposes, all controlled via IRC. (Sophos)
Troj/PurScan-W — A worm that changes Internet Explorer’s settings and directs the infected system to a Web site, where “installer.exe” and “mt-uninstaller.exe” are downloaded, both install adware. (Sophos)
Troj/Nailpol-A — A Trojan that injects its code into other running processes. It can can be used to monitor ‘net usage on the affected machine. (Sophos)
Troj/Litebot-D — This Trojan provides backdoor access to IRC, dropping “uninst.bat” in the Windows system folder in the process. (Sophos)
W32/Tilebot-M — A new Tilebot variant that spreads through network shares, taking advantage of the Windows PnP and other known flaws. It installs itself as “msdnupdate32” in the Windows folder. (Sophos)
Troj/Dloader-SK — A Trojan that downloads and installs additional malicious code. It initially stores itself as “dllsys.dll” in the Windows System folder. (Sophos)
Troj/Whistler-F — Another worm that blames you for piracy and attempts to delete files from infected machine. It drops “whismng.exe” in the Windows System folder. (Sophos)
W32/PrsKey-A — A password stealing Trojan that targets the Priston Tale game and Yahoo! web email accounts. It installs “Winllogo.exe” and “Win.exe” in the Program FilesCommon Files directory. (Sophos)
W32/Lebreat-F — A mass mailing worm that exploits the Windows LSASS and PnP flaws. It can act as an ftp server and drops a number of files, including “winhost.tmp”, in the various Windows directories. (Sophos)
**********
From the interesting reading department:
F-Secure Weblog: Eye-witness account of a global virus outbreak
Mikko Hypponen details the minute-by-minute account of the Zotob worm’s outbreak.
http://www.networkworld.com/go2/0822bug2d.html
Whitepaper: The Pharming Guide
This paper, extending the original material of “The Phishing Guide”, examines in depth the workings of the name services of which Internet-based customers are dependant upon, and how they can be exploited by Pharmers to conduct identity theft and financial fraud on a massive scale. NGSSoftware, 8/2005.




