* Patches from HP, Debian, Gentoo, others * Beware virus that displays the message "Press OK to install the party invitation..."
Today’s bug patches and security alerts:
Multiple flaws in HP OpenView
NGSSoftware is warning of multiple vulnerabilities in the popular HP OpenView management software. NGSSoftware is not releasing specific details of the flaws, but says, “The flaws can be exploited by attackers without valid credentials to fully compromise a vulnerable server.” Patches from HP can be downloaded from:
https://support.openview.hp.com/patches/
The NGSSoftware advisory is here:
https://www.securityfocus.com/archive/1/412576/30/0/threaded
**********
Debian, HP releases Mozilla Firefox updates
A number of buffer overflow vulnerabilities have been found in the Debian and HP implementations of the Mozilla Firefox browser. The most serious of the flaws could be exploited to run malicious code on the affected machine. For more, go to:
Debian:
https://www.debian.org/security/2005/dsa-837
https://www.debian.org/security/2005/dsa-838
HP:
https://www.securityfocus.com/archive/1/412452/30/0/threaded
**********
Mandriva updates kernel
A new update for Version 2.6 of the Mandrake Linux kernel fixes a number of flaws found in earlier releases. The most serious of the flaws could be exploited to run arbitrary files on the affected machine. For more, go to:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:171
**********
Debian patches Drupal
Some versions of the Drupal content management system ship with flawed XML-RPC code libraries. An attacker could exploit this run malicious PHP code on an affected site. For more, go to:
https://www.debian.org/security/2005/dsa-840
Debian releases fix for egroupware
The same XML-RPC vulnerabilities affect the Debian eGroupware package as well. A fix is available:
https://www.debian.org/security/2005/dsa-842
Debian issues patch for apachetop
A poorly secured temporary file in apachetop, a monitoring application for Apache, could be exploited in a symlink attack to run malicious code on the affected machine. For more, go to:
https://www.debian.org/security/2005/dsa-839
Debian releases patch for arc
Two flaws have been found in the arc archival tool. Both could leave an affected system open to a symlink attack. For more, go to:
https://www.debian.org/security/2005/dsa-843
Debian patches mod-auth-shadow
A flaw in the Apache mod-auth-shadow module could be exploited to bypass certain access control lists. A fix is available. For more, go to:
https://www.debian.org/security/2005/dsa-844
**********
Gentoo patches gtkdiskfree
The gtkdiskfree utility creates temporary files with predictable names. This could be exploited to run a malicious code on the affected machine. For more, go to:
https://security.gentoo.org/glsa/glsa-200510-01.xml
Gentoo releases fix for Berkeley MPEG Tools
According to a Gentoo advisory, “The Berkeley MPEG Tools use temporary files in various insecure ways, potentially allowing a local user to overwrite arbitrary files.” For more, go to:
https://security.gentoo.org/glsa/glsa-200510-02.xml
Gentoo patches Uim
A flaw in Uim could allow be exploited through linked applications to gain elevated privileges on the affected machine. For more, go to:
https://security.gentoo.org/glsa/glsa-200510-03.xml
Gentoo updates Texinfo
A function in Texinfo, a documentation system, creates temporary files in a non-secure manner. An attacker could exploit this to run arbitrary files on the affected machine. For more, go to:
https://security.gentoo.org/glsa/glsa-200510-04.xml
**********
Ubuntu releases dia update
According to an Ubuntu advisory, “Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.” For more, go to:
http://www.networkworld.com/go2/1003bug2a.html
**********
Today’s roundup of virus alerts:
Troj/Badparty-A — A virus that displays the message “Press OK to install the party invitation…”. If the user does, the virus tries to delete the boot partition. (Sophos)
Troj/Banker-DV — Another Trojan that targets passwords entered into Brazilian banking sites. It drops “winlogin.exe” in the Windows System folder. (Sophos)
Troj/Bandler-D — A Windows Trojan that installs itself as “smss.exe” in the Windows System directory. No word on what type of damage it could cause. (Sophos)
W32/Opanki-AB — A Trojan that copies itself to “nether.exe” in the Windows folder. It provides backdoor access via IRC. It may also be used to monitor IM conversations. (Sophos)
Troj/LittleW-E — A backdoor Trojan that can be used to download additional code from a remote site. This worm drops “MiniServer.exe in the Windows directory. (Sophos)
Troj/Banload-N — A Windows Trojan that downloads code from a remote site and can be used to drop “cmrss.exe” in the System directory. (Sophos)
W32/Rbot-LT — An Rbot variant that spreads through network shares. It drops “LSSRV.EXE” in the Windows System directory and can be log keystrokes to “KEY32.TXT” in the Windows folder. (Sophos)
W32/Rbot-AQF — This Rbot variant tries to exploit a number of known Windows vulnerabilities as it spreads through network shares. It drops “msnwindows.exe” in the Windows System folder and allows backdoor access through IRC. (Sophos)
W32/Bobax-S — An e-mail worm that attempts to exploit the Windows PnP vulnerability. It spreads via a message entitled “Cool” with an attachment ending in pif, exe, scr or zip. (Sophos)
Troj/Small-QJ — A Windows Trojan that can communicate with remote servers via HTTP. It drops “winhlp32.dll” on the infected machine. (Sophos)
W32/Mytob-FT — Another Mytob variant that spreads through an e-mail message that typically looks like an account/password warning message. The infected attachment usually has a double extension with the latter ending in EXE, SCR or PIF. (Sophos)
W32/Ixbot-A — A backdoor bot that allows access via an IRC and through TCP port 5190. It spreads through AOL Instant Messenger by getting a user to click on a link to an infected file. (Sophos)
W32/Tilebot-W — A Tilebot variant that tries to exploit various Windows vulnerabilities, including the RPC DCOM flaw, as it spreads via network shares. It drops “csrss.exe” in the Windows System folder. (Sophos)
W32/Kassbot-I — This Kassbot variant tries to prevent access to various Kaspersky anti-virus sites by modifying the Windows HOSTS file. It spreads through network shares by exploiting the Windows LSASS vulnerability. “spools.exe” is dropped in the Windows System folder. (Sophos)




