* Patches from Trustix, Ubuntu, Gentoo, others * Beware Trojan named Radium that can be used for a number of malicous purposes * Online safety threats lurk in instant messages, and other interesting reading
Today’s bug patches and security alerts:
iDefense warns of flaws in Helix Player
Multiple vulnerabilities have been found in RealNetworks Helix Player. The most serious of the flaws could be exploited to run malicious code on the affected machine. For more, go to:
http://www.networkworld.com/go2/1003bug1a.html
RealNetworks advisory:
https://service.real.com/help/faq/security/050930_player/EN/
Related fix from Debian:
https://www.debian.org/security/2005/dsa-826
**********
Trustix, Ubuntu patch unzip
A race condition has been found in the unzip file decompression utility. An attacker could exploit this in “hard link attack” on a file being unzipped. For more, go to:
Trustix:
https://www.trustix.org/errata/2005/0053/
Ubuntu:
http://www.networkworld.com/go2/1003bug1b.html
**********
Gentoo, Ubuntu patch AbiWord
AbiWord, a free word processing program, is vulnerable to a buffer overflow when an RTF file is being imported. An attacker could exploit this to run malicious code on the affected machine. For more, go to:
Gentoo:
https://security.gentoo.org/glsa/glsa-200509-20.xml
Ubuntu:
http://www.networkworld.com/go2/1003bug1c.html
**********
DoS flaws in Squid
A couple of denial-of-service vulnerabilities have been found in Squid, the open source proxy server. Patches are available:
Debian:
https://www.debian.org/security/2005/dsa-809
https://www.debian.org/security/2005/dsa-828
Ubuntu:
http://www.networkworld.com/go2/1003bug1d.html
**********
Debian fixes MySQL flaws
A number of vulnerabilities have been found in various MySQL implementations for Debian. The most serious of the flaws could be exploited to run malicious code on the affected machine. For more, go to:
MySQL:
https://www.debian.org/security/2005/dsa-829
mysql-dfsg:
https://www.debian.org/security/2005/dsa-831
mysql-dfsg 4.1:
https://www.debian.org/security/2005/dsa-833
Debian patches cfengine, cfengine2
According to an alert from Debian, “Javier Fernandez-Sanguino Pena discovered several insecure temporary file uses in cfengine, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine, which is probably root.” For more, go to:
cfengine:
https://www.debian.org/security/2005/dsa-835
cfengine2:
https://www.debian.org/security/2005/dsa-836
Debian releases fix for Gopher
Multiple buffer overflow vulnerabilities have been found in Gopher, the text-based Hypertext application. An attacker could exploit the flaw through a malicious Gopher server. For more, go to:
https://www.debian.org/security/2005/dsa-832
Debian patches ntlmaps
A flaw in the configuration files of ntlmaps leaves certain system files word-writeable and may be exploited to grab username and password information. For more, go to:
https://www.debian.org/security/2005/dsa-830
Debian issues fix for backupninja
A new update for backupninja fixes a flaw in the way temporary files are created. An attacker could exploit the temporary files in a symlink attack against the affected machine. For more, go to:
https://www.debian.org/security/2005/dsa-827
Debian patches prozilla
A buffer overflow in prozilla, multi-threaded download accelerator, could be exploited to run malicious applications on the affected machine. For more, go to:
https://www.debian.org/security/2005/dsa-834
Debian releases patch for ClamAV
A buffer overflow has been found in the process that scans UPX-packed executables. There’s also a denial-of-service flaw in the way FSG-packed executables are processed. For more, go to:
https://www.debian.org/security/2005/dsa-824
Debian updates zsych
A new update for zsynch fixes a previous fix that inadvertently added a new flaw. For more, go to:
https://www.debian.org/security/2005/dsa-797
Debian patches util-linux
According to a recent Debian advisory, “David Watson discovered a bug in mount as provided by util-linux and other packages such as loop-aes-utils that allows local users to bypass filesystem access restrictions by re-mounting it read-only.” For more, go to:
util-linux:
https://www.debian.org/security/2005/dsa-823
loop-aes-utils:
https://www.debian.org/security/2005/dsa-825
Debian issues patch for gtkdiskfree
Debiab: “Eric Romang discovered that gtkdiskfree, a GNOME program that shows free and used space on filesystems, creates a temporary file in an insecure fashion.” For more, go to:
https://www.debian.org/security/2005/dsa-822
**********
Ubuntu releases fix for cpio
A race condition in the way cpio outputs files could be exploited to change the permissions of arbitrary files on the affected machine. For more, go to:
http://www.networkworld.com/go2/1003bug1e.html
Ubuntu issues SNMP update
A denial-of-service vulnerability has been found in the Ubuntu SNMP implementation. A new update is available to patch the flaw. For more, go to:
http://www.networkworld.com/go2/1003bug1f.html
**********
Gentoo patches Hylafax
The Hylafax fax server package does not create temporary files in a secure manner. A local attacker could exploit this to overwrite files on the affected machine. For more, go to:
https://security.gentoo.org/glsa/glsa-200509-21.xml
**********
Today’s roundup of virus alerts:
W32/Mytob-EQ — A Mytob variant that disables certain system processes and limits access to security related Web sites by modifying the Windows HOSTS file. It spreads through e-mail with a double-extension attachment and drops “Lien Van de Kelder.exe” in the Windows System folder. (Sophos)
W32/Rbot-AJO — An Rbot variant that uses a randomly named file as its point of infection. It spreads through network shares by exploiting a number of known Windows flaws. Backdoor access is provided via IRC. (Sophos)
W32/Rbot-APN — This Rbot variant installs itself as “Internet.exe” in the Windows System folder. It also targets peer-to-peer networks. (Sophos)
W32/Rbot-APT — Yet another Rbot variant. This one uses “win.pif” in the Windows System directory as its infection point. It exploits a number of known Windows vulnerabilities as spreads through network shares. (Sophos)
W32/Rbot-APW — The fourth Rbot Trojan of the day drops “winsass.exe” in the Windows System folder and can be used for a number of malicious purposes, including scanning ports, stealing information and download additional information. (Sophos)
W32/Rbot-APU — Our fifth Rbot variant uses the filename “WinSGR32.exe” to infected the Windows System directory of the target machine. (Sophos)
W32/Rbot-AQA — The sixth Rbot variant uses a randomly named file placed in the Windows System folder as its infection point. It too can provide access via IRC and be used for a number of malicious purposes. (Sophos)
Troj/GrayBird-Z — A backdoor Trojan that drops “G_Server1.2.exe” in the Windows folder. (Sophos)
W32/Eyeveg-M — An e-mail worm that spreads through a message with a one word subject. It attempts to direct the user to one of four Web sites to download code (all of the sites are down). If installed, Eyeveg-M can be used to log keystrokes, send e-mail and steal passwords. (Sophos)
Troj/Radium-A — Radium is a Trojan that can be used for a number of malicious purposes, including deleting files, executing code and kill running programs. It drops “HelpSvc.exe” in the Windows System folder and listens for commands on TCP port 8192. (Sophos)
Troj/Wirefa-A — A Windows Trojan that drops “update.exe” in the Windows System folder. It can download additional code from a remote location. (Sophos)
**********
From the interesting reading department:
Online safety threats lurk in instant messages
By now you know to be leery of e-mail attachments, even when they seem to come from a friend or colleague. These days, however, you also have to be careful of IM attachments and links – because the virus writers are already there, too. PC World, 09/30/05.
http://www.networkworld.com/go2/1003bug1g.html
Novell downplays server hack
An internal Novell investigation of an apparent hack involving one of its computers revealed that the incident was less serious than was described by the security consultant who reported it to the company, a spokesman said Friday. Computerworld, 09/30/05.
http://www.networkworld.com/news/2005/093005-novell-hack.html?nl
Hackers fail to break into Via’s StrongBox
Hackers at a security conference in Malaysia failed to break into Via Technologies’ StrongBox security application during a competition, Via officials said Friday, but the company gathered some valuable feedback from participants. IDG News Service, 09/30/05.
http://www.networkworld.com/news/2005/093005-via-strongbox.html?nl




