Microsoft releases nine patches

Opinion
Oct 13, 20059 mins

* Patches from Microsoft, Mandriva, Gentoo, others * Beware six new Rbot variants * Securing mobile data more important than viruses, and other interesting reading

Today’s bug patches and security alerts:

Windows 2000 vulnerability could lead to new outbreak

Microsoft has released nine security updates for vulnerabilities in its software products, including three critical fixes for Windows and Internet Explorer. Among the updates is a patch for bugs in two separate components of the Windows operating system that security researchers believe could be exploited in by attackers in much the same way that the Zotob family of worms were used two months ago. IDG News Service, 10/11/05.

http://www.networkworld.com/go2/1010bug2f.html

Microsoft advisories:

MS05-052: Cumulative Security Update for Internet Explorer

https://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx

MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution

https://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

MS05-050: Vulnerability in DirectShow Could Allow Remote Code Execution

https://www.microsoft.com/technet/security/Bulletin/MS05-050.mspx

MS05-049: Vulnerabilities in Windows Shell Could Allow Remote Code Execution

https://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx

MS05-048: Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution

https://www.microsoft.com/technet/security/Bulletin/MS05-048.mspx

MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege

https://www.microsoft.com/technet/security/Bulletin/MS05-047.mspx

MS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution

https://www.microsoft.com/technet/security/Bulletin/MS05-046.mspx

MS05-045: Vulnerability in Network Connection Manager Could Allow Denial of Service

https://www.microsoft.com/technet/security/Bulletin/MS05-045.mspx

MS05-044: Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering

https://www.microsoft.com/technet/security/Bulletin/MS05-044.mspx

Other related advisories:

ISS advisory:

https://xforce.iss.net/xforce/alerts/id/206

CERT advisory:

https://www.us-cert.gov/cas/techalerts/TA05-284A.html

**********

Mandriva patches openssh

A flaw in the way GSSAPI credentials are handled could allow the information to be exposed to unauthorized users. For more, go to:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:172

Mandriva releases fixes for Mozilla Firefox, Thunderbird

A new update for Firefox fixes a bug that could impact cursor movement and patches a potential symlink vulnerability that could be exploited to overwrite files. A similar vulnerability affects Thunderbird. For more, go to:

Firefox update:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:173

Thunderbird update:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:174

Mandriva issues patch for Hylafax

The Hylafax fax server package does not create temporary files in a secure manner. A local attacker could exploit this to overwrite files on the affected machine. For more, go to:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:177

Mandriva patches webmin

According to an alert from Mandriva, “Miniserv.pl in Webmin 1.220, when ‘full PAM conversations’ is enabled, allows remote attackers to bypass authentication by spoofing session IDs via certain metacharacters (line feed or carriage return).” For more, go to:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:176

**********

Debian, Gentoo patch weex

A format string vulnerability in weex, an FTP client for updating Web sites, could be exploited to run malicious code on the affected machine. For more, go to:

Debian:

https://www.debian.org/security/2005/dsa-855

Gentoo:

https://security.gentoo.org/glsa/glsa-200510-09.xml

**********

FreeBSD, Gentoo, Mandriva patch OpenSSL

A flaw in the way OpenSSL handles a newer version of the SSL protocol could result in a less secure version of SSL to be used. An attacker could exploit this to tamper with the data being transmitted. For more, go to:

FreeBSD:

http://www.networkworld.com/go2/1010bug2e.html

Gentoo:

https://security.gentoo.org/glsa/glsa-200510-11.xml

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:179

**********

Linux vendors patch xine-lib

A format string in xine-lib, a multimedia code library that handles audio CD information, could be exploited to run malicious code on the affected machine. For more, go to:

Debian:

https://www.debian.org/security/2005/dsa-863

Gentoo:

https://security.gentoo.org/glsa/glsa-200510-08.xml

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:180

Ubuntu:

http://www.networkworld.com/go2/1010bug2d.html

**********

Debian, Ubuntu patch Shorewall

A flaw in the way the Shorewall firewall generates iptables could allow greater permissions than originally specified. For more, go to:

Debian:

https://www.debian.org/security/2005/dsa-849

Ubuntu:

http://www.networkworld.com/go2/1010bug2c.html

**********

Debian, Ubuntu patch Ruby

Ruby, a scripting language, does not properly enforce the “safe level” mechanism, allowing attackers to gain elevated privileges and potentially run arbitrary code on the affected machine. For more, go to:

Debian (Ruby):

https://www.debian.org/security/2005/dsa-860

Debian (Ruby 1.6):

https://www.debian.org/security/2005/dsa-862

Ubuntu:

http://www.networkworld.com/go2/1010bug2b.html

**********

Debian patches masqmail

Two vulnerabilities have been found in the masqmail mailer application. One could lead to files being overwritten in a symlink attack, the other to malicious files being executed on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-848

**********

Today’s roundup of virus alerts:

W32/Agobot-TP — An Agobot variant that moves through network shares and exploits a number of known Windows vulnerabilities to infect a host. It drops “svchost32.exe” in the Windows System folder and can be used a SOCKS proxy, for port scanning and in denial-of-service attacks – all remotely controlled through IRC. (Sophos)

W32/Agobot-TR — This Agobot variant allows control over a number of malicious applications via IRC. In addition, it modifies the Windows HOSTS file to limit access to security related Web sites. It drops “winlogoff.exe” in the Windows System folder. (Sophos)

W32/Kangaroo-B — A virus that monitors the windows title bar, looking for drive letters. When it finds one, it copies “kangen.exe” to that file. The virus puts a Word file on the machine that has an Indonesian pop song embedded. (Sophos)

W32/Erkez-G — An e-mail and peer-to-peer worm that seeks out directories that start with “musi”, “shar”, or “uploa” and drops files in there. The infected files are “AntiVirus Update.exe” and “antivirus_update.exe” in the Windows System folder. The e-mail message uses a number of characteristics, but most of the potential subject lines are foreign. (Sophos)

Troj/Mirchack-A — This a hacked version of the mIRC32 client that allows a backdoor to the IRC network. (Sophos)

W32/Rbot-AQQ — A new Rbot variant that drops “lsasss.exe” in the Windows System folder. It allows backdoor access via IRC. (Sophos)

32/Rbot-AQW — Yet another Rbot variant that exploits a number of known Windows flaws to infect a machine. It allows backdoor access via IRC. (Sophos)

W32/Rbot-ARD — Another Rbot variant that provides backdoor access via IRC. It spreads through network shares with weak passwords or to machines infected with another virus or non-patched Windows flaws. (Sophos)

W32/Rbot-ARE — The fourth Rbot variant uses IRC to provide backdoor access to the infected host. It drops “expl0rer.pif” in the Windows System folder. (Sophos)

W32/Rbot-ARH — The fifth Rbot variant works in similar fashion to the other four we’ve covered today. This one installs “mswi32.pif” in the Windows System folder. (Sophos)

W32/Rbot-ARI — Rbot number six this week drops “up32.pif” in the Windows System folder. (Sophos)

W32/Codbot-AD — A network worm that installs “winjava.exe” in the Windows System directory and can be used to control the infected host via IRC. (Sophos)

Troj/Iyus-N — A virus that arrives as a CAB file containing “setting.inf” and “install.exe”. The virus tries to download additional code from a remote Web site and attempts to terminate security related applications. (Sophos)

Troj/Lecna-D — A backdoor Trojan that tries to download an additional executable (netscv.exe) from a remote site via HTTP. It does install “USBTest.sys” in the WindowsSystemsdrivers folder. (Sophos)

W32/Brontok-A — An e-mail worm that searches for addresses on the infected host. It spreads through a message with “Kangen.exe” attached. It will restart the infected machine each time it encounters a certain string in the Windows title bar. (Sophos)

W32/Forbot-CI — A Forbot variant that allows the infected machine to be used for a number of malicious purposes, including starting and HTTP and FTP server, executing commands and stealing passwords. It installs itself as “svshost.exe” in the Windows System directory. (Sophos)

W32/Alasrou-A — An e-mail harvesting worm that exploits the Windows LSASS flaw to infect a machine as it spreads through network shares. It drops “file1.exe” in the Temp directory and FTPs its bounty to a remote site. (Sophos)

W32/Mytob-DW — This Mytob variant can spread through network shares and e-mail. It creates “hellmsn.exe” in the root directory and can allow backdoor access via IRC. (Sophos)

W32/Lebreat-A — A virus that spreads via e-mail and can be used in a denial-of-service attack against www.symantec.com. It uses port 8885 to do so. The infected message looks like an account warning (i.e. “Your credit card was charged for $500 USD. For additional information see the attachment.” (Sophos)

W32/Spybot-DX — A backdoor Trojan that allows access to the infected machine via IRC. It installs “rundll.exe” in the Windows System folder. No other word on what damage can be caused by Spybot-DX. (Sophos)

W32/Stubbot-D — A virus that exploits Windows vulnerabilities and other machines infected with the MyDoom virus as it spreads through network shares. It drops “stubbish.exe” in the Windows folder and allows backdoor access through IRC. (Sophos)

**********

From the interesting reading department:

Securing mobile data more important than viruses

Enterprises with workers that can access corporate data from mobile devices should be less concerned about mobile viruses and more focused on setting and enforcing rules for securing the data, said speakers at Symbian’s Smartphone Show in London on Tuesday. IDG News Service, 10/12/05.

http://www.networkworld.com/news/2005/101205-mobile-data.html?nl

Is security software the next battle for Microsoft?

Microsoft’s moves into the security software market could be an agitator for more anti-trust concerns over how it uses its market strength for other software offerings. IDG News Service, 10/12/05.

http://www.networkworld.com/go2/1010bug2a.html