‘Critical’ Windows patch coming Tuesday

Opinion
Dec 12, 2005
Networking, Security

* Patches from HP, Mandriva, Debian, others
* Secret code lurks in Sober variant
* Intel working on rootkit detection techniques

Today’s bug patches and security alerts:

Microsoft plans one critical patch on Tuesday

Microsoft is planning two software security fixes — at least one of them rated as critical — as part of December’s release of security updates. Both patches are for the Windows operating system, according to information on Microsoft’s Web site. A critical rating for a bug means that a worm could take advantage of it without the user taking any action. IDG News Service, 12/09/05.

http://www.networkworld.com/news/2005/120905-microsoft-patch.html

**********

Trustix releases “multi”

A new update from Trustix fixes flaws in the kernel and Perl. The most serious of the flaws could be exploited by an attacker to run malicious code on the affected machine. For more, go to:

https://www.trustix.org/errata/2005/0070/

**********

Debian, Ubuntu patch courier

The authentication module for the Courier Mail Server grants access to deactivated accounts. A fix is available. For more, go to:

Debian:

https://www.debian.org/security/2005/dsa-917

Ubuntu:

http://www.networkworld.com/go2/1212bug1a.html

**********

Debian patches osh

According to an alert from Debian, “Several security related problems have been discovered in osh, the operator’s shell for executing defined programs in a privileged environment.” For more, go to:

https://www.debian.org/security/2005/dsa-918

**********

Mandriva releases patch for OpenVPN

Two denial-of-service vulnerabilities have been found in the open-source OpenVPN client. One of the flaws could be further exploited to run malicious code on the affected device. For more, go to:

http://www.networkworld.com/go2/1212bug1b.html

Mandriva patches curl

A buffer overflow has been found in curl’s URL parser function. An attacker could exploit this to break out of PHP’s safe mode. For more, go to:

https://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:224

Mandriva releases update for Perl

Format string errors in the Perl programming language could be exploited to run malicious code on the affected machine. For more, go to:

https://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:225

**********

HP patches Tru64 Unix Secure Web Server

According to an HP advisory, “A potential security vulnerability has been identified in the Secure Web Server for Tru64 Unix (powered by Apache) 6.4.1 and earlier when running PHP/XMLRPC. The vulnerability could be exploited by a remote unauthorized user to execute arbitrary code.” The update kit can be downloaded from:

https://h30097.www3.hp.com/internet/download.htm

**********

Today’s roundup of virus alerts:

Secret code lurks in Sober variant

Security vendors have discovered a variant of the Sober worm that they say is programmed to download an unknown piece of code from various Internet addresses early next month, launching a potential barrage of traffic on the Internet. IDG News Service, 12/08/05.

http://www.networkworld.com/news/2005/120805-sober-worm.html?nl

Troj/Graybrd-AU — A Trojan that communicates with remote servers via HTTP. It is installed as “oyhskycn.scr” in the Windows System folder. (Sophos)

Troj/Danmec-G — Another Danmec variant that can be used to send system information to a remote site and download additional malicious code. It drops a number of files on the infected host, including “checkreg.exe” in the Windows System folder. (Sophos)

W32/Rbot-BAL — An Rbot variant that installs itself as “svshost.exe” in the Windows System folder. It spreads via network shares, exploiting a number of known Windows flaws and can allow backdoor access via IRC. (Sophos)

W32/Rbot-BBA — Our second Rbot variant of the day drops a number of files on its host, including “Internet.exe” in the Windows folder. (Sophos)

W32/Mytob-GC — A new Mytob variant that spreads through an e-mail message entitled “Account Alert” and has an attachment called “Confirmation_Sheet.pif”. It drops “netsvc.exe” in the Windows System folder, disables access to security-related Web sites by modifying the Windows HOSTS file and terminates certain system processes. (Sophos)

W32/Mytob-FZ — This Mytob variant acts similarly to Mytob-GC above, except that it uses variable subject lines and drops “msconfgh.exe” in the Windows System directory. (Sophos)
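The Mytob variants above block access to security vendors by rewriting the Windows HOSTS file so that those names resolve to a loopback or blackhole address. The script below is an added example, not part of the newsletter or of any vendor tool: it parses a HOSTS file and flags every hostname other than the usual localhost aliases that is mapped to a loopback or unspecified address. The sample HOSTS content and the vendor domain names in it are constructed for the demonstration.

```python
"""Flag HOSTS-file entries that sink hostnames to a loopback or blackhole
address, the technique the Mytob variants use to block security sites."""
import ipaddress

# Constructed sample HOSTS file (not from the page): two legitimate
# localhost lines, a comment, and three suspicious redirections.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av-vendor.test   # hypothetical vendor domain
0.0.0.0         update.example-av-vendor.test
127.0.0.1       windowsupdate.example.test
"""

# Names that legitimately resolve to loopback on most systems.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each non-comment entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address with no hostname
        yield line_no, parts[0], parts[1:]


def is_sinkhole_address(addr):
    """True if addr is loopback (127.x, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_suspicious_entries(text):
    """Return (line_no, address, hostname) for every hostname that is sunk
    to a loopback/blackhole address and is not a normal localhost alias."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        if not is_sinkhole_address(addr):
            continue
        for name in names:
            if name.lower() not in LOOPBACK_NAMES:
                findings.append((line_no, addr, name.lower()))
    return findings


if __name__ == "__main__":
    for line_no, addr, name in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

Pointing the same function at `%SystemRoot%\System32\drivers\etc\hosts` on a real machine gives an incident responder a quick list of sites the malware has cut the host off from; any entry that redirects a vendor or update domain is worth treating as a compromise indicator.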

W32/Sdbot-AGC — Another IRC backdoor worm that spreads through network shares by exploiting a number of known Windows flaws. It is installed as “taskmgr.exe” in the Windows folder. (Sophos)

W32/Sdbot-AGG — This Sdbot variant drops “clsass32.exe” in the Windows System folder after spreading through a network share. It too allows backdoor access via IRC. (Sophos)

W32/Tilebot-CB — The Tilebot worm spreads through network shares by exploiting well-known Windows flaws and AOL Instant Messenger. It can be used for a number of malicious purposes, including monitoring the system, scanning other machines and allowing backdoor access via IRC. It’s installed as “lsass.exe” in the Windows System folder. (Sophos)

W32/Tilebot-CC — A second Tilebot variant with similar characteristics. This one drops “wincmdXP.exe” in the Windows System folder. (Sophos)

Troj/Mipbot-A — A Trojan that is used to send spam from the infected host. It is installed as a randomly named DLL file and communicates with specific remote servers. (Sophos)

Troj/Dloadr-ABJ — This downloader Trojan drops “winloadhh.dll” in the root folder of the infected machine. (Sophos)

Troj/Funot-A — A virus that overwrites existing files with the text “Fun X27 .::@li-RNo.H.::.VasVase”. (Sophos)

Troj/Bancban-LB — A virus that gathers data entered into Internet banking Web sites and sends the data to a remote site. It is installed as “svch0st.exe” in the Windows System folder. (Sophos)

W32/Loosky-E — A Trojan that allows backdoor access via IRC and can act as a proxy server for routing Internet traffic. Multiple files are dropped on the infected machine, including “sachostx.exe” in the Windows System folder. (Sophos)

Troj/Zapchas-AD — Another Trojan that allows backdoor access to the infected machine via IRC. It is installed as “svchost.exe” in the Windows System folder. (Sophos)
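Several of the bots above hide behind file names that imitate Windows system binaries (“svshost.exe”, “svch0st.exe”, “clsass32.exe”, “sachostx.exe”). The script below is an added example, not part of the newsletter or of any vendor product: it compares file names from a directory listing against a baseline of legitimate system binaries by edit distance and flags near misses. The listing is constructed from the names in the alerts above plus a few benign entries. Note the limit of a name-only check: Tilebot-CB installs itself as “lsass.exe”, identical to the real binary, and is not caught here; that case needs a path or signature comparison instead.

```python
"""Flag file names that closely imitate legitimate Windows system binaries,
the naming trick used by several of the bots listed above."""

# Legitimate binary names a defender would baseline (real Windows names).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "taskmgr.exe",
    "winlogon.exe", "explorer.exe", "services.exe",
}

# Constructed directory listing for the demo: names taken from the alerts
# above plus benign entries (notepad.exe and the genuine svchost/lsass).
SAMPLE_LISTING = [
    "svchost.exe", "svshost.exe", "svch0st.exe", "clsass32.exe",
    "sachostx.exe", "notepad.exe", "lsass.exe",
]


def levenshtein(a, b):
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,             # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(names, max_distance=3):
    """Return (name, mimicked_binary, distance) for names within max_distance
    edits of a known system binary but not identical to it.  Identical names
    (e.g. a rogue lsass.exe) are deliberately skipped: they need a path check."""
    findings = []
    for name in names:
        n = name.lower()
        if n in KNOWN_SYSTEM_BINARIES:
            continue
        best = min(KNOWN_SYSTEM_BINARIES, key=lambda k: levenshtein(n, k))
        distance = levenshtein(n, best)
        if distance <= max_distance:
            findings.append((name, best, distance))
    return findings


if __name__ == "__main__":
    for name, mimicked, distance in find_lookalikes(SAMPLE_LISTING):
        print(f"{name} looks like {mimicked} (distance {distance})")
```

A threshold of three edits catches every imitation in this listing without flagging notepad.exe, but on a full System32 listing it will produce some noise; in practice the check is best run on newly created executables only, with the threshold tuned to the baseline.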

**********

From the interesting reading department:

Users try to balance security, IT needs

As networks and digital data come under increasing attack and government regulations hold corporations to stricter standards when it comes to information security, IT managers are looking for ways to balance the need for security with the demand for IT flexibility. NetworkWorld.com, 12/08/05.

http://www.networkworld.com/news/2005/120805-security-balance.html

Intel working on rootkit detection techniques

Intel is working on a research project that would immediately notify PC users if they inadvertently download a rootkit like the XCP (extended copy protection) software found on certain music CDs shipped by Sony, researchers said Tuesday. IDG News Service, 12/07/05.

http://www.networkworld.com/news/2005/120705-intel-rootkit.html?nl