* Patches from Gentoo, Mandriva, Trustix, others * Beware seven latest Rbot variants * Researchers, vendors, ISPs attack 'Net attackers, and other interesting reading
Today’s bug patches and security alerts:
Cisco 7940/7960 phone flaw reported
SecurityTracker is warning of a flaw in the Cisco 7940/7960 phones. An attacker could send specially crafted SIP messages to change the message-waiting indicator on the affected phone. For more, go to:
https://securitytracker.com/alerts/2005/Jul/1014406.html
**********
Flaw in Oracle’s April update?
Security research David Litchfield is warning of a vulnerability in a patch that Oracle released back in April. The patch does not properly load the correct Java classes, leaving the patched system exposed to the same exploits. For more, go to:
https://www.securityfocus.com/archive/1/404536/30/30/threaded
**********
Gentoo, Mandriva, OpenPKG and Ubuntu patch zlib
Linux vendors have released fixes for a buffer overflow in zlib, a file compression utility. An attacker could exploit the flaw in a denial-of-service attack or to potentially run malicious code on the affected machine. For more, go to:
Gentoo:
https://security.gentoo.org/glsa/glsa-200507-05.xml
Mandriva:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:112
OpenPKG:
https://www.openpkg.org/security/OpenPKG-SA-2005.013-zlib.html
Ubuntu:
https://www.ubuntulinux.org/support/documentation/usn/usn-148-1
**********
Another “multi” patch from Trustix
Trustix rolled out a new update that fixes flaws in zlib (see above) and net-snmp. The flaws in these applications could be exploited to run arbitrary code on the affected machine. For more, go to:
https://www.trustix.org/errata/2005/0034/
**********
Linux vendors patch PHP PEAR::XML_RPC flaw
A flaw in the PHP PEAR::XML_RPC library could be exploited to pass PHP code through the eval() function. A number of third-party applications could be impacted as well. For more, go to:
Gentoo:
https://security.gentoo.org/glsa/glsa-200507-01.xml
Mandriva:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:109
SuSE:
http://www.networkworld.com/go2/0711bug1b.html
Ubuntu:
https://www.ubuntulinux.org/support/documentation/usn/usn-147-1
Other applications impacted by PHP PEAR::XML_RPC flaw
Gentoo’s TikiWiki:
https://security.gentoo.org/glsa/glsa-200507-06.xml
Drupal 4.6.2 and 4.5.4:
https://www.drupal.org/security/drupal-sa-2005-003/advisory.txt
**********
Drupal patches input validation error
A input validation error has been found in Drupal, the open source content management system. An attacker could exploit the flaw to run arbitrary PHP code on the affected machine. For more, go to:
https://www.drupal.org/security/drupal-sa-2005-002/advisory.txt
**********
Mandriva releases kernel updates
Multiple vulnerabilities have been found in versions 2.4 and 2.6 of the Mandriva Linux kernel. The flaws could be exploited in a denial-of-service attack against the affected machine. For more, go to:
Kernel 2.6:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:110
Kernel 2.4:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:111
Mandriva patches SquirrelMail
A number of cross-scripting vulnerabilities have been found in SquirrelMail, a PHP-based Webmail application. An attacker could exploit this by sending specially crafted URLs to the intended victim, allowing the attacker to take control of the user’s session. For more, go to:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:108
Mandriva issues fix for ImageMagick
According to a Mandriva advisory, “A heap-based buffer overflow was found in the way that ImageMagick parses PNM files. If an attacker can trick a victim into opening a specially crafted PNM file, the attacker could execute arbitrary code on the victim’s machine.” A denial-of-service vulnerability has also been found. For more, go to:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:107
**********
NetBSD patches Crypto leaks
A flaw in the way the NetBSD operating system interacts with Intel HyperThreaded processors could be exploited by an attacker to access cached memory. For more, go to:
http://www.networkworld.com/go2/0711bug1a.html
**********
SCO patches Mozilla for UnixWare
SCO has rolled out a bug fix update for the Mozilla browser that runs on Unixware. It fixes a number of flaws in versions 1.7.7 and 1.7/8. For more, go to:
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.29
**********
New Bugzilla update available
Two vulnerabilities have been found in Bugzilla, a bug tracking system. An attacker could exploit the flaws to change bug information without authorization and potentially view “leaked” information. For more, go to:
https://www.bugzilla.org/security/2.18.1/
**********
Debian patches sudo
A race condition in Sudo could be exploited to run applications with the privileges on another user. For more, go to:
https://www.debian.org/security/2005/dsa-735
Debian patches SpamAssassin 3 and Vipul’s Razor
An attacker could send malformed messages through SpamAssassin or Vipul’s Razor, causing the filtering applications to crash. For more, go to:
SpamAssassin:
https://www.debian.org/security/2005/dsa-736
Razor:
https://www.debian.org/security/2005/dsa-738
Debian issues fix for Bzip2
Bzip2, another compression tool, contains flaws in the way it extracts compressed files. An attacker could exploit this to send the application into an infinite loop or potentially overwrite files on the affected machine. For more, go to:
https://www.debian.org/security/2005/dsa-740
**********
Today’s roundup of virus alerts:
W32/Gatina-A — A virus that spreads through e-mail using multiple message characteristics. The infected attachment will have a double extension of “.doc.exe”. The virus harvests e-mail addresses from the infected host and disables anti-virus application. (Sophos)
W32/Rbot-AGQ — A new Rbot variant that spreads through network shares and allows backdoor access via IRC. It drops “syscfg.exe” in the Windows System folder and can be used for a number of malicious applications. (Sophos)
W32/Rbot-AGT — This Rbot variant exploits a number of well known Windows vulnerabilities as it spreads through network shares. It drops “scrsave.scr” on the infected host and can allow backdoor access through IRC. (Sophos)
W32/Rbot-AGI — This particular Rbot variant uses a randomly named file as its infection point. It exploits the Windows LSASS vulnerability in order to infect a host. (Sophos)
W32/Rbot-AGV — Yet another Rbot variant. This one installs itself as “mcafee32.exe” in the Windows System directory. (Sophos)
W32/Rbot-AGW — Our fifth Rbot variant of day drops “winupdat32.exe” on the infected machine. (Sophos)
W32/Rbot-AHE — The sixth Rbot variant uses the file “wininit32.exe” as its infection point. It too allows backdoor access via IRC and can be used for a number of malicious applications, including starting an FTP server, acting as a proxy, logging keystrokes and participating in denial-of-service attacks. (Sophos)
W32/Rbot-BWI — Lucky number seven! This Rbot variant can also be used for a number of malicious purposes, all remotely controlled via IRC. It installs “SetPoint.exe” on the infected machine. (Sophos)
W32/Mytob-CT — An e-mail variant that looks like a message from a system administrator. It uses a double extension on the infected attachment. It installs itself as “Lien Vande Kelder.exe”, disables security applications and limits access to security Web sites by modifying the Windows HOSTS file. (Sophos)
W32/Mytob-DB — Another Mytob variant that uses infected e-mail messages that look like system administrator or password warnings. This particular variant drops “winmon.exe” on its host. (Sophos)
W32/Mytob-DF — Yet another Mytob variant that uses “Lien Van de Kelder.exe” as its infection point. (Sophos)
W32/Mytob-DE — This variant of the Mytob e-mail worm installs “win32bat.exe” on the infected machine. (Sophos)
Troj/Banker-EB — A password stealing Trojan that targets certain banking Web sites. No word on how it spreads. (Sophos)
Troj/Banker-ED — Another password stealing Trojan targeting banking Web sites. It drops “svchosts.exe” in the Windows System folder. (Sophos)
Troj/ByteVeri-M — A Java Applet that exploits a Windows vulnerability to infect a machine and download additional malicious code. (Sophos)
Troj/GrayBird-M — A Trojan that allows intruders access to the infected machine (no word on if access is through an open port or IRC channel). It drops “yak_tw.exe” in the Windows System folder. (Sophos)
Troj/Tompai-B — A Trojan that reports its infection to a remote Web site and via e-mail. It drops “mapserver.exe” in the infected machine’s Windows folder and allows backdoor access. (Sophos)
W32/MyDoom-AL — This new MyDoom variant spreads through e-mail and ICQ channels. It copies itself to “services.exe”, “winlogon.exe”, “csrss.exe” and “smss.exe”. It uses a varient of message characteristics, but the infected attachment will have a .pif or .zip extension. (Sophos)
W32/Randon-AO — A network worm that spreads through network shares by exploiting the Windows LSASS vulnerability. It installs a number of files on the infected machine and adds a registry entry for “AERVICESN.exe”. (Sophos)
W32/Randon-AN — Another Randon variant. This one uses a registry entry called “ansjava” that points at the local mirc application. (Sophos)
W32/Kelvir-CB — A new Windows Messenger worm variant that spreads through a message of “Doesnt this kind of look like you?” followed by a URL. Click the URL and malicious code is downloaded. (Sophos)
W32/Kelvir-AF — Another Kelvir Windows Messenger worm. This one uses the message “f**ker … you are on this picture and you never told me” followed by a malicious URL. (Sophos)
Troj/Bancsde-E — A password stealing Trojan that targets German banking sites. It arrives as the file “xx.exe” and installs “xxsrsrv.exe” on the infected machine. XX is two random characters. (Sophos)
Troj/Baglet-D — This Trojan harvests e-mail addresses from the infected machine, then sends its bounty to a remote site (probably for spamming.) (Sophos)
Troj/LegMir-AK — A password stealing Trojan that also tries to disable security applications. No word on how it spreads. (Sophos)
Troj/Bancban-DO — Another banking Trojan that monitors what Web sites are being visiting and steal passwords used for financial sites. It drops “scvhost.exe” on the infected machine. (Sophos)
W32/Forbot-EZ — A new Forbot Trojan variant that spreads through network shares and drops “mswindrv.exe” in the Windows System folder. It can be used to start an FTP server, participate in DoS attacks, portscan IP addresses and execute commands. (Sophos)
W32/Nemsi-B — A virus that tries to infect Windows executables. On the 29th of any month, the virus will try to delete a number of system files. It drops “bootcfg1.exe” on the host. (Sophos)
Troj/AdClick-AT — This Trojan attempts to display adware and porn sites on the infected machine. (Sophos)
Troj/Dloader-PZ — A Trojan that attempts to download code (“svchst.exe”) from a remote site and execute it. (Sophos)
W32/Tame-A — A virus that spreads through peer-to-peer networks and drops MyDoom variants on the infected machine. (Sophos)
Troj/Mitglie-CE — A Trojan that allows remote access to the infected machine. It drops “winudll.exe” in the Windows System folder. (Sophos)
Troj/Feutel-L — A new Trojan that can be used to capture video, listen in on the infected machine, log keystrokes and download additional code. It drops “G_Server.exe”. (Sophos)
Troj/Torpig-A — Another Windows Trojan that installs “explorer.exe” in the Windows system folder and can be used to log keystrokes and more. It can also disable common anti-virus applications. (Sophos)
**********
From the interesting reading department:
Researchers, vendors, ISPs attack ‘Net attackers
Some of the best Internet minds in the world met Thursday to discuss a wide range of methods to rid the Web of malicious traffic. The Usenix invitation-only workshop, called Steps to Reducing Unwanted Traffic on the Internet (SRUTI), brought together more than 50 academics from all over the world as well as technical staff from equipment vendors and ISPs to develop methods to cut down on spam, viruses, worms and distributed denial-of-service (DDoS) attacks – methods that are practical at an operational level. (“Sruti,” by the way, is a Sanskrit word meaning “that which is heard.”) NetworkWorld.com, 07/08/05.
http://www.networkworld.com/news/2005/070805-sruti.html?nl
Sasser worm creator sentenced by German court
A German teenager who confessed to creating the Sasser computer worm has been found guilty of three counts of computer sabotage and four counts of data manipulation, and given a suspended sentence of 21 months. IDG News Service, 07/08/05.
http://www.networkworld.com/news/2005/070805-sasser-worm.html?nl




