Cisco 7940/7960 phone flaw reported

Opinion
Jul 11, 200510 mins

* Patches from Gentoo, Mandriva, Trustix, others * Beware seven latest Rbot variants * Researchers, vendors, ISPs attack 'Net attackers, and other interesting reading

Today’s bug patches and security alerts:

Cisco 7940/7960 phone flaw reported

SecurityTracker is warning of a flaw in the Cisco 7940/7960 phones. An attacker could send specially crafted SIP messages to change the message-waiting indicator on the affected phone. For more, go to:

https://securitytracker.com/alerts/2005/Jul/1014406.html

**********

Flaw in Oracle’s April update?

Security research David Litchfield is warning of a vulnerability in a patch that Oracle released back in April. The patch does not properly load the correct Java classes, leaving the patched system exposed to the same exploits. For more, go to:

https://www.securityfocus.com/archive/1/404536/30/30/threaded

**********

Gentoo, Mandriva, OpenPKG and Ubuntu patch zlib

Linux vendors have released fixes for a buffer overflow in zlib, a file compression utility. An attacker could exploit the flaw in a denial-of-service attack or to potentially run malicious code on the affected machine. For more, go to:

Gentoo:

https://security.gentoo.org/glsa/glsa-200507-05.xml

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:112

OpenPKG:

https://www.openpkg.org/security/OpenPKG-SA-2005.013-zlib.html

Ubuntu:

https://www.ubuntulinux.org/support/documentation/usn/usn-148-1

**********

Another “multi” patch from Trustix

Trustix rolled out a new update that fixes flaws in zlib (see above) and net-snmp. The flaws in these applications could be exploited to run arbitrary code on the affected machine. For more, go to:

https://www.trustix.org/errata/2005/0034/

**********

Linux vendors patch PHP PEAR::XML_RPC flaw

A flaw in the PHP PEAR::XML_RPC library could be exploited to pass PHP code through the eval() function. A number of third-party applications could be impacted as well. For more, go to:

Gentoo:

https://security.gentoo.org/glsa/glsa-200507-01.xml

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:109

SuSE:

http://www.networkworld.com/go2/0711bug1b.html

Ubuntu:

https://www.ubuntulinux.org/support/documentation/usn/usn-147-1

Other applications impacted by PHP PEAR::XML_RPC flaw

Gentoo’s TikiWiki:

https://security.gentoo.org/glsa/glsa-200507-06.xml

Drupal 4.6.2 and 4.5.4:

https://www.drupal.org/security/drupal-sa-2005-003/advisory.txt

**********

Drupal patches input validation error

A input validation error has been found in Drupal, the open source content management system. An attacker could exploit the flaw to run arbitrary PHP code on the affected machine. For more, go to:

https://www.drupal.org/security/drupal-sa-2005-002/advisory.txt

**********

Mandriva releases kernel updates

Multiple vulnerabilities have been found in versions 2.4 and 2.6 of the Mandriva Linux kernel. The flaws could be exploited in a denial-of-service attack against the affected machine. For more, go to:

Kernel 2.6:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:110

Kernel 2.4:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:111

Mandriva patches SquirrelMail

A number of cross-scripting vulnerabilities have been found in SquirrelMail, a PHP-based Webmail application. An attacker could exploit this by sending specially crafted URLs to the intended victim, allowing the attacker to take control of the user’s session. For more, go to:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:108

Mandriva issues fix for ImageMagick

According to a Mandriva advisory, “A heap-based buffer overflow was found in the way that ImageMagick parses PNM files.  If an attacker can trick a victim into opening a specially crafted PNM file, the attacker could execute arbitrary code on the victim’s machine.” A denial-of-service vulnerability has also been found. For more, go to:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:107

**********

NetBSD patches Crypto leaks

A flaw in the way the NetBSD operating system interacts with Intel HyperThreaded processors could be exploited by an attacker to access cached memory. For more, go to:

http://www.networkworld.com/go2/0711bug1a.html

**********

SCO patches Mozilla for UnixWare

SCO has rolled out a bug fix update for the Mozilla browser that runs on Unixware. It fixes a number of flaws in versions 1.7.7 and 1.7/8. For more, go to:

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.29

**********

New Bugzilla update available

Two vulnerabilities have been found in Bugzilla, a bug tracking system. An attacker could exploit the flaws to change bug information without authorization and potentially view “leaked” information. For more, go to:

https://www.bugzilla.org/security/2.18.1/

**********

Debian patches sudo

A race condition in Sudo could be exploited to run applications with the privileges on another user. For more, go to:

https://www.debian.org/security/2005/dsa-735

Debian patches SpamAssassin 3 and Vipul’s Razor

An attacker could send malformed messages through SpamAssassin or Vipul’s Razor, causing the filtering applications to crash. For more, go to:

SpamAssassin:

https://www.debian.org/security/2005/dsa-736

Razor:

https://www.debian.org/security/2005/dsa-738

Debian issues fix for Bzip2

Bzip2, another compression tool, contains flaws in the way it extracts compressed files. An attacker could exploit this to send the application into an infinite loop or potentially overwrite files on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-740

**********

Today’s roundup of virus alerts:

W32/Gatina-A — A virus that spreads through e-mail using multiple message characteristics. The infected attachment will have a double extension of “.doc.exe”. The virus harvests e-mail addresses from the infected host and disables anti-virus application. (Sophos)

W32/Rbot-AGQ — A new Rbot variant that spreads through network shares and allows backdoor access via IRC. It drops “syscfg.exe” in the Windows System folder and can be used for a number of malicious applications. (Sophos)

W32/Rbot-AGT — This Rbot variant exploits a number of well known Windows vulnerabilities as it spreads through network shares. It drops “scrsave.scr” on the infected host and can allow backdoor access through IRC. (Sophos)

W32/Rbot-AGI — This particular Rbot variant uses a randomly named file as its infection point. It exploits the Windows LSASS vulnerability in order to infect a host. (Sophos)

W32/Rbot-AGV — Yet another Rbot variant. This one installs itself as “mcafee32.exe” in the Windows System directory. (Sophos)

W32/Rbot-AGW — Our fifth Rbot variant of day drops “winupdat32.exe” on the infected machine. (Sophos)

W32/Rbot-AHE — The sixth Rbot variant uses the file “wininit32.exe” as its infection point. It too allows backdoor access via IRC and can be used for a number of malicious applications, including starting an FTP server, acting as a proxy, logging keystrokes and participating in denial-of-service attacks. (Sophos)

W32/Rbot-BWI — Lucky number seven! This Rbot variant can also be used for a number of malicious purposes, all remotely controlled via IRC. It installs “SetPoint.exe” on the infected machine. (Sophos)

W32/Mytob-CT — An e-mail variant that looks like a message from a system administrator. It uses a double extension on the infected attachment. It installs itself as “Lien Vande Kelder.exe”, disables security applications and limits access to security Web sites by modifying the Windows HOSTS file. (Sophos)

W32/Mytob-DB — Another Mytob variant that uses infected e-mail messages that look like system administrator or password warnings. This particular variant drops “winmon.exe” on its host. (Sophos)

W32/Mytob-DF — Yet another Mytob variant that uses “Lien Van de Kelder.exe” as its infection point. (Sophos)

W32/Mytob-DE — This variant of the Mytob e-mail worm installs “win32bat.exe” on the infected machine. (Sophos)

Troj/Banker-EB — A password stealing Trojan that targets certain banking Web sites. No word on how it spreads. (Sophos)

Troj/Banker-ED — Another password stealing Trojan targeting banking Web sites. It drops “svchosts.exe” in the Windows System folder. (Sophos)

Troj/ByteVeri-M — A Java Applet that exploits a Windows vulnerability to infect a machine and download additional malicious code. (Sophos)

Troj/GrayBird-M — A Trojan that allows intruders access to the infected machine (no word on if access is through an open port or IRC channel). It drops “yak_tw.exe” in the Windows System folder. (Sophos)

Troj/Tompai-B — A Trojan that reports its infection to a remote Web site and via e-mail. It drops “mapserver.exe” in the infected machine’s Windows folder and allows backdoor access. (Sophos)

W32/MyDoom-AL — This new MyDoom variant spreads through e-mail and ICQ channels. It copies itself to “services.exe”, “winlogon.exe”, “csrss.exe” and “smss.exe”. It uses a varient of message characteristics, but the infected attachment will have a .pif or .zip extension. (Sophos)

W32/Randon-AO — A network worm that spreads through network shares by exploiting the Windows LSASS vulnerability. It installs a number of files on the infected machine and adds a registry entry for “AERVICESN.exe”. (Sophos)

W32/Randon-AN — Another Randon variant. This one uses a registry entry called “ansjava” that points at the local mirc application. (Sophos)

W32/Kelvir-CB — A new Windows Messenger worm variant that spreads through a message of “Doesnt this kind of look like you?” followed by a URL. Click the URL and malicious code is downloaded. (Sophos)

W32/Kelvir-AF — Another Kelvir Windows Messenger worm. This one uses the message “f**ker … you are on this picture and you never told me” followed by a malicious URL. (Sophos)

Troj/Bancsde-E — A password stealing Trojan that targets German banking sites. It arrives as the file “xx.exe” and installs “xxsrsrv.exe” on the infected machine. XX is two random characters. (Sophos)

Troj/Baglet-D — This Trojan harvests e-mail addresses from the infected machine, then sends its bounty to a remote site (probably for spamming.) (Sophos)

Troj/LegMir-AK — A password stealing Trojan that also tries to disable security applications. No word on how it spreads. (Sophos)

Troj/Bancban-DO — Another banking Trojan that monitors what Web sites are being visiting and steal passwords used for financial sites. It drops “scvhost.exe” on the infected machine. (Sophos)

W32/Forbot-EZ — A new Forbot Trojan variant that spreads through network shares and drops “mswindrv.exe” in the Windows System folder. It can be used to start an FTP server, participate in DoS attacks, portscan IP addresses and execute commands. (Sophos)

W32/Nemsi-B — A virus that tries to infect Windows executables. On the 29th of any month, the virus will try to delete a number of system files. It drops “bootcfg1.exe” on the host. (Sophos)

Troj/AdClick-AT — This Trojan attempts to display adware and porn sites on the infected machine. (Sophos)

Troj/Dloader-PZ — A Trojan that attempts to download code (“svchst.exe”) from a remote site and execute it. (Sophos)

W32/Tame-A — A virus that spreads through peer-to-peer networks and drops MyDoom variants on the infected machine. (Sophos)

Troj/Mitglie-CE — A Trojan that allows remote access to the infected machine. It drops “winudll.exe” in the Windows System folder. (Sophos)

Troj/Feutel-L — A new Trojan that can be used to capture video, listen in on the infected machine, log keystrokes and download additional code. It drops “G_Server.exe”. (Sophos)

Troj/Torpig-A — Another Windows Trojan that installs “explorer.exe” in the Windows system folder and can be used to log keystrokes and more. It can also disable common anti-virus applications. (Sophos)

**********

From the interesting reading department:

Researchers, vendors, ISPs attack ‘Net attackers

Some of the best Internet minds in the world met Thursday to discuss a wide range of methods to rid the Web of malicious traffic. The Usenix invitation-only workshop, called Steps to Reducing Unwanted Traffic on the Internet (SRUTI), brought together more than 50 academics from all over the world as well as technical staff from equipment vendors and ISPs to develop methods to cut down on spam, viruses, worms and distributed denial-of-service (DDoS) attacks – methods that are practical at an operational level. (“Sruti,” by the way, is a Sanskrit word meaning “that which is heard.”) NetworkWorld.com, 07/08/05.

http://www.networkworld.com/news/2005/070805-sruti.html?nl

Sasser worm creator sentenced by German court

A German teenager who confessed to creating the Sasser computer worm has been found guilty of three counts of computer sabotage and four counts of data manipulation, and given a suspended sentence of 21 months. IDG News Service, 07/08/05.

http://www.networkworld.com/news/2005/070805-sasser-worm.html?nl