SquirrelMail flaws fixed

Opinion
Jun 23, 20056 mins

* Patches from Gentoo, Mandriva, others * Beware new Mytob variants * Computers' Insecure Security

Today’s bug patches and security alerts:

SquirrelMail flaws fixed

A number of cross-scripting vulnerabilities have been found in SquirrelMail, a PHP-based Webmail application. An attacker could exploit this by sending specially crafted URLs to the intended victim, allowing the attacker to take control of the user’s session. For more, go to:

https://www.squirrelmail.org/security/issue/2005-06-15

Related Gentoo fix:

https://security.gentoo.org/glsa/glsa-200506-19.xml

**********

Gentoo releases fix for MediaWiki

A flaw in the way MediaWiki, a tool for editing wikipedia entries, handles inclusions on template pages could be exploited in a cross-scripting attack. Malicious code could be run via an unsuspecting user’s browser. For more, go to:

https://security.gentoo.org/glsa/glsa-200506-12.xml

Gentoo patches webapp-config

The Gentoo application install utility webapp-config does not create temporary files in a secure manner. An attacker could exploit this to run potentially malicious code on the affected machine. For more, go to:

https://security.gentoo.org/glsa/glsa-200506-13.xml

Gentoo issues patch for PeerCast

The PeerCast multimedia streaming engine for Gentoo contains a format string vulnerability that could be exploited to run malicious applications on the affected machine. A fix is available. For more, go to:

https://security.gentoo.org/glsa/glsa-200506-15.xml

Gentoo fixes cpio flaw

A directory traversal vulnerability has been found in Gentoo’s implementation of cpio, a file archiving tool. An attacker could exploit this to view virtually any directory on the affected system. For more, go to:

https://security.gentoo.org/glsa/glsa-200506-16.xml

**********

Mandriva, Ubuntu patch tcpdump

A number of the tcpdump protocol decoders contain flaws that could send the network monitoring application into an infinite loop, resulting in a denial of service. For more, go to:

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:101

Ubuntu:

https://www.ubuntulinux.org/support/documentation/usn/usn-141-1

**********

Mandriva patches gedit

According to a Mandriva security advisory, “A vulnerability was discovered in gEdit where it was possible for an attacker to create a file with a carefully crafted name which, when opened, executed arbitrary code on the victim’s computer. It is highly unlikely that a user would open such a file, due to the file name, but could possibly be tricked into opening it.” For more, go to:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:102

**********

Gentoo, SuSE patch Java flaw

As we reported last week, Sun found a couple flaws in its Java Runtime environment that could allow an attacker to take control of the infected machine. Gentoo and SuSE have released updates for their respective Linux platforms to fix these Java vulnerabilities. For more, go to:

Gentoo:

https://security.gentoo.org/glsa/glsa-200506-14.xml

SuSE:

http://www.networkworld.com/go2/0620bug2b.html

**********

Gentoo, Mandriva, Ubuntu release Sudo patch

A race condition in Sudo could be exploited to run applications with the privileges on another user. Fixes are available. For more, go to:

Gentoo:

https://security.gentoo.org/glsa/glsa-200506-22.xml

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:103

Ubuntu:

https://www.ubuntulinux.org/support/documentation/usn/usn-142-1

**********

Today’s roundup of virus alerts:

Downloader.DCM – A Trojan Horse that installs Dumador.BC (below) on the infected machine. The Downloader.DCM code must be spread manually and attempts to hide from firewalls and other security applications. (Panda Software)

Dumador.BC – A remote control tool that is dropped by Download.DCM. It also disables anti-virus applications on the affected machine. (Panda Software)

Looxee – A hacker tool that can be used to monitor activity on an infected machine, including e-mails, chats and other applications. (Panda Software)

W32/Mytob-BI – A new variant of the Mytob e-mail/network share worm. This version drops “winsys33.exe” on the infected machine and can limit access to security Web sites by modifying the Windows HOSTS file. The infected e-mail message looks like an account suspended warning. (Sophos)

W32/Mytob-GZ – Another Trojan that can be controlled through an IRC connection. This Mytob variant drops “taskmr.exe” on the infected machine. It’s e-mails look like a status report or delivery failure message. (Sophos)

W32/Mytob-BQ – Batting for a triple with Mytob, that variant installs itself as “winxpserv.exe” on the infected machine. It too limits access to the security Web sites by modifying the Windows HOSTS file. (Sophos)

W32/Rbot-KX – An Rbot variant that allows backdoor access through IRC and can be used for a number of malicious purposes, including running proxy servers on the infected machine and logging keystrokes. It spreads through network shares and drops “iiexplorer.exe” in the Windows System folder. (Sophos)

W32/Rbot-AFR – This Rbot variant exploits a couple different Windows vulnerabilities as it spreads through shared network drives. It too can allow control through IRC and be used for a number of malicious purposes. It installs “syspci32.exe” in the Windows System folder. (Sophos)

W32/Sdbot-ZM – A Trojan that installs itself as “nawdll32.exe” in the Windows System directory. It spreads through network shares and allows backdoor access via IRC. It can act as an FTP server and download/execute additional code. (Sophos)

W32/Sdbot-YW – Another Sdbot variant that allows control of the infected machine via IRC. YW drops “hmusvc32.exe” in the Windows System folder. (Sophos)

W32/Sdbot-ZO – Our third Sdbot variant today acts much the same way as the previous two. It’s infected file is “burndl32.exe”. (Sophos)

Troj/Bizves-B – A downloader Trojan that installs as “popcorn.exe”. (Sophos)

W32/Randon-AN – Another Trojan horse application that attempts to provide access to the infected host through IRC. It drops a number of files on the target machine, including “app.exe” and “netservup.exe”. (Sophos)

**********

From the interesting reading department:

Computers’ Insecure Security

A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year – and for the first time surpassing those found in all Microsoft products. The majority of these weaknesses are found by researchers, academics, and security companies. Trouble is, hackers then take those findings and use it for nefarious purposes. BusinessWeek Online, 06/17/05.

http://www.networkworld.com/go2/0620bug2a.html