New IE hole

Opinion
Jun 14, 2004

Networking, Security

* Patches from Gentoo, Mandrake Linux, Debian, others * Beware more Agobot variants * Switches taking on new security roles, and other interesting reading

Today’s bug patches and security alerts:

New Internet Explorer holes causing alarm

Four new holes have been discovered in the Internet Explorer (IE) Web browser that could allow malicious hackers to run attack code on Windows systems, even if those systems have installed the latest software patches from Microsoft, security experts warn. IDG News Service, 06/11/04.

https://www.nwfusion.com/news/2004/0611newie.html?nl

Related CERT advisory:

https://www.us-cert.gov/cas/techalerts/TA04-163A.html

**********

Vulnerability in RealPlayer

eEye Digital Security has found a heap overflow in most versions of the RealNetworks RealPlayer media client. The flaw could be exploited to run arbitrary code on the affected machine. A patched build can be obtained by selecting “Update Player” from the Tools menu. For more, go to:

eEye advisory:

https://www.eeye.com/html/research/advisories/AD20040610.html

RealNetworks advisory:

**********

Gentoo patches Ethereal

Multiple vulnerabilities have been found in Ethereal, a network protocol analyzer. One buffer overflow vulnerability could be exploited to run arbitrary code or crash the program. For more, go to:

https://forums.gentoo.org/viewtopic.php?t=181809

Gentoo releases fix for Tripwire

A flaw that could be exploited to run arbitrary code has been found in Tripwire, an open source file integrity checker. For more, go to:

https://forums.gentoo.org/viewtopic.php?t=181821

**********

Squid patches available

A buffer overflow in the Squid NTLM authentication helper could be triggered by sending an overly long password to the proxy. An attacker exploiting this flaw may be able to run code of their choice on the affected system. The helper is only reachable on proxies configured to use NTLM authentication, but those should be patched promptly. For more, go to:

Mandrake Linux:

https://www.nwfusion.com/go2/0614bug1a.html

SuSE:

https://www.suse.com/de/security/2004_16_squid.html

Trustix:

https://www.trustix.org/errata/2004/0033

**********

More cvs patches available

A heap overflow in the CVS version control system could be exploited remotely by a malicious client, potentially to run arbitrary code on the server. For more, go to:

Debian:

https://www.debian.org/security/2004/dsa-517

Gentoo:

https://forums.gentoo.org/viewtopic.php?t=184163

Mandrake Linux:

https://www.nwfusion.com/go2/0614bug1b.html

OpenPKG:

https://www.openpkg.org/security/OpenPKG-SA-2004.027-cvs.txt

**********

Patches for subversion available

Subversion, a version control system, contains a flaw that could be exploited to cause a denial of service or to run malicious code on the affected machine. For more, go to:

Gentoo:

https://forums.gentoo.org/viewtopic.php?t=184254

OpenPKG:

https://www.openpkg.org/security/OpenPKG-SA-2004.028-subversion.txt

**********

Today’s roundup of virus alerts:

W32/Agobot-JP – An Agobot variant that spreads via weakly protected network shares and installs itself as “windns32.exe” in the Windows System directory. It uses IRC to allow backdoor access and attempts to prevent access to security-related Web sites by modifying the HOSTS file. (Sophos)

W32/Agobot-JX – Another Agobot variant that tries to infect machines already infected with a MyDoom variant. It installs itself as “wupdate.exe” in the Windows System directory and connects to an IRC server to allow backdoor access. The virus limits access to security-related Web sites by modifying the HOSTS file. (Sophos)

W32/Agobot-JT – Another Agobot variant that installs itself as “NAVAPSVC.EXE” (the name of a legitimate Norton AntiVirus service executable) in the Windows System directory. No word on how it spreads, but it does use IRC to allow backdoor access and attempts to steal application registration keys. (Sophos)

W32/Agobot-JW – Yet another Agobot variant that spreads via weakly protected network shares and installs itself in the Windows System directory as “wrtx.exe”. The virus attempts to disable a number of security-related applications that may be running on the infected machine. (Sophos)

W32/Agobot-XX – Similar to Agobot-JP, this variant also spreads via weakly protected network shares and uses IRC to allow potential backdoor access. Access to security-related sites is likewise limited by a modified HOSTS file. (Sophos)

W32/Korgo-I – A Korgo variant that spreads by exploiting the Windows LSASS vulnerability, for which a patch is available (MS04-011). The virus listens on certain TCP ports for remote commands and tries to prevent a system shutdown. (Sophos)

VBS/Pub-A – A mass-mailing worm that overwrites certain files on the infected machine and on specific dates tries to delete files on local and network-attached drives. It spreads via a message with a subject line of “RE”, no body text and a randomly named attachment. (Sophos)

W32/Rbot-AE – A virus that spreads via network shares and contains backdoor functionality accessible via IRC. It installs itself as “WINSYS.EXE” in the Windows System folder. The virus may also try to disable access to network shares. (Sophos)
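Several of the variants above share two host-level indicators: a HOSTS file rewritten so that security vendors' sites resolve to a sinkhole address, and a known file name dropped into the Windows System directory. The following triage script is an added example written for this page, not code from Sophos or any of the vendors mentioned. It parses a HOSTS file and flags any entry that pins a watched security domain (the watched-domain list is an assumption; the page does not say which sites each variant blocks), and it matches directory listings against the dropped file names the page reports. The sample HOSTS text and directory listing are constructed for the demo.

```python
import ipaddress
import re

# Assumed list of "security-related Web sites" an Agobot-style HOSTS hijack
# would target. The page does not give the exact list; extend to taste.
WATCHED_DOMAINS = {
    "www.sophos.com", "sophos.com",
    "www.symantec.com", "symantec.com", "securityresponse.symantec.com",
    "www.nai.com", "nai.com",
    "www.trendmicro.com", "trendmicro.com",
    "windowsupdate.microsoft.com",
    "www.eeye.com",
}

# File names the newsletter reports as dropped into the Windows System directory.
# NAVAPSVC.EXE is also a legitimate Norton AntiVirus service name, so a name
# match alone is a lead to verify (path, signature, hash), not a verdict.
DROPPED_NAMES = {
    "windns32.exe": "W32/Agobot-JP",
    "wupdate.exe": "W32/Agobot-JX",
    "navapsvc.exe": "W32/Agobot-JT",
    "wrtx.exe": "W32/Agobot-JW",
    "winsys.exe": "W32/Rbot-AE",
}

# address, one or more host names, optional trailing comment
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*(?:#.*)?$")


def is_sinkhole(addr: str) -> bool:
    """True if addr is loopback (127.x) or unspecified (0.0.0.0), the usual
    targets of a HOSTS-based block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def scan_hosts(text: str) -> list:
    """Return (hostname, address) pairs for watched domains pinned in HOSTS.
    A security vendor's site has no business in HOSTS at all, so any pin is
    reported; is_sinkhole() tells the caller whether it is an outright block."""
    hits = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr, names = m.group(1), m.group(2).split()
        for name in names:
            if name.lower() in WATCHED_DOMAINS:
                hits.append((name.lower(), addr))
    return hits


def scan_system_dir(filenames) -> dict:
    """Map each listed file name that matches a reported dropper name to the
    variant the page associates with it (case-insensitive, as on Windows)."""
    return {f: DROPPED_NAMES[f.lower()] for f in filenames if f.lower() in DROPPED_NAMES}


def triage(hosts_text: str, filenames) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for name, addr in scan_hosts(hosts_text):
        kind = "sinkholed" if is_sinkhole(addr) else "redirected"
        findings.append(f"HOSTS {kind}: {name} -> {addr}")
    for fname, variant in scan_system_dir(filenames).items():
        findings.append(f"dropper name present: {fname} (reported for {variant})")
    return findings


# Constructed sample input: a HOSTS file after an Agobot-style rewrite, and a
# partial System directory listing.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         windowsupdate.microsoft.com   # added by malware
10.1.2.3        intranet.example.test
"""

SAMPLE_SYSTEM_DIR = ["kernel32.dll", "windns32.exe", "NAVAPSVC.EXE", "user32.dll"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_SYSTEM_DIR):
        print(finding)
```

On a live Windows host the HOSTS file lives at %SystemRoot%\system32\drivers\etc\hosts and the directory to list is %SystemRoot%\system32; run the checks from known-clean media, since the same families disable security tools on the infected machine.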

**********

From the interesting reading department:

Switches taking on new security roles

Security innovations being built into switches are attracting attention from buyers who not long ago focused primarily on feeds and speeds. Network World, 06/14/04.

https://www.nwfusion.com/news/2004/0614switchsecurity.html?nl

Security titans intensify rivalry

Network Associates and Symantec long to be more than anti-virus vendors. The rivals want to be one-stop security shops where businesses buy everything from intrusion prevention to spam control to firewalls. Each has invested a small fortune in pursuit of this goal, yet sweeping success is guaranteed for neither. Network World, 06/14/04.

https://www.nwfusion.com/news/2004/0614antivirus.html?nl

Management Strategies: Justifying anti-spam costs

Analyzing the toll unwanted e-mail takes on productivity, bandwidth, storage and support aids your attack. Network World, 06/14/04.

https://www.nwfusion.com/careers/2004/0614man.html?nl

Security vendors tout new wares

Network Associates, Trend Micro and eEye Digital Security this week will each unveil upgraded versions of their products aimed at protecting networks from viruses, worms and other types of attacks. Network World, 06/14/04.

https://www.nwfusion.com/news/2004/0614trendnainews.html?nl

Weblog: Convincing your boss you need to test your security

The need for Security Testing by Charles Fullerton “will help C-level executives understand what Security Testing is and how the Open Source Security Testing Methodology Manual (OSSTMM) can help raise the level of security within their organization.” Network World Fusion.

https://napps.nwfusion.com/compendium/archive/005374.html?nl

ArcSight updates SIM software

ArcSight last week rolled out a bolstered version of its security information management product, which aggregates data from multi-vendor equipment, adding a way for customers to spot patterns of attacks and automate a response. Network World Fusion, 06/10/04.

https://www.nwfusion.com/news/2004/0610arcsight.html?nl