
New IE patch

Jul 05, 2004

* Patches from Microsoft, Cisco, Gentoo, others
* Beware Trojan targeting user's financial information
* Microsoft, under attack, aims to offer security, and other interesting reading

Today’s bug patches and security alerts:

New IE patch disables ADODB.Stream ActiveX control

The ADODB.Stream ActiveX control may be exploited so that malicious scripts served from a remote domain run in the Local Machine zone, effectively giving the attacker access to the affected machine. For more, go to:

CERT advisory:

Microsoft advisory:
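A defender-side check, added here and not part of the original article: it reports whether Internet Explorer's kill bit is set for the ADODB.Stream control, which is the mechanism the update described above uses to disable it. The CLSID and the 0x400 flag value come from Microsoft's ActiveX Compatibility registry mechanism, not from this item.

```powershell
# Added example (not from the original article): report whether IE's
# "kill bit" is set for the ADODB.Stream ActiveX control.
# Assumptions: the CLSID below is the one registered for ADODB.Stream and
# 0x400 is the Compatibility Flags kill-bit value; both come from Microsoft's
# ActiveX Compatibility mechanism, not from this article.

$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBitFlag      = 0x400

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # Per-CLSID compatibility flags live under this IE key on 32-bit views.
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = 0
    if (Test-Path $compatKey) {
        $value = Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($value) { $flags = [int]$value.'Compatibility Flags' }
    }

    # Resolve the ProgID so the report names the control, not just its CLSID.
    $progId = $null
    $progIdKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\ProgID"
    if (Test-Path $progIdKey) {
        $progId = (Get-ItemProperty -Path $progIdKey).'(default)'
    }

    [pscustomobject]@{
        Clsid      = $Clsid
        ProgId     = $progId
        Registered = (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid")
        Flags      = ('0x{0:X}' -f $flags)
        KillBitSet = (($flags -band $KillBitFlag) -ne 0)
    }
}

$result = Test-ActiveXKillBit -Clsid $AdodbStreamClsid
$result | Format-List
if ($result.Registered -and -not $result.KillBitSet) {
    Write-Warning "ADODB.Stream is registered and has no kill bit; IE can still script it."
}
```

Run it in an elevated session on the machine under review; an unregistered control or a set kill bit both mean IE can no longer instantiate it.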


Cisco patches Cisco Collaboration Server

An advisory from Cisco warns, “Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with ServletExec versions that are vulnerable to attack where unauthorized users can upload any file and gain administrative privileges.” For more, go to:


Gentoo, Mandrake Linux patch Apache2 denial-of-service vulnerability

A flaw in the Apache2 Web server software could result in the httpd process consuming all of the system memory, resulting in a denial of service. For more, go to:


Mandrake Linux:


Mandrake Linux releases Apache update

A buffer overflow in the Apache mod_proxy module could be exploited by a remote user to run arbitrary code on the affected server. This affects only Apache servers that have mod_proxy enabled. For more, go to:

Mandrake Linux updates libpng

According to an alert from Mandrake Linux, “A buffer overflow vulnerability was discovered in libpng due to a wrong calculation of some loop offset values. This buffer overflow can lead to denial-of-service or even remote compromise.” For more, go to:


FreeBSD patches Linux binary compatibility module

The Linux binary compatibility module, which lets FreeBSD run Linux executables, contains an input validation error that could allow a local attacker to overwrite kernel memory and cause a system panic. For more, go to:


nCipher warns of netHSM pass phrase vulnerability

nCipher is warning customers: “Pass phrases entered by means of the nCipher netHSM front panel, either using the built in thumbwheel or using a directly attached keyboard, are exposed in the netHSM system log.” For more, go to:


SuSE releases kernel update

A new kernel update from SuSE fixes a number of vulnerabilities found in previous releases. The most serious of the flaws could be exploited by a local user to gain root privileges. For more, go to:


Today’s roundup of virus alerts:

Trojan targets user’s financial information

The Trojan horse file poses as an image file named “img1big.gif” but is actually an executable that installs a malicious add-on to Microsoft’s Internet Explorer browser. The add-on, known as a BHO, or browser helper object, then monitors for and records outbound data to the Web sites of several dozen financial institutions, according to an analysis posted on the SANS Institute’s Internet Storm Center Web site. IDG News Service, 06/30/04.

W32/Rbot-CA – Like many of its predecessors, this Rbot variant spreads via network shares and uses IRC to allow backdoor access to the infected machine. Rbot-CA uses a random filename and hides itself in the Windows System directory. (Sophos)

W32/Rbot-CC – This Rbot variant uses the name “goawv.exe” as its infection point in the Windows System directory. IRC is used to allow backdoor access to the infected machine. (Sophos)

W32/Rbot-CG – Similar to Rbot-CC except this variant uses an infected file called “USWTME.EXE”. (Sophos)

W32/Spybot-CW – A virus that spreads via peer-to-peer networks, mostly Kazaa. It installs itself in the Windows System directory as “Navapsvcc.exe” and allows backdoor access via IRC. (Sophos)

W32/Agobot-KE – Another virus that spreads via network shares with weak passwords. Agobot-KE installs itself as “VDISP.EXE” in the Windows System directory, disables security-related applications and blocks access to security-related Web sites. (Sophos)

W32/Agobot-KG – This Agobot variant spreads via network shares and uses the filename “ASP-SRVC.EXE” to infect the Windows System folder. In addition to providing backdoor access via IRC, the virus also terminates security-related applications and may harvest e-mail addresses from the infected machine. (Sophos)

W32/Sdbot-JF – A new Sdbot variant that spreads via weakly protected network shares and installs itself in the Windows System directory as “AOLMSNGR.EXE”. The virus provides backdoor access through an IRC channel, terminates security-related applications and may try to delete network shares. (Sophos)

W32/Sdbot-JG – This Sdbot variant uses the same methods as Sdbot-JF to spread, installing itself as “MSEXPLORE.EXE” in the Windows System folder. The added wrinkle is that it tries to steal CD keys for popular games. (Sophos)

W32/Sdbot-JP – Very similar to Sdbot-JG, with the added twist of a keystroke logger. (Sophos)

W32/Lovgate-AD – A multifaceted worm that spreads via e-mail, network shares and peer-to-peer networks. The virus overwrites .exe files with copies of itself and adds the extension .ZMX. It also allows backdoor access through specific ports. (Sophos)


From the interesting reading department:

Rx for patching mired in red tape

The epidemic of Windows-based worms and viruses in the past year has put hospital IT administrators on high alert to protect patient-care systems that have become reliant on Microsoft operating systems. Network World, 07/05/04.

Microsoft, under attack, aims to offer security

Two and a half years after launching its Trustworthy Computing initiative, Microsoft is finding its products the target of escalating attacks, to the extent that some security experts are even warning that the company’s Internet Explorer browser is simply not safe to use. IDG News Service, 07/05/04.

Network Associates changes name back to McAfee

McAfee is McAfee once again. After a seven-year stint doing business under the name Network Associates Inc., the company formerly known as McAfee Associates Inc. has readopted its founder’s name and will be known as McAfee Inc., effective Wednesday. IDG News Service, 07/01/04.