
PHP patches available

Jul 19, 2004 | 6 mins

* Patches from Conectiva, Mandrake Linux, HP, others
* Beware new Bagle variant
* Users, vendors treating healthcare patching ills, and other interesting reading

Today’s bug patches and security alerts:

PHP patches available

A flaw in the popular PHP server-side scripting language could be exploited remotely to cause a “memory_limit request termination” on the affected machine. An attacker could exploit this to take control of the machine and run any code they wanted. For more, go to:



Conectiva patches Webmin

A flaw in Webmin, a Web-based administration tool for Unix/Linux, could be exploited by an attacker to bypass authentication and gain read access rights to the module’s configuration information. For more, go to:


Conectiva, Gentoo update respective kernels

New versions of the Conectiva and Gentoo Linux kernels are available. The updates fix a number of bugs and security issues found in previous releases. For more, go to:




Mandrake Linux patches ipsec-tools

Two vulnerabilities have been found in racoon, an IPsec implementation. One could allow a remote attacker to launch a denial-of-service attack against the affected machine. Another could be exploited in a man-in-the-middle attack that’s used to create an unauthorized connection. For more, go to:

Mandrake Linux releases freeswan update

According to an alert from Mandrake Linux, “Thomas Walpuski discovered a vulnerability in the X.509 handling of super-freeswan, openswan, strongSwan, and FreeS/WAN with the X.509 patch applied. This vulnerability allows an attacker to make up their own Certificate Authority that can allow them to impersonate the identity of a valid DN. As well, another hole exists in the CA checking code that could create an endless loop in certain instances.” For more, go to:


OpenPKG issues Apache update

A flaw in the mod_ssl module for OpenPKG’s Apache implementation has been patched. For more, go to:


HP patches wu-ftpd

A flaw in the wu-ftp daemon (wu-ftpd) for HP-UX could be exploited by a local user to gain access to files they don’t have authorization to view. For more, go to:


Today’s roundup of virus alerts:

New Bagle variant seen in the wild

Anti-virus software companies late Thursday and early Friday began warning e-mail users that the persistent Bagle virus has re-emerged in a new version, Bagle.AF or Beagle.AB. IDG News Service, 07/16/04.

W32/Agobot-KS – A typical Agobot variant that allows backdoor access via IRC and spreads via network shares with weak password protection. The virus installs itself as “SYSTEMCFG.EXE” in the Windows System folder. (Sophos)

W32/Agobot-KT – Similar to Agobot-KS, except this variant tries to exploit the Windows LSASS vulnerability reported a few months ago. Installs itself as “MSAWINDOWS.EXE” in the Windows System folder. (Sophos)

W32/Agobot-KN – Like its cousins above, this Agobot variant allows backdoor access and attempts to steal user passwords. It infects the files RUNDLL.EXE or WIN.EXE in the Windows System directory. (Sophos)

W32/Agobot-KW – The same as the Agobots above in that it uses IRC and network shares to spread. It infects the file “svchosts.exe”. (Sophos)

W32/Rbot-DS – A Trojan that can be used for launching denial-of-service attacks against random targets. The virus infects network shares protected by weak passwords and infects the “CSASS.EXE” file in the Windows System directory. IRC is used to remotely control the infected machine. (Sophos)

W32/Rbot-DT – Similar to Rbot-DS above, except it infects “WINCFG32.EXE” and may also try to delete certain common network share names. (Sophos)

W32/Rbot-DY – Another Rbot variant that uses IRC as a remote control source. This variant infects the file “lmrss.exe” in the Windows System folder. (Sophos)

W32/Rbot-DP – Like other Rbot variants, W32/Rbot-DP uses network shares and IRC backdoors to spread. (Sophos)

W32/Atak-B – A mass-mailing worm with reported ties to Al-Qaeda. It infects the file “svrhost.exe”, harvests e-mail addresses from the infected machines, shuts down security applications and launches a DoS attack against It also opens a TCP port to listen for more instructions. (Sophos)

WinCE4.Dust – The first proof-of-concept virus for Windows CE devices. It doesn’t sound like it’s in the wild; it has only been passed on to the anti-virus companies. (BitDefender, Sophos)


From the interesting reading department:

Microsoft releases Remove Hidden Data 1.1

A new version of the Remove Hidden Data tool is now available from Microsoft. The tool strips comments, tracked changes and other hidden items that may be in an Office document.

Users, vendors treating healthcare patching ills

There continues to be plenty of finger-pointing over who should fix the broken process for patching Windows-based patient-care systems, but some users and vendors are at least trying to deal with the problem directly. Network World, 07/19/04.

Review: Security event management software

NetIQ’s Security Manager 5.0 does an impressive job sorting through security. Network World, 07/19/04.

Aventail goes small with SSL VPN appliance

Aventail is wheeling out a scaled-down, less-expensive version of its Secure Sockets Layer VPN security. Network World, 07/19/04.

Marriage of components called key to security

Regulatory and security pressures are fueling a rush to turn directory, identity and other network infrastructure services into components that provide a reusable security layer as part of a service-oriented architecture. Network World, 07/19/04.

IPass beefing up policy enforcement

Global service provider iPass is introducing security features this week aimed at enforcing the corporate security policies of its customers. Network World, 07/19/04.

Hacker source code shop closes its doors

An online shop that was selling the source code for two computer programs has abruptly suspended its operations, citing a “redesign” of its “business model.” IDG News Service, 07/15/04.

Secure Computing rejects CyberGuard takeover bid

Network security firm Secure Computing has rejected an unsolicited buyout bid from rival CyberGuard, saying it did not believe it was in the best interest of shareholders. IDG News Service, 07/16/04.