• United States

ISS patches CheckPoint VPN-1 flaw

Jul 29, 20045 mins

* Patches from Gentoo, Mandrake Linux, others * Beware MyDoom.O * E-commerce attack tops McAfee's threat ranking, and other interesting reading

Today’s bug patches and security alerts:

ISS patches CheckPoint VPN-1 ASN.1 Decoding Remote Compromise

According to an alert from ISS, “When establishing an encrypted connection to a VPN, it is possible for an attacker to trigger a buffer overflow vulnerability in an ASN.1 decoding library within the VPN-1 product.” For more, go to:


DoS in Microsoft System Management Server

SecuriTeam is reporting a denial-of-service vulnerability in the Microsoft System Management Server Remote Control. An attacker could send specially crafted packets to crash the system. For more, go to:


@Stakes warns of HP dced flaw

A flaw in the HP DCE implementation could be exploited by a remote user to run commands on the affected server with root privileges, according to a warning from @Stake. For more, including links to all the appropriate patches, go to:


Gentoo patches Opera

A bug in Opera could allow an attacker to spoof a Web site using frame injection. This has been fixed:


Mandrake Linux releases Samba fix

A buffer overflow has been found in SWAT, the Samba Web Administration Tool. This flaw could be exploited prior to a user being authenticated and could allow an attacker to take control of the affected machine. For more, go to:

Mandrake Linux issues mod_ssl update

A code review for mod_ssl found another “risky” call to the ssl_log file. A fix is available. For more, go to:

Mandrake Linux patches postgresql

A flaw in postgresql’s ODBC implementation could be exploited to crash the application accessing the database. For more, go to:

Mandrake Linux fixes webmin

A vulnerability in Webmin could allow an attacker to bypass the system’s access control list “and gain read access to configuration information for a module.” For more, go to:

Mandrake Linux patch available for XFree86

According to an alert from Mandrake Linux, “Steve Rumble discovered XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions.” For more, go to:


Today’s roundup of virus alerts:

MyDoom.O hammering search engines

Anti-virus software companies are warning e-mail users about a new version of the MyDoom e-mail worm, dubbed MyDoom.O, which is spreading on the Internet and causing slowdowns at search engines, including those run by Lycos and Google. IDG News Service, 07/26/04.

W32/Zindos-A – This is the other foot of MyDoom.O (or MyDoom.M, depending on what vendor is doing the reporting). Zindos-A uses the backdoor opened by MyDoom to infect systems. It’s used in a DDoS attack against (Sophos)

W32/Rbot-EK – A bot that exploits older viruses, Windows vulnerabilities, SQL Servers with weak passwords and network shares to spread between machines. The bot installs itself as “scvhost.exe” in the Windows System folder and allows backdoor access via IRC. It also tries to terminate certain anti-virus applications running on the infected machine. (Sophos)

W32/Rbot-EP – Exploiting network shares, this bot installs itself as “wuamgrd.exe” in the Windows System directory. It too allows backdoor access via IRC. (Sophos)

W32/Rbot-EQ – Another Rbot variant that has similar properties to Rbot-EP above. (Sophos)

W32/Spybot-CZ – A keystroke logger that looks for passwords and other sensitive information. It installs itself as “DLL32SYS.EXE” in the Windows System folder and spreads via network shares. (Sophos)

Troj/PatchLs-A — A Trojan that tries to exploit the LSASS vulnerability by injecting code into the application. Doesn’t appear to have any malicious properties at this time. (Sophos)

OF97/Toraja-I – A macro virus for Office 97 that infects Excel spreadsheets. No word on any damage caused by the infection. (Sophos)

Troj/Small-AO – A backdoor Trojan that allows remote access of the infected machine. No word on how it spreads. (Sophos)


From the interesting reading department:

The insecure state of security

The 2004 InfoWorld Security Survey shows IT managers are worried about the effectiveness of their security systems. InfoWorld, 07/26/04.

E-commerce attack tops McAfee’s threat ranking

A rivalry between the creators of the Netsky and Bagle viruses helped cause a dramatic increase in threats against home and enterprise computers in the first half of this year, but the most serious threat was Download.Ject, a Trojan that exploited a vulnerability in Microsoft’s Internet Explorer Web browser, according to McAfee. IDG News Service, 07/26/04.

DoubleClick downed by denial-of-service attack

Internet advertising company DoubleClick was shut down Tuesday by a denial-of-service attack launched from computers on the Internet, a company spokeswoman confirmed. IDG News Service, 07/27/04.

Cybersecurity experts wanted

New worries about national cybersecurity are prompting government officials to press colleges for rigorous curricula that train future cyberprotectors. PC World, 07/23/04.

eEye lifts the lid on endpoint security product

EEye Digital Security Monday announced a new endpoint security product that it says will help organizations stop attacks launched from the Internet that use previously unknown, or “zero day,” software vulnerabilities. IDG News Service, 07/26/04.