
Surprise! Holes in XP SP2

Aug 19, 2004

* Patches from Gentoo, SGI, others
* Beware new Trojans
* Symantec releases patching tool, and other interesting reading

Today’s bug patches and security alerts:

Researchers find holes in XP SP2

Security researchers inspecting an update to Microsoft’s Windows XP found two software flaws that could allow virus writers and malicious hackers to sidestep new security features in the operating system. You just knew this was coming. IDG News Service, 08/18/04.


Cisco IOS: Malformed OSPF packet causes reload

According to a Cisco advisory, “A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default. The vulnerability is only present in Cisco IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines, and all Cisco IOS images prior to 12.0 are not affected.” For more, go to:


Two vulnerabilities in KDE

Two flaws have been found in KDE, a graphical user environment for Linux. Both flaws have to do with the way temporary files are created by different processes. These files are not created in a secure manner and could be exploited to gain elevated privileges on the affected machine. For more, go to:



Flaw in Acrobat ActiveX control

A flaw in the pdf.ocx Acrobat control could be exploited by an attacker in a denial-of-service attack or to take control of the affected machine. The iDefense advisory says Version is impacted the most, with Version 6.0.2 less affected. For more, go to:


Gentoo patch for Acroread:


Vendors patch rsync

A vulnerability in rsync could be exploited to read and write files outside the intended path. For more, go to:



Mandrake Linux:




Mandrake Linux patches Mozilla

A Mozilla update for Mandrake Linux 10 includes a number of security fixes for problems found in previous releases. For more, go to:


SGI updates Advanced Linux Environment 2.4

A comprehensive patch for SGI’s Advanced Linux Environment 2.4 fixes flaws in Ethereal, VFS, glibc, libpng and mozilla. The update is available from:

SGI releases update for Advanced Linux Environment 3

This update includes fixes for Ethereal, VFS, libpng, mozilla, ipsec-tools and sox. For more, go to:


Today’s roundup of virus alerts:

W32/MyDoom-S — Another MyDoom variant that uses e-mail as its primary vehicle to spread. The infected e-mail comes with an attachment named “photos_arc.exe”. (Sophos)

W32/Apribot-C — A bot that spreads via network shares and can be used as a spam relay or launching point for other attacks. The virus uses random file names for its infection point and allows backdoor access via IRC. It also tries to limit access to anti-virus sites by modifying the Windows HOSTS file. (Sophos)

Troj/Padodo-Fam — A family of worms that are used for stealing passwords and providing backdoor access to infected machines. The worm can provide proxy access via random ports as well. (Sophos)

Troj/Bdoor-CHR — This Trojan installs itself as “dx32hhlp.exe” in the Windows System folder and can accept commands via IRC. It also attempts to limit access to anti-virus Web sites. (Sophos)

Troj/Daemoni-G — This malicious piece of code “is a proxy Trojan that allows a remote intruder to route internet traffic through the infected computer,” according to Sophos. (Sophos)

Troj/ProxDrop-A — Further proof that the majority of new worms are designed to make some money (illegally): This is another Trojan that acts as a proxy to help direct and obfuscate illegal Web traffic. It installs itself in the Windows System folder as “SUCHOSTP.EXE” and “SUCHOSTS.EXE”. (Sophos)

W32/Rbot-GF — Yet another Rbot variant that spreads via network shares and allows backdoor access via IRC. It installs itself as “wuagrd.exe” in the Windows System directory and can be used to record keystrokes and steal CD activation keys for popular games. (Sophos)

Troj/Winflux-B — Another Trojan that can turn the infected machine into a relay for any number of activities. The virus uses random file names to infect the machine and allows backdoor access via IRC. (Sophos)
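Two of the entries above (W32/Apribot-C and Troj/Bdoor-CHR) block anti-virus sites by editing the Windows HOSTS file. The following added example, not from Sophos or the original newsletter, shows one way a defender can check a HOSTS file for that tampering: it parses the file and flags any entry that maps a watched security-vendor domain to loopback or 0.0.0.0. The watch list and the sample file contents are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a HOSTS file after a malware edit: one legitimate
# loopback entry, then security-vendor hostnames pointed at sinkhole addresses.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       update.symantec.com   # trailing comment
0.0.0.0         download.mcafee.com
192.168.1.10    intranet.example.local
"""

# Hypothetical watch list of vendor domains (an assumption, not from the page).
WATCHED_DOMAINS = ("sophos.com", "symantec.com", "mcafee.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True if the address would stop the real host from being reached."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_blocked_vendors(text, watched=WATCHED_DOMAINS):
    """Return entries that map a watched domain or subdomain to a sinkhole address."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the normal loopback entry is expected
        if is_sinkhole(ip) and any(name == d or name.endswith("." + d) for d in watched):
            hits.append((ip, name))
    return hits
```

On a live Windows machine the file to read is %SystemRoot%\System32\drivers\etc\hosts; any hit is worth comparing against the entries in the "Windows System folder" named in the Sophos descriptions.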


From the interesting reading department:

Symantec releases patching tool

Security company Symantec Monday plans to announce the release of a patch management product that it says will enable small and midsized businesses to stay on top of software vulnerabilities. IDG News Service, 08/16/04.

McAfee to buy Foundstone for $86 million

Anti-virus software company McAfee Monday said it is buying Foundstone, which makes software for detecting and managing software vulnerabilities, for $86 million in cash. IDG News Service, 08/16/04.

Opinion: A matter of life and death

We need vendors to step up, the FDA to apply more pressure to get this resolved, and the finger-pointing to be replaced by collaborative effort. Network World, 08/16/04.

Opinion: Security today means playing ‘defense-in-depth’

Network managers should reassess their security architectures in the overall context of “information stewardship” – and enabling defense-in-depth is a great first step. Network World, 08/16/04.

Opinion: Problem with old e-mail server

We’re having difficulty with an open relay on the e-mail server and mail is being rejected by several recipients to avoid spamming. I’m unable to find a setting on the server that might close the relay. Network World, 08/16/04.

Opinion: USB wireless and security adapters

As more opportunities come up for mobile workers to access corporate networks without actually having to carry a laptop, so will the opportunities for people to take advantage of that access. Internet kiosks and other computers being made convenient for workers are great, but Web browsing and e-mail checking have a way of leaving leftover data that the bad guys can exploit. A KeyPoint device solves these issues, and can help ease IT fears about having unprotected data being in the mobile computing wilderness. Network World, 08/16/04.