• United States

Flaws in WinZip

Sep 06, 20046 mins

* An assortment of advisories for Gentoo Linux * Beware Bagle and Rbot variants * Someone to watch over the 'Net, and other interesting reading

Today’s bug patches and security alerts:

Flaws in WinZip

A number of buffer overflows have been found in WinZip, the popular compression software for Windows. One could exploit the flaws to run arbitrary code on the affected machine. Users can protect themselves by downloading WinZip Version 9.0 SR-1:


NGSSoftware warns of flaws in IBM DB2

NGSSoftware released an alert saying they’ve found multiple flaws in IBM DB2, but have withheld the details until December 1st to give system administrators time install the available patches. Sounds like the clock is ticking.

NGSSoftware advisory:

IBM patches:

DB2 8.1:

DB2 v7.x:


CERT issues advisory for MIT Kerberos 5

As we reported last week, a couple of vulnerabilities have been found in the MIT Kerberos 5 code. One flaw could be exploited to run code on an affected system, the other in a denial-of-service attack. CERT has issued a warning and more vendors have released related updates:

CERT advisory:


Mandrake Linux:



Gentoo fixes

We’ve collected an assortment of advisories for Gentoo Linux and we present them here in condensed format:

Multi-gnome-terminal – An active keystroke logger could allow a local user to view password information:

Ruby – When Ruby is used for CGI scripting it may create certain temporary files in a non-secure manner:

XV – A buffer overflow has been found in the image handler:

Mozilla, Firefox, Thunderbird, Galeon, Epiphany – New versions of these Mozilla-based browsers fix a buffer overflow that was found in previous releases:

Squid – A denial-of-service vulnerability has been found and patched:

Gallery – The image upload handling code does not properly deal with temporary files and could be exploited to run arbitrary code:

eGroupWare – Multiple cross-scripting vulnerabilities have been found:

Python 2.2 – A buffer overflow has been found in the getaddrinfo() function (only affects those running IPv6):

vpopmail – A number of vulnerabilities have been found, including one that could allow for SQL injection:

MySQL – The mysqlhotcopy utility creates poorly protected temporary files that could be exploited in a symlink attack:

MoinMoin – An anonymous user could bypass the Access Control List:

kdelibs – The cookie manager component is vulnerable to data injection:

Cacti – There’s a potential for an attacker to be able to change passwords via a SQL injection:

courier-imap – A format string vulnerability has been discovered:

xine-lib – “xine-lib contains an exploitable buffer overflow in the VCD handling code,” according to Gentoo:

glibc – An information leak vulnerability has been uncovered:

Tomcat – “Improper file ownership may allow a member of the tomcat group to execute scripts as root,” according to Gentoo:

GV – A buffer overflow could be exploited by an attack to run any code on the affected machine:

Horde-IMP – An input validation vulnerability has been found:

Nessus – A race condition could be exploited to gain elevated privileges:


Today’s roundup of virus alerts:

W32/Bagle-AT – Typical of many Bagle variants, this version spreads via e-mail (subject line of “foto” and attachment called “”) and shared folders using a number of file names. It also drops a Trojan Horse application on the infected machine. (Sophos)

W32/Rbot-HT – This Rbot variant spreads via network shares, using random filenames as its infection point. It allows backdoor access via IRC. (Sophos)

W32/Rbot-MG – Very similar to Rbot-HT, except it uses the file name “WINu32.EXE” when it infects a system. (Sophos)

W32/Rbot-HU – Another run-of-the-mill Rbot variant. This one uses “servicz.exe” when it infects a machine. (Sophos)

W32/Rbot-KO – Same as the above listed Rbot variants with the only exception being the infected file: slserv32.exe. (Sophos)

W32/Rbot-IA – Of the Rbot variants we’ve covered so far, this is the most malicious. While it spreads via network shares (infecting “winxp43.exe”) and uses IRC for backdoor access, it can also be used a proxy, spam relay, FTP server and more. (Sophos)

W32/Forbot-M – This worm spreads via network shares, attempting to exploit the Windows LSASS vulnerability. It installs itself as “winusb32.exe” in the Windows System folder and tries to terminate security-related applications on the infected machine. (Sophos)


From the interesting reading department:

Someone to watch over the ‘Net

A behind-the-scenes look as the Internet Storm Center’s Johannes Ullrich battles the MyDoom-O virus. Network World, 09/06/04.

Research center plugs physical security into its network

Keeping its huge data center humming is vital at NASA Ames Research Center, where 4,000 scientists are working on aeronautics and biotechnology projects. When a new custom-built air conditioning system couldn’t keep the research outfit’s network equipment at the right temperature, it was the IT department’s equivalent of a space mission gone wrong. Network World, 09/06/04.

Celestix improves all-in-one security packages

Celestix Networks this week is introducing a security appliance built on Microsoft’s Internet Security and Acceleration Server 2004 that is designed to give users firewall, VPN and Web caching capabilities in one box. Network World, 09/06/04.

Infonet VPN service to exploit the ‘Net

Infonet Services next week will announce a low-cost, managed VPN service that uses the popular Multi-protocol Label Switching protocol and rides over the Internet. Network World, 09/06/04.

New York presents wireless security challenge for RNC

Transportation Security Administration security checkpoints, hundreds of Secret Service agents, thousands of police on foot, horses and motorcycles, city blocks barricaded by dump trucks filled with tons of sand and an invisible wireless back door that is virtually impossible to monitor and control. That was a snapshot of the security situation at this week’s Republican National Convention (RNC) at New York’s Madison Square Garden. Computerworld, 09/02/04.