
Symantec patches VPN/Firewall Appliances

Sep 30, 2004 (7 min read)

* Patches from Symantec, Gentoo, Conectiva, others
* Beware IM worm that exploits JPEG flaw
* Gov't panel: No cybersecurity mandates needed, and other interesting reading

Today’s bug patches and security alerts:

Symantec patches VPN/Firewall Appliances

Three high-risk flaws have been fixed in Symantec’s line of VPN/Firewall Appliances, all of which are remotely exploitable. The flaws could be used in a DoS attack, to identify WAN services, and potentially change firewall configuration information. For more, go to:


Bug in CA UniCenter Management Portal

Computer Associates’ UniCenter Management Portal has a “forgot password” link that could be exploited by an attacker with a script to find valid user names. This information could be the basis for a brute force attack against the system passwords. CA recommends disabling the feature. For more, go to:
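The weakness described above is the classic user-enumeration pattern: a password-reset form that answers differently for valid and invalid names. The following Python is an added illustration written for this newsletter, not code from CA or UniCenter; the user store, the two handlers and the `replies_distinguish_users` probe are all constructed for the example. It places the leaky pattern beside the uniform-response fix that removes the enumeration oracle.

```python
import secrets

# Constructed user store for this example (not CA UniCenter data).
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}

# The one reply a hardened handler returns no matter what name it is given.
GENERIC_REPLY = ("If an account with that name exists, a password reset "
                 "message has been sent to its registered address.")


def leaky_forgot_password(username, outbox):
    """Enumeration-prone pattern: the reply text differs for known and
    unknown names, so a scripted caller can harvest valid user names."""
    email = USERS.get(username)
    if email is None:
        return "No such user: " + username
    token = secrets.token_urlsafe(32)
    outbox.append((email, token))          # simulated mail delivery
    return "Reset link sent to " + email


def safe_forgot_password(username, outbox):
    """Uniform reply: the caller learns nothing about whether the name is
    valid. A token is generated on both paths so the work done is comparable
    and the reset is only ever delivered to the registered address."""
    email = USERS.get(username)
    token = secrets.token_urlsafe(32)
    if email is not None:
        outbox.append((email, token))
    return GENERIC_REPLY


def replies_distinguish_users(handler):
    """True if the handler's reply for a known name differs from its reply
    for an unknown one, i.e. the endpoint can be used to enumerate accounts.
    Useful as a regression check on any forgot-password implementation."""
    known = handler("alice", [])
    unknown = handler("nobody-" + secrets.token_hex(4), [])
    return known != unknown


if __name__ == "__main__":
    for h in (leaky_forgot_password, safe_forgot_password):
        print(h.__name__, "leaks account names:", replies_distinguish_users(h))
```

Response text is only one channel; status codes, redirects and response timing should be made uniform in the same way, and a burst of reset requests for many distinct names from one source is worth logging and rate limiting even after the fix.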


New version of Sudo available:

A new version of Sudo (1.6.8p1) is available. The release fixes a number of bugs and a security flaw that could allow an attacker to read files they wouldn’t normally have access to. For more, go to:


Gentoo patches Heimdal

According to an alert from Gentoo, “Several bugs exist in the Heimdal ftp daemon which could allow a remote attacker to gain root privileges.” For more, go to:

Gentoo patches CUPS

According to experts, an attacker can easily disable browsing in CUPS by sending a specially crafted UDP datagram to port 631 where cupsd is running. For more, go to:

Gentoo releases patch for Foomatic

A flaw in Foomatic, a system for connecting printer drivers with spooler systems, could be exploited by an attacker to take control of the system. For more, go to:


iDefense warns of flaw in Ipswitch WhatsUp Gold

A flaw in the way Ipswitch’s WhatsUp Gold handles reserved DOS names could be exploited by a remote user to crash the application. For more, go to:
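Reserved DOS device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) resolve to devices rather than files in every Windows directory, and a name such as `con.txt` still counts, which is why a service that opens user-supplied names can hang or crash on them. The Python below is an added example for this newsletter, not Ipswitch code; it shows the input validation a Windows-hosted service can apply before touching the file system. The function names and sample inputs are the author's own.

```python
import re

# Device names reserved by DOS/Windows in every directory. The check is
# case-insensitive, and Windows strips a trailing extension and trailing
# spaces/dots before matching, so 'con.txt' and 'Aux.' are reserved too.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {"COM%d" % i for i in range(1, 10)}
             | {"LPT%d" % i for i in range(1, 10)})

# Characters Windows never allows in a file name component.
_ILLEGAL = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def is_reserved_dos_name(component):
    """True if a single path component names a reserved DOS device."""
    base = component.rstrip(" .")            # 'Aux.'  -> 'Aux'
    stem = base.split(".", 1)[0].rstrip(" ") # 'con.txt' -> 'con', 'LPT1 .log' -> 'LPT1'
    return stem.upper() in _RESERVED


def validate_filename(name):
    """Accept only names a service can safely hand to the file system:
    non-empty, no separators or control characters, no trailing dots or
    spaces (Windows silently strips them), and not a device name."""
    if not name or name != name.rstrip(" ."):
        return False
    if _ILLEGAL.search(name):
        return False
    return not is_reserved_dos_name(name)


def path_has_reserved_component(path):
    """Check every component of a relative path; a device name anywhere in
    the path (e.g. 'logs\\nul\\x.txt') is just as much of a problem."""
    return any(is_reserved_dos_name(c) for c in re.split(r"[\\/]", path) if c)


if __name__ == "__main__":
    # Constructed sample inputs, as a user-supplied name might arrive.
    for sample in ("report.txt", "con.txt", "console", "COM10", "Lpt1 .log", "aux"):
        print("%-12r reserved=%-5s valid=%s" % (
            sample, is_reserved_dos_name(sample), validate_filename(sample)))
```

The same check belongs on any field that later becomes part of a path, such as a host or device label used to name a log or report file.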


Gentoo, Mandrake Linux patch XFree86

A couple of integer overflows have been found in the XFree86 application for Linux. For more, go to:


Mandrake Linux:


Conectiva patches imlib

A heap overflow error in imlib, an imaging library for X and X11, could be abused by an attacker to execute arbitrary code on the victim’s machine. For more, go to:

Conectiva releases kernel update

A missing check in the Conectiva kernel’s Discretionary Access Control in the chown system call could allow a local user to change groups. For more, go to:


Debian issues patch for wv

A buffer overflow in wv, an application that allows access to Microsoft Word files, could be exploited by an attacker to run their code of choice on the affected machine. For more, go to:


Today’s roundup of virus alerts:

Instant messaging worm exploits JPEG flaw

Security experts have spotted the first attempts to create an Internet worm that propagates using instant messages and exploits a recently disclosed flaw in Microsoft software. IDG News Service, 09/29/04.

Hackers use porn to target Microsoft JPEG hole

Malicious hackers are seeding Internet news groups that traffic in pornography with JPEG images that take advantage of a recently disclosed security hole in Microsoft’s software, according to warnings from anti-virus software companies and Internet security groups. IDG News Service, 09/28/04.

W32/Noomy-A – An e-mail virus with backdoor IRC capabilities. This virus can be used to send Spam and launch ICMP DoS attacks against Microsoft, Sophos and Kaspersky Websites. The virus uses random messages and attachment names to spread. (Sophos)

SentinelSteal – A hacking tool that can be used for keystroke logging, screen capture and blocking access to certain Websites. It uploads the information it gathers via FTP or e-mail. (Panda Software)

Bagle.BA – A new Bagle variant that spreads via e-mail entitled “photo-gallery! =)” with an attachment called “FOTO.ZIP”. It installs a keystroke logger on to the infected machine. (Panda Software)

Bagle.BB – Yet another Bagle variant that spreads via e-mail. The infected attachment is named “Joke”, “Price” or “price” with an extension of .com, .cpl, .exe or .scr. (Panda Software)

W32/Xbot-C – A new bot variant that spreads via non-secure network shares and can be accessed through an IRC channel. An attacker can use the infected machine to launch DoS attacks, execute arbitrary code on the machine and kill security-related applications. (Sophos)

W32/Forbot-AK – This Forbot variant steals game keys, IM login information, and system information details. The worm tries to delete network shares. (Sophos)

W32/Forbot-AN – Another Forbot variant that uses “sys32snd.exe” as its infection point. (Sophos)

W32/Rbot-KX – This Rbot variant installs itself as “iiexplorer.exe” after accessing the machine via network shares. It exploits a number of known Windows vulnerabilities and can be used for a variety of malicious applications. (Sophos)

W32/Rbot-LC – Another Rbot variant. This one uses the filename “microhost.exe” in the Windows System folder as its infection point. (Sophos)


From the interesting reading department:

Microsoft To Provide IE Patches for Windows XP Only

Fortunato_NC writes “Microsoft has decided that future IE updates, including those related to security, will only be available to customers using Windows XP. This article has the complete scoop. A choice quote: ‘Microsoft may be turning the lemons of its browser’s security reputation into the lemonade of a powerful upgrade selling point.’ This should provide a huge boost to Mozilla and other alternative browser backers.” Slashdot, 09/23/04.

Gov’t panel: No cybersecurity mandates needed

Now is not the time for the U.S. government to mandate cybersecurity standards to private industry, despite significant threats and a lack of understanding by many company executives, a panel of government officials said Tuesday. IDG News Service, 09/28/04.

Dr. Internet:  A more secure version of FormMail

Your recent column on FormMail left me scratching my head. Why would anyone continue to recommend this buggy, insecure and poorly written script? Network World, 09/27/04.

Nutter’s Help Desk:  How many firewalls are enough?

Management is concerned that our more sensitive servers may not be as protected as they should be. We already have one firewall protecting our Internet connection. Should we look at an additional firewall to protect the servers that management is concerned about? Network World, 09/27/04.

On Security:  Make security personal

A significant percentage of cybercrime is actually the fault of the very companies that want to protect themselves. Many companies make timid, awkward and ineffective attempts at teaching their staff about company security policies. This occurs because most corporate security policies are boring, unintelligible tomes. Ergo: No one pays attention to them. Network World, 09/27/04.

Computer Viruses Cripple Colorado DMV

Mr. Christmas Lights writes “The Denver Post has written the last three days (Tue, Wed, Thu) about how computer viruses have crippled the Colorado Department of Motor Vehicle’s computers since last Friday. This has prevented them from issuing new/renewed licenses, so they are providing 30-day extension stickers.” Slashdot, 09/23/04.