• United States

WinZip flaw

Mar 08, 20044 mins

* Patches from a variety of Linux vendors, others * Beware mass-mailing worm Hiton-A * Companies take cover as worm war breaks out, and other interesting reading

Today’s bug patches and security alerts:

Flaw in WinZip

A buffer overflow vulnerability has been found in versions of WinZip prior to 9.0. This flaw affects the way certain MIME types (not ZIP) are handled by the application. An attacker could exploit this to run arbitrary commands on the affected machine. Users should upgrade to WinZip 9.0 to fix the problem. For more, go to:


DoS vulnerability found in Cisco CSS 11000

The Cisco CSS 11000 Series Content Services Switches could be susceptible to a denial-of-service attack. An attacker would have to send malformed UDP packets to the switch’s management port. For more, go to:


NetScreen warns of flaw

A cross-site scripting vulnerability has been found in NetScreen IVE running Versions 3.0 to 3.3.1. The flaw could be used to steal session cookie information and potentially run malicious scripts on the affected machine. For more, go to:


Linux vendors patch libxml2

A flaw in the way libxml2 parses remote data retrieved using FTP or HTTP could be exploited to cause a buffer overflow. This in turn could be used to run arbitrary code on the affected machine. For more, go to:


Mandrake Linux:





Overflow in Adobe Acrobat Reader 5.1

NGSSoftware is warning of a stack overflow in Adobe Acrobat Reader 5.1. The flaw is in the way files with XML Forms Data Format (XFDF) are handled. The latest version of Acrobat Reader (ver. 6.0) fixes this vulnerability. For more, go to:

NGSSoftware advisory:

Adobe downloads page:


Debian releases kernel update for arm

Several vulnerabilities in Debian’s Linux kernel 2.2.19 for ARM-based systems have been patched. For more, go to:


Trustix patches nfs-utils

A bad DNS setup could be exploited in a remote denial-of-service attack against an affected Trustix server. For more, go to:


Today’s roundup of virus alerts:

Troj/Ranck-K – A Trojan horse that sets itself up as a proxy, allowing an attacker to route HTTP traffic through the infected machine. (Sophos)

W32/Hiton-A – We mentioned this one last week, but now we have some real details. The mass-mailing worm terminates certain security-related processes on the infected machine as well as redirects HTTP requests to anti-virus sites to the local machine. (Sophos)

Troj/HacDef-100 – A backdoor Trojan that allows an unauthorized user access to most of the infected machine’s file system. (Sophos)

W32/Cissi-B – Like many recent viruses, this one attempts to spread via e-mail or network shares with weak passwords. Once it infects a target, the virus connects to an IRC server and awaits instruction. (Sophos)


From the interesting reading department:

Microsoft’s long road to security

Company makes progress, but experts and users say it still has a long way to go. Network World, 03/08/04.

Companies take cover as worm war breaks out

An Internet gang war of sorts broke out last week as the creators of two mass-mailer computer worms battled to outdo each other by releasing a dozen variants of the worms, called Bagle and Netsky, in rapid-fire fashion. Network World, 03/08/04.

Vendors set to advance security plans

Vendors are pursuing a variety of security initiatives intended to rein in the worst effects of problems such as worm attacks, which sometimes scan at ferocious speeds for vulnerable machines. Network World, 03/08/04.

Feature: Inside the DoD’s crime lab

Whenever a U.S. government agency investigating a crime or a cybercrime has digital evidence that’s too difficult to analyze, they send it to the Department of Defense computer forensics lab. Network World, 03/08/04.

White paper: Divide and Conquer

“HTTP Response Splitting” is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and an old favorite, cross-site scripting (XSS). Sanctum, 03/2004.