
TCP vulnerability uncovered

Apr 22, 2004

* Patches from Debian, Mandrake Linux, Slackware, others * Beware new Mimail variant * Task force issues more cybersecurity goals, and other interesting reading

Today’s bug patches and security alerts:

Experts warn of TCP vulnerability

Internet security experts Tuesday warned of a serious security vulnerability in TCP, a critical communications protocol used on the majority of computer networks in the world, according to an advisory from the U.K.’s National Infrastructure Security Co-Ordination Centre (NISCC). IDG News Service, 04/20/04.
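The article does not spell out the mechanism. The widely reported issue behind the April 2004 NISCC advisory is that a receiver following RFC 793 accepts a RST whenever its sequence number lands anywhere inside the receive window, so a blind attacker only has to hit one window-sized bucket rather than the exact 32-bit sequence number. The following is an added example (not code from the article, NISCC or any vendor) that puts the legacy check beside the stricter check later standardised in RFC 5961, where only an exact match resets and an in-window but inexact RST draws a challenge ACK; the window size, sequence number and attacker stride are constructed for the demonstration:

```python
"""Added example: why an in-window RST check makes blind resets cheap.

Assumptions (not taken from the page): the receiver keeps RCV.NXT and RCV.WND
as in RFC 793; the attacker knows both endpoints and ports but not the
sequence number, and sprays spoofed RSTs in window-sized strides.
"""

SEQ_SPACE = 2 ** 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rfc793_rst_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Legacy behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def hardened_rst_action(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 style: only SEG.SEQ == RCV.NXT resets; an in-window but inexact
    RST gets a challenge ACK (the real peer will re-send a RST with the right
    number, a spoofer cannot); anything out of window is dropped."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def guesses_to_cover_seq_space(rcv_wnd: int) -> int:
    """Worst-case number of spoofed RSTs needed so that one of them is
    guaranteed to fall inside a window of rcv_wnd bytes (ceiling division)."""
    return -(-SEQ_SPACE // rcv_wnd)


def blind_reset_outcome(rcv_nxt: int, rcv_wnd: int, action) -> tuple:
    """Simulate a blind attacker walking the 32-bit space in rcv_wnd strides
    from sequence 0. Returns (packets_sent, result) where result is "reset"
    if the connection died, otherwise "survived"."""
    sent = 0
    for seq in range(0, SEQ_SPACE, rcv_wnd):
        sent += 1
        if action(seq, rcv_nxt, rcv_wnd) == "reset":
            return sent, "reset"
    return sent, "survived"


if __name__ == "__main__":
    nxt, wnd = 0x12345678, 65535          # constructed connection state
    print("guesses for a 65535-byte window:", guesses_to_cover_seq_space(wnd))
    print("legacy receiver :", blind_reset_outcome(nxt, wnd, rfc793_rst_action))
    print("hardened receiver:", blind_reset_outcome(nxt, wnd, hardened_rst_action))
```

The numbers are the whole point: with a 65535-byte window the legacy receiver can be reset with at most about 65 thousand spoofed packets, a few seconds on a broadband link, whereas the hardened receiver survives the entire sweep because the attacker never lands on the exact sequence number. Large windows (window scaling) make the legacy case cheaper still, which is why the practical mitigations at the time were reducing exposure of long-lived sessions such as BGP (TCP MD5 signatures, anti-spoofing filters) rather than relying on the sequence number alone.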

CERT advisory:


Cisco warns of more critical software holes

Cisco warned its customers about two critical security holes that affect almost every product the company makes. The vulnerabilities could be used by malicious hackers to create so-called “denial-of-service” attacks, causing Cisco products to abruptly restart or drop active connections with other devices. IDG News Service, 04/21/04.

Cisco warns of hijack code for VPN gear, Network World Fusion, 04/20/04.

CERT IOS SNMP advisory:

Cisco non-IOS TCP advisory:

Cisco IOS TCP advisory:

Cisco SNMP Message Processing advisory:


More CVS patches available

A flaw in CVS, an open-source version control system widely used on Linux and other Unix-like systems, could be exploited by an attacker to overwrite arbitrary files on the affected machine. For more, go to:




Mandrake Linux, Slackware patch utempter

The utempter shared library is vulnerable to a symlink attack: an attacker who can plant a symbolic link at a path the library writes to could use it to overwrite arbitrary files. For more, go to:
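The symlink attack named above is a generic class, and the same pattern applies to the CVS item earlier on the page. As an added example that is not code from the article, from utempter or from CVS, the block below reproduces the attack against a program that writes to a predictable path, then shows the open() flags that defeat it; the directory, file names and contents are constructed for the demonstration.

```python
"""Added example: symlink attack on a predictable output path, and the fix.

Assumptions (not from the page): the "privileged writer" creates a file at a
name the attacker can guess, in a directory the attacker can also write to,
and the attacker gets there first with a symlink to a file they want clobbered.
"""
import os
import tempfile

# O_NOFOLLOW is standard on Linux/BSD/macOS; fall back to 0 elsewhere so the
# O_EXCL check still provides the protection.
_O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def naive_write(path: str, data: bytes) -> None:
    """Vulnerable pattern: open(path, 'wb') follows whatever symlink sits at
    `path`, so the write lands on the link's target."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything already
    exists at `path`, including a symlink (dangling or not), and O_NOFOLLOW
    refuses to traverse a symlink in the final component. Mode 0o600 keeps
    the new file private to the writer."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | _O_NOFOLLOW, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def run_scenario(writer) -> dict:
    """Stage the race: a victim file exists, the attacker plants a symlink at
    the predictable name, then the writer runs. Reports whether the victim
    was clobbered and which error (if any) the writer raised."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.conf")
        with open(victim, "wb") as f:
            f.write(b"original contents\n")

        planted = os.path.join(tmp, "predictable.log")   # attacker's guess
        os.symlink(victim, planted)                      # attacker wins the race

        outcome = {"victim_clobbered": False, "writer_error": None}
        try:
            writer(planted, b"owned\n")
        except OSError as exc:
            outcome["writer_error"] = type(exc).__name__
        with open(victim, "rb") as f:
            outcome["victim_clobbered"] = f.read() != b"original contents\n"
        return outcome


if __name__ == "__main__":
    print("naive:", run_scenario(naive_write))
    print("safe :", run_scenario(safe_write))
```

The caveat a practitioner wants: O_EXCL only protects the final path component. If the attacker controls a parent directory, they can still redirect the write by replacing that directory with a symlink, so the real fix for setuid or daemon code is to write only into directories that untrusted users cannot modify, or to open the directory first and use openat() relative to that descriptor.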

Mandrake Linux:



Slackware patches tcpdump

A flaw in the way Tcpdump, a network monitoring tool, handles ISAKMP could be exploited to run arbitrary code on the affected machine. For more, go to:


Red Hat releases kernel patch

A new kernel update is available from Red Hat that fixes a number of minor vulnerabilities in previous releases. For more, go to:


NetBSD patches OpenSSL

Two vulnerabilities in OpenSSL could be exploited to mount a denial-of-service attack against the affected machine. For more, go to:


Today’s roundup of virus alerts:

W32/Sdbot-CP – A worm that spreads via weakly protected network shares and uses IRC to listen for commands from a remote attacker. It also terminates security-related applications on the infected machine. (Sophos)

W32/Zafi-A – A worm that spreads via e-mail and collects URLs typed into Internet Explorer. The worm only spreads during April 2004; on May 1 it displays a message on the infected machine’s screen. (Sophos)

Troj/Loony-E – A Trojan horse that gives a remote attacker backdoor access to the infected machine via IRC. (Sophos)

W32/Agobot-ZY – Like some of its predecessors, this version of Agobot spreads via weakly protected network shares and uses IRC to allow backdoor access to the infected machine. (Sophos)

W32/Agobot-QF – Similar to Agobot-ZY above, this worm spreads via network shares, uses IRC to allow backdoor access and attempts to disable security-related applications running on the infected machine. (Sophos)

W32/Agobot-EV – A different variant of the Agobot worm. This one spreads via peer-to-peer networks and uses TCP to accept remote commands. The virus also sniffs network traffic and can be used as a denial-of-service attack drone. It also attempts to steal software keys from popular games. (Sophos)

W32/Blaster-G – A variant of the Blaster worm that attempts to exploit a Windows DCOM RPC vulnerability. The virus resets the IE start page on the infected machine. (Sophos)

Troj/DDosSmal-B – This Trojan horse is designed to run a denial-of-service attack against a remote Web site. No word on how it spreads though. (Sophos)

W32/Mimail-V – A new Mimail variant that spreads via e-mail, network shares and file sharing networks. In addition to allowing backdoor access, the virus terminates anti-virus applications and any copies of the Bagle worm running on the infected machine. (Sophos)

Netsky-V, X, Y and Z – Four new variants of the Netsky worm. All spread via e-mail and are designed to run denial-of-service attacks against specific Web sites. (Sophos, Panda Software)

MyDoom.J – Spreads via e-mail and peer-to-peer networks, exploiting a DLL used by the Bugbear.B worm. MyDoom.J opens notepad and displays junk characters on the infected machine. (Panda Software)


From the interesting reading department:

Task force issues more cybersecurity goals

IT vendors should improve default security settings in their products, a committee of the National Cyber Security Partnership Task Force (NCSP) said in a set of recommendations it has released on technical standards. IDG News Service, 04/19/04.

WS-Security receives official blessing from OASIS

Web Services Security 1.0, the foundation specification for creating a security infrastructure around Web services, officially became a standard Monday, paving the way for corporate adoption. Network World Fusion, 04/19/04.

Passwords revealed by sweet deal

More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found. BBC News, 04/20/04.

Teenager comes to Microsoft’s aid

A teenage computer whiz from Aberdeen has averted a potential crisis at software giant Microsoft. BBC News, 04/15/04.