
Apple patches Mac OS X flaws

May 06, 2004

* Patches from Apple, Debian, OpenPKG, others
* Beware latest variants of Bugbear, Netsky, Bagle, Agobot
* Server Sleuths: Securing servers, and other interesting reading

Today’s bug patches and security alerts:

Apple patches Mac OS X flaws

Apple has released a patch that fixes a couple of vulnerabilities in its Mac OS X server and client operating systems. One of the flaws in the AppleFileServer is a buffer overflow that could be exploited to gain administrative privileges on the affected machine, according to an alert from @Stake. For more, go to:

Apple advisory:

@Stake AppleFileServer advisory:


Debian, Slackware and Trustix patch rsync flaw

A vulnerability in the rsync file transfer program could be exploited to write files outside the intended directory. For more, go to:



Debian patches flim

A flaw in the way flim, an emacs library for working with Internet messages, writes temporary files could be exploited to overwrite files on the affected machine. For more, go to:

Debian releases patch for eterm

A flaw in the eterm terminal emulator for Debian could be exploited to insert and execute hidden commands without the user’s knowledge. For more, go to:


SuSE releases kernel update

SuSE has released a kernel update that fixes a number of vulnerabilities in previous releases. The flaws could be exploited for privilege elevation and in denial-of-service attacks against the affected machine. For more, go to:


Trustix update fixes flaws in libpng and proftpd

A new Trustix update fixes flaws in two packages. First, a libpng flaw could be exploited in a denial-of-service attack against the affected machine. Second, a proftpd flaw could allow access to files the user would not normally have rights to. For more, go to:


OpenPKG patches proftpd

A flaw in Version 1.2.9 of proftpd for Mandrake Linux may allow a client access to files that the user should not have access to. For more, go to:


Slackware patches sysklogd

A flaw in sysklogd could result in unallocated memory being overwritten, causing the application to crash. For more, go to:

Slackware issues libpng fix

A flaw in the way libpng creates error messages could be exploited in a denial-of-service attack. For more, go to:


SGI Advanced Linux Environment security update #19

This release includes updated RPMs for SGI ProPack v2.4 for the SGI Altix family of systems and fixes flaws in wu-ftpd, XFree86 and util-linux. For more, go to:


Today’s roundup of virus alerts:

Almost 1.5 million users download Sasser cleanup tool

Almost 1.5 million Windows customers downloaded a cleanup tool for the Sasser Internet worm in the first two days after Microsoft began offering the tool on Sunday, according to a Microsoft spokeswoman. IDG News Service, 05/04/04.

Download the cleanup tool:

Sasser infections hit Amex, others

Security experts are continuing to issue warnings about the Sasser Internet worm as organizations struggle to clean up the damage caused by infected hosts. IDG News Service, 05/04/04.

W32/Famus-A – A mass-mailing worm that spreads via a message with a subject line of “Que sabe el Pentagono sobreusted (What the Pentagon knows about you)” and an attachment called “PentagonSecret.xls.exe”. No word on any permanent damage caused, but it does send an e-mail to the virus author from the infected machine. (Sophos)

W32/Famus-C – An e-mail worm that comes with a subject line of “Famous / Famosos” and an attachment called “Famous.exe”. The virus displays a message on the infected machine. (Sophos)

W32/Bugbear-G – Another Bugbear variant that spreads via e-mail with an infected file attachment. The attachment is randomly named but will have a .pif extension. The virus terminates security-related applications running on the infected machine. (Sophos)

W32/Netsky-AC – A new Netsky variant that sends infected messages that look to be from an anti-virus vendor. The message will have the subject line “Escalation” and an attachment that ends with the extension .cpl. (Sophos)

W32/Bagle-AA – A new Bagle variant that uses a range of subject lines and attachment names to send infected files via e-mail. The virus will display the message “Can’t find a viewer associated with the file” on the infected machine when the attachment is first opened. (Sophos)

Troj/Agobot-IB – A backdoor Trojan that allows a remote user access to the infected machine. Sophos provides no information on how it spreads. (Sophos)

Troj/Agobot-HZ – Similar to Agobot-IB in capability. No word from Sophos on how it spreads. (Sophos)

W32/Agobot-VB, GZ, NA and PV – More Agobot variants that spread by exploiting network shares with weak password protection. The viruses attempt to block access to anti-virus vendor sites and provide backdoor access to attackers. (Sophos)

W32/Agobot-HD and GJ – Backdoor Trojan horses that spread via network shares with weak passwords. The viruses log into an IRC server to allow attackers access to the infected machine. (Sophos)


From the interesting reading department:

Dr. Internet: Securing IIS

We’re worried about the latest IIS exploits. Are there workarounds we can use to secure the system while we further test the patch installation on our development server? Network World, 05/03/04.

Bradner: Resetting the Internet?

I guess it was too good a story to get right. The press widely reported recently that security geek Paul Watson discovered a previously unknown way to cause catastrophic disruptions of the Internet with only a few seconds of effort. Network World, 05/03/04.

Server Sleuths: Securing servers

Securing our servers is our IT organization’s biggest concern. With new regulations concerning the protection of data and new viruses popping up almost daily, what can I do to ensure that our servers are up-to-date with the latest patches and service packs? Network World, 05/03/04.

Gibbs: Getting rid of scumware. Mostly.

The most important thing you can do about scumware is learn how your organization is being affected and keep up with the best practices for solving the problem as it evolves. Good luck, and rest assured you are going to have a job for a long time to come. Network World, 05/03/04.