Flaw in Eudora

Enterprise Security Technology Tour

Keynote: Joel Snyder, NW Lab Alliance member and senior partner at Opus One

Unfortunately, network security has become a costly catch-22. Just when the stakes to your enterprise are highest, you’re flooded with waves of security technology that are hard to evaluate fully, integrate properly, or deploy effectively. The typically “safe” response is to over-spend and over-build simply because you’re overwhelmed not just with what to buy, but how to buy, when to buy, and why to buy. Find out what you need to know

at the “Enterprise Security: Failsafe Architecture” event.

https://www.nwfusion.com/events/security/index.html

Today’s bug patches and security alerts:

Eudora vulnerability

A buffer overflow in the popular Eudora e-mail client could be exploited to run arbitrary code on the affected machine. The overflow can be exploited by embedding a “file://” link of 300 or more characters in a message. For more, go to:

https://www.securitytracker.com/alerts/2004/May/1010088.html

**********

April shower of Microsoft vulnerabilities ends in May

April showers brought May flowers, at least that appears to be the story from Microsoft on the issue of software security vulnerabilities. IDG News Service, 05/11/04.

https://www.nwfusion.com/news/2004/0511aprilshowe.html?nl

Microsoft bulletin:

https://www.microsoft.com/technet/security/bulletin/ms04-015.mspx

**********

Flaw in McAfee ePolicy Orchestrator

ISS is warning of a vulnerability in McAfee ePolicy Orchestrator. The flaw could be exploited to gain Administrator privileges on an affected ePolicy Orchestrator server. For more, go to:

https://xforce.iss.net/xforce/alerts/id/173

**********

More Apache fixes

A denial-of-service vulnerability has been found in various Apache Web server implementations. The flaw is in the way SSL connections are handled. For more, go to:

Mandrake Linux:

https://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:043

OpenPKG:

https://www.openpkg.org/security/OpenPKG-SA-2004.021-apache.html

**********

Mandrake Linux patches rsync

According to an alert from Mandrake Linux, “Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, allows remote attackers to write files outside of the module’s path.” For more, go to:

https://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:042

**********

Debian patches exim

Two stack-based buffer overflow vulnerabilities in Debian’s exim implementation has been patched. For more, go to:

https://www.debian.org/security/2004/dsa-502

**********

Today’s roundup of virus alerts:

Yet another Sasser worm appears

A new version of the Sasser Internet worm, Sasser-F, appeared on Monday, despite claims by German authorities to have arrested the sole author of that worm on Friday. IDG News Service, 05/11/04.

https://www.nwfusion.com/news/2004/0511yetanother.html?nl

W32/Agobot-JO – Another Agobot version that uses IRC to give attackers backdoor access to the infected machine and attempts to steal passwords. It also tried to prevent access to anti-virus sites. (Sophos)

W32/Agobot-IJ – Similar to Agobot-JO, this variant also attempts to provide unauthorized access to the infected machine via IRC channels. It also terminates certain anti-virus related applications. (Sophos)

W32/Agobot-QA – Another Agobot version that uses an IRC connection to provide backdoor access to the infected machine. This  version spreads via network shares and potentially e-mail. (Sophos)

W32/Agobot-LI – Same properties as Agobot-QA above with the additional ability to launch denial-of-service attacks against remote sites. (Sophos)

Troj/Adtoda-A – A Trojan that displays a message beginning with “Setup was not able to continue the installation.” After the user clicks “OK” twice, the machine is infected. The machine will freeze and need to be rebooted. (Sophos)

W32/Rbot-I – This virus spreads via weakly protected network shares and uses IRC to allow third party users to gain unauthorized access to the infected machine. The virus also attempts to delete certain network shares on the infected machine. (Sophos)

W32/Wallon-A – An e-mail “worm” that spreads as a fake link that directs users to drs.yahoo.com//NEWS and attempts to download malware to the target machine. (Sophos)

**********

From the interesting reading department:

Sasser worm exposes patching failures

Organizations that evaded last week’s Sasser worm infestation credited vigilant patching processes and preventative measures such as installing server-based behavior-blocking software and worm filtering gateways. Network World, 05/10/04.

https://www.nwfusion.com/news/2004/0510sasser.html?nl

Testers drill down on SIP, 802.1X security and MPLS

An exclusive preview of the cutting-edge interoperability testing that will be showcased this week at NetWorld+Interop. Network World, 05/10/04.

https://www.nwfusion.com/research/2004/0510ilabs.html?nl

Start-up aims to shut down denial-of-service hits

Start-up IntruGuard Devices will use the NetWorld+Interop show this week to launch rate-based equipment designed to protect servers from denial-of-service attacks. Network World, 05/10/04.

https://www.nwfusion.com/news/2004/0510intruguard.html?nl

N+I spotlights security and apps management

A mix of new and established companies this week will use NetWorld+Interop Las Vegas 2004 to launch a slew of management products, many aimed at helping businesses safeguard networks and applications against worms or other attacks. Network World, 05/10/04.

https://www.nwfusion.com/news/2004/0510mgmtnews.html?nl

RSA adds federated ID mgmt.

RSA Security last week announced Federated Identity Manager, Java-based server software that can be used to exchange recognized “trust identities” among businesses to provide authentication and authorization for customers and employees. Network World, 05/10/04.

https://www.nwfusion.com/news/2004/0510rsa.html?nl

Sasser, Phatbot arrests coordinated, but not linked

A 21-year-old German man was arrested and has admitted to creating the ubiquitous and dangerous Trojan horse programs Agobot and Phatbot, but is not connected to the German author of the Sasser Internet worm, a police spokesman said. IDG News Service, 05/10/04.

https://www.nwfusion.com/news/2004/0510sasserphat.html?nl

Despite arrest, new variant of Sasser worm appears

Despite the arrest Friday of the suspected author of the Sasser worm which affected millions of computers worldwide last week, a new variant of the worm appeared Sunday, according to computer security organizations. IDG News Service, 05/10/04.

https://www.nwfusion.com/news/2004/0510despiarres.html?nl

Symantec does mail gateway security

Symantec Monday plans to announce an update to its Mail Security for Simple Mail Transfer Protocol product that offers new features for cleaning up after mass mailing worms and identifying trusted mail domains, as well as improved capabilities for detecting unsolicited commercial (spam) e-mail messages. IDG News Service, 05/10/04.

https://www.nwfusion.com/news/2004/0510symandoes.html?nl