[AusNOG] AusCERT Week in Review - Week Ending 13/07/2007 (AUSCERT#20073F686)

Robert Lowe rlowe at auscert.org.au
Fri Jul 13 16:46:40 EST 2007



------- Forwarded Message

AusCERT Week in Review
13 July 2007


Greetings,

This week Microsoft released its patches for a variety of its products. The 
most notable fix was for a vulnerability in the Active Directory components of 
Windows Server 2000 and 2003. The vulnerability would allow remote code 
execution or a denial of service attack. By successfully exploiting it, the 
attacker would gain complete control of the entire forest and attached 
resources. The attacker requires valid authentication credentials for
Windows 2003 servers, but anonymous access is all that is required for Windows
2000 servers.

We also continued to see a reasonable volume of "Storm" (aka Tibs or Peacomm
[1]) emails (AL-2007.0081). The links contained in these emails would direct
users who click them to malicious web sites. These web sites would then
attempt to use some known exploits to install the actual malware on the
system. The user was also presented with the following message:

    "Your Download Should Begin Shortly. If your download does not
    start in approximately 15 seconds, you can click here to launch
    the download."

Interestingly, if the user clicked the link they would receive the malware
from the same server as the web page, downloading a file called
"patch.exe". However, if the exploits were successful, the malware would
instead be downloaded from a different URL on the same server with a filename
of "file.php".

The web sites and malware files are all hosted on infected hosts rather than
on a dedicated web server, meaning there is no central web site that can be
shut down or blocked.
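Because the page notes there is no central server to block, a defender is left with the two delivery paths themselves: an HTML lure page followed by either "patch.exe" (user clicked) or "file.php" (exploit succeeded) from the same host. The following is an added example, not AusCERT's code, that correlates those two requests per client over constructed proxy log lines (the log format, field order and RFC 5737 addresses are assumptions):

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the newsletter); the server addresses
# are RFC 5737 documentation ranges, not real infected hosts.
SAMPLE_LOG = """\
2007-07-12T09:01:10 10.0.0.5 GET http://192.0.2.10/ 200 text/html
2007-07-12T09:01:14 10.0.0.5 GET http://192.0.2.10/file.php 200 application/octet-stream
2007-07-12T09:03:02 10.0.0.7 GET http://192.0.2.11/ 200 text/html
2007-07-12T09:03:20 10.0.0.7 GET http://192.0.2.11/patch.exe 200 application/octet-stream
2007-07-12T09:05:00 10.0.0.9 GET http://198.51.100.20/index.html 200 text/html
2007-07-12T09:05:03 10.0.0.9 GET http://198.51.100.20/logo.png 200 image/png
"""

# Assumed log layout: timestamp client method url status content-type
LINE_RE = re.compile(r"^(\S+) (\S+) GET http://([^/]+)(/\S*) (\d{3}) (\S+)$")

# Payload names the newsletter reports for the two delivery paths.
PAYLOADS = {"/patch.exe": "user clicked lure link", "/file.php": "exploit succeeded"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, path, status, ctype = m.groups()
    return {"ts": ts, "client": client, "host": host, "path": path,
            "status": int(status), "ctype": ctype}


def find_storm_downloads(log_text):
    """Flag (client, host, path, reason) where a client fetched an HTML page from
    a host and then pulled one of the named payloads from that same host. The
    same-host requirement comes from the page: both the clicked binary and the
    exploit-driven download are served by the server that served the lure."""
    seen_html = defaultdict(set)   # client -> hosts that served it text/html
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if rec["ctype"].startswith("text/html"):
            seen_html[rec["client"]].add(rec["host"])
        elif rec["path"] in PAYLOADS and rec["host"] in seen_html[rec["client"]]:
            hits.append((rec["client"], rec["host"], rec["path"], PAYLOADS[rec["path"]]))
    return hits
```

Keying on the request sequence rather than on server addresses is what makes this usable against a campaign hosted on ever-changing infected machines.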


[1] Trojan.Peacomm: Building a Peer-to-Peer Botnet
http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html

Regards,
Richard Billington and Zane Jarvis

-- 
Security Analyst           |  Hotline: +61 7 3365 4417
AusCERT                    |  Fax:     +61 7 3365 7031
Australia's National CERT  |  WWW:     www.auscert.org.au
Brisbane QLD Australia     |  Email:   auscert at auscert.org.au


AusCERT in the Media:
----------------------------

.bank proposal gets lukewarm reception
Computerworld Australia, Australia 
Jul 11, 2007
http://www.computerworld.com.au/index.php/id;1058133737;fp;2;fpid;1

Storm Worm Masquerades As Phony Virus Warning
InformationWeek, NY 
Jul 10, 2007
http://www.informationweek.com/internet/showArticle.jhtml?articleID=201000483


Papers, Articles and other documents:
-------------------------------------


Alerts, Advisories and Updates:
-------------------------------
Title: AL-2007.0084 -- [Win] -- Mozilla Firefox URL protocol handling
       vulnerability 
Date:  12 July 2007
URL:   http://www.auscert.org.au/7832

Title: AL-2007.0071 -- [Win][Linux][Solaris] -- Sun Java Runtime Environment
       vulnerability allows remote compromise 
Date:  12 July 2007
URL:   http://www.auscert.org.au/7664

Title: AL-2007.0083 -- [Win] -- MS07-039 - Vulnerability in Windows Active
       Directory Could Allow Remote Code Execution 
Date:  11 July 2007
URL:   http://www.auscert.org.au/7825

Title: AL-2007.0081 -- [Win] -- High volume of email linking to the "Storm
       Worm" malware 
Date:  09 July 2007
URL:   http://www.auscert.org.au/7813


External Security Bulletins:
----------------------------
Title: ESB-2007.0528 -- [RedHat] -- Critical: flash-plugin security update 
Date:  13 July 2007
OS:    Red Hat Linux 
URL:   http://www.auscert.org.au/7850

Title: ESB-2007.0527 -- [Win][UNIX/Linux] -- MySQL Community Server 5.0.45
       released 
Date:  13 July 2007
OS:    Solaris, HP Tru64 UNIX, Debian GNU/Linux, Other BSD Variants, IRIX,
       Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other Linux Variants,
       Windows XP, Red Hat Linux, Mac OS X, HP-UX, AIX, Windows Vista 
URL:   http://www.auscert.org.au/7849

Title: ESB-2007.0526 -- [Win][UNIX/Linux] -- Moderate: perl-Net-DNS security
       update 
Date:  13 July 2007
OS:    Solaris, HP Tru64 UNIX, Windows 98/98SE, Debian GNU/Linux, Other BSD
       Variants, IRIX, Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other
       Linux Variants, Windows XP, Red Hat Linux, Windows NT 4, Mac OS X,
       HP-UX, AIX, Windows Vista, Windows ME 
URL:   http://www.auscert.org.au/7848

Title: ESB-2007.0525 -- [RedHat] -- Moderate: xorg-x11-xfs security update 
Date:  13 July 2007
OS:    Red Hat Linux 
URL:   http://www.auscert.org.au/7847

Title: ESB-2007.0524 -- [UNIX/Linux][FreeBSD] -- Errors handling corrupt tar
       files in libarchive(3) 
Date:  13 July 2007
OS:    Solaris, HP Tru64 UNIX, Debian GNU/Linux, Other BSD Variants, IRIX,
       OpenBSD, FreeBSD, Other Linux Variants, Red Hat Linux, Mac OS X, HP-UX,
       AIX 
URL:   http://www.auscert.org.au/7846

Title: ESB-2007.0523 -- [Linux][RedHat] -- Moderate: kernel security and bug
       fix update 
Date:  12 July 2007
OS:    Debian GNU/Linux, Other Linux Variants, Red Hat Linux 
URL:   http://www.auscert.org.au/7845

Title: ESB-2007.0522 -- [Win][UNIX/Linux] -- Security Vulnerability in Java
       Web Start URL Parsing Code May Allow Untrusted Applications to Elevate
       Privileges 
Date:  13 July 2007
OS:    Windows Vista, AIX, HP-UX, Red Hat Linux, Windows XP, Other Linux
       Variants, FreeBSD, Windows 2000, OpenBSD, Windows 2003, IRIX, Other BSD
       Variants, Debian GNU/Linux, HP Tru64 UNIX, Solaris 
URL:   http://www.auscert.org.au/7844

Title: ESB-2007.0521 -- [Win][UNIX/Linux] -- Java Runtime Environment Does Not
       Securely Process XSLT Stylesheets Contained in XML Signatures 
Date:  12 July 2007
OS:    HP Tru64 UNIX, Solaris, Debian GNU/Linux, Other BSD Variants, IRIX,
       Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other Linux Variants,
       Windows XP, Red Hat Linux, Mac OS X, HP-UX, AIX, Windows Vista 
URL:   http://www.auscert.org.au/7843

Title: ESB-2007.0520 -- [Win] -- Symantec AntiVirus symtdi.sys Local Privilege
       Escalation Vulnerability 
Date:  12 July 2007
OS:    Windows 2003, Windows 2000, Windows XP, Windows Vista 
URL:   http://www.auscert.org.au/7842

Title: ESB-2007.0519 -- [Solaris] -- Security Vulnerability in the rcp(1)
       Command May Allow Execution of Unintended Commands 
Date:  12 July 2007
OS:    Solaris 
URL:   http://www.auscert.org.au/7841

Title: ESB-2007.0518 -- [Win][UNIX/Linux] -- Security Vulnerability in
       Processing XSLT Stylesheets Affects Sun Java System Application Server
       and Web Server 
Date:  12 July 2007
OS:    Solaris, Debian GNU/Linux, Windows 2003, Windows 2000, Other Linux
       Variants, Windows XP, Red Hat Linux, HP-UX, Windows Vista 
URL:   http://www.auscert.org.au/7840

Title: ESB-2007.0517 -- [Win] -- Symantec Backup Exec RPC Remote Heap Overflow
       Vulnerability 
Date:  12 July 2007
OS:    Windows 2003, Windows 2000, Windows XP, Windows Vista 
URL:   http://www.auscert.org.au/7839

Title: ESB-2007.0516 -- [UNIX/Linux] -- Security Vulnerability in the Logging
       Output of Sun Java System Access Manager 
Date:  12 July 2007
OS:    Solaris, Debian GNU/Linux, Other Linux Variants, Red Hat Linux 
URL:   http://www.auscert.org.au/7838

Title: ESB-2007.0515 -- [Win][UNIX/Linux] -- Java Secure Socket Extension Does
       Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial
       of Service (DoS) Condition 
Date:  12 July 2007
OS:    HP Tru64 UNIX, Solaris, Windows 98/98SE, Debian GNU/Linux, Other BSD
       Variants, IRIX, Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other
       Linux Variants, Windows XP, Red Hat Linux, Windows NT 4, Mac OS X,
       HP-UX, AIX, Windows Vista, Windows ME 
URL:   http://www.auscert.org.au/7837

Title: ESB-2007.0514 -- [Win][OSX] -- QuickTime 7.2 
Date:  12 July 2007
OS:    Windows 98/98SE, Windows 2003, Windows 2000, Windows XP, Windows NT 4,
       Mac OS X, Windows Vista, Windows ME 
URL:   http://www.auscert.org.au/7836

Title: ESB-2007.0513 -- [Win][UNIX/Linux] -- Multiple vulnerabilities in
       SquirrelMail G/PGP Plugin 
Date:  12 July 2007
OS:    Solaris, HP Tru64 UNIX, Debian GNU/Linux, Other BSD Variants, IRIX,
       Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other Linux Variants,
       Windows XP, Red Hat Linux, Mac OS X, HP-UX, AIX, Windows Vista 
URL:   http://www.auscert.org.au/7835

Title: ESB-2007.0512 -- [Win][Linux] -- Cisco Unified Communications Manager
       Overflow Vulnerabilities 
Date:  12 July 2007
OS:    Windows 98/98SE, Debian GNU/Linux, Windows 2003, Windows 2000, Other
       Linux Variants, Windows XP, Cisco Products, Red Hat Linux, Windows NT
       4, Windows Vista, Windows ME 
URL:   http://www.auscert.org.au/7834

Title: ESB-2007.0511 -- [Win][Linux] -- Cisco Unified Communications Manager
       and Presence Server Unauthorized Access Vulnerabilities 
Date:  12 July 2007
OS:    Windows 98/98SE, Debian GNU/Linux, Windows 2003, Windows 2000, Other
       Linux Variants, Windows XP, Cisco Products, Red Hat Linux, Windows NT
       4, Windows Vista, Windows ME 
URL:   http://www.auscert.org.au/7833

Title: ESB-2007.0510 -- [HP Tru64] -- HP Tru64 UNIX Internet Express running
       Samba, Remote Arbitrary Code Execution or Local Unauthorized Privilege
       Elevation 
Date:  11 July 2007
OS:    HP Tru64 UNIX 
URL:   http://www.auscert.org.au/7831

Title: ESB-2007.0509 -- [Win][Netware][UNIX/Linux][OSX] -- Multiple
       vulnerabilities in Adobe products 
Date:  11 July 2007
OS:    Solaris, HP Tru64 UNIX, Windows 98/98SE, Debian GNU/Linux, Other BSD
       Variants, IRIX, Windows 2003, Windows CE, OpenBSD, Windows 2000,
       FreeBSD, Other Linux Variants, Windows XP, Red Hat Linux, Windows NT 4,
       Mac OS X, Novell Netware, HP-UX, AIX, Windows Vista, Windows ME 
URL:   http://www.auscert.org.au/7830

Title: ESB-2007.0508 -- [Win] -- MS07-038 - Vulnerability in Windows Vista
       Firewall Could Allow Information Disclosure 
Date:  11 July 2007
OS:    Windows Vista 
URL:   http://www.auscert.org.au/7829

Title: ESB-2007.0507 -- [Win] -- MS07-037 - Vulnerability in Microsoft Office
       Publisher 2007 Could Allow Remote Code Execution 
Date:  11 July 2007
OS:    Windows 98/98SE, Windows 2003, Windows 2000, Windows XP, Windows NT 4,
       Windows Vista, Windows ME 
URL:   http://www.auscert.org.au/7828

Title: ESB-2007.0506 -- [Win] -- MS07-041 - Vulnerability in Microsoft
       Internet Information Services Could Allow Remote Code Execution 
Date:  11 July 2007
OS:    Windows XP 
URL:   http://www.auscert.org.au/7827

Title: ESB-2007.0505 -- [Win] -- MS07-040 - Vulnerabilities in .NET Framework
       Could Allow Remote Code Execution 
Date:  11 July 2007
OS:    Windows 2003, Windows 2000, Windows XP, Windows Vista 
URL:   http://www.auscert.org.au/7826

Title: ESB-2007.0504 -- [Win] -- MS07-036 - Vulnerabilities in Microsoft Excel
       Could Allow Remote Code Execution 
Date:  11 July 2007
OS:    Windows 98/98SE, Windows 2003, Windows 2000, Windows XP, Windows NT 4,
       Windows Vista, Windows ME 
URL:   http://www.auscert.org.au/7824

Title: ESB-2007.0503 -- [AIX] -- A buffer overflow vulnerability exists in
       libodm. 
Date:  10 July 2007
OS:    AIX 
URL:   http://www.auscert.org.au/7823

Title: ESB-2007.0502 -- [Win][UNIX/Linux][Debian] -- New vlc packages fix
       arbitrary code execution 
Date:  10 July 2007
OS:    Debian GNU/Linux 
URL:   http://www.auscert.org.au/7820

Title: ESB-2007.0501 -- [Win] -- WinPcap NPF.SYS Local Privilege Escalation
       Vulnerability 
Date:  10 July 2007
OS:    Windows 2003, Windows 2000, Windows XP, Windows NT 4, Windows Vista 
URL:   http://www.auscert.org.au/7819

Title: ESB-2007.0500 -- [Win][UNIX/Linux] -- Multiple Vendor GIMP Multiple
       Integer Overflow Vulnerabilities 
Date:  10 July 2007
OS:    Solaris, HP Tru64 UNIX, Windows 98/98SE, Debian GNU/Linux, Other BSD
       Variants, IRIX, Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other
       Linux Variants, Windows XP, Red Hat Linux, Windows NT 4, HP-UX, AIX,
       Windows Vista, Windows ME 
URL:   http://www.auscert.org.au/7818

Title: ESB-2007.0499 -- [Debian] -- Multiple vulnerabilities in PHP packages
       to fix arbitrary code execution 
Date:  09 July 2007
OS:    Debian GNU/Linux 
URL:   http://www.auscert.org.au/7812

Title: ESB-2007.0370 -- [AIX] -- A vulnerability in the Perl interpreter may
       allow a local user to execute arbitrary code as another user 
Date:  12 July 2007
OS:    AIX 
URL:   http://www.auscert.org.au/7653

Title: ESB-2007.0270 -- [Solaris] -- Security Vulnerability in libX11 for
       Solaris 
Date:  13 July 2007
OS:    Solaris 
URL:   http://www.auscert.org.au/7523



===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert at auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

------- End of Forwarded Message
