[AusNOG] AusCERT Week in Review - Week Ending 13/07/2007 (AUSCERT#20073F686)
Robert Lowe
rlowe at auscert.org.au
Fri Jul 13 16:46:40 EST 2007
------- Forwarded Message
AusCERT Week in Review
13 July 2007
Greetings,
This week Microsoft released its patches for a variety of its products. The
most notable fix was for a vulnerability in the Active Directory components of
Windows Server 2000 and 2003. The vulnerability would allow remote code
execution or a denial of service attack. By successfully exploiting this, the
attacker would have complete control of the entire forest and attached
resources. The attacker requires valid authentication credentials for
Windows 2003 servers, but anonymous access is all that is required for Windows
2000 servers.
We also continued to see a reasonable volume of "Storm" (aka Tibs or Peacomm
[1]) emails (AL-2007.0081). The links contained in these emails would direct
users who click them to malicious web sites. These web sites would then
attempt to use some known exploits to install the actual malware on the
system. The user was also presented with the following message:
"Your Download Should Begin Shortly. If your download does not
start in approximately 15 seconds, you can click here to launch
the download."
Interestingly, if the user clicked the link they would receive the malware
from the same server as the web page and would download a file called
"patch.exe". However, if the exploits were successful then the malware would
be downloaded from a different URL on the same server with a filename of
"file.php".
The web sites and malware files are all hosted on infected hosts rather than
a web server, meaning there is no central web site that can be shut down or
blocked.
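As an added illustration (not part of the AusCERT alert), the following Python scans proxy log lines for the two delivery paths described above: the user-clicked "patch.exe" and the exploit-delivered "file.php". It assumes squid-style log lines and treats an IP-literal host as higher severity, on the assumption that infected hosts serving the pages would appear as bare IP addresses rather than registered domains; the log lines and addresses are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed squid-style proxy log lines (timestamp, client, status, method, URL).
# These are made up for the example; the addresses are documentation ranges.
SAMPLE_LOG = """\
1184300000.123 10.0.0.15 TCP_MISS/200 GET http://203.0.113.77/
1184300015.456 10.0.0.15 TCP_MISS/200 GET http://203.0.113.77/patch.exe
1184300020.789 10.0.0.22 TCP_MISS/200 GET http://198.51.100.9/file.php
1184300030.001 10.0.0.31 TCP_MISS/200 GET http://www.example.com/downloads/patch.exe
1184300040.222 10.0.0.40 TCP_HIT/200 GET http://www.example.com/index.html
"""

# The two delivery paths named in the alert and what each one indicates.
SUSPECT_FILENAMES = {
    "patch.exe": "user-clicked download of the Storm binary",
    "file.php": "exploit-delivered download of the Storm binary",
}


def classify_request(url):
    """Return (severity, reason) if the URL matches the Storm delivery pattern, else None.

    Assumption (not from the alert): an IP-literal host suggests an infected host
    rather than a registered web server, so it is rated 'high'; a domain host
    with the same filename is rated 'review' for an analyst to look at.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename not in SUSPECT_FILENAMES:
        return None
    try:
        ipaddress.ip_address(host)
        severity = "high"
    except ValueError:
        severity = "review"
    return severity, f"{SUSPECT_FILENAMES[filename]} from host {host}"


def scan_proxy_log(text):
    """Return a list of (client, url, severity, reason) for each matching log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        client, url = fields[1], fields[4]
        result = classify_request(url)
        if result:
            hits.append((client, url) + result)
    return hits
```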
[1] Trojan.Peacomm: Building a Peer-to-Peer Botnet
http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
Regards,
Richard Billington and Zane Jarvis
--
Security Analyst | Hotline: +61 7 3365 4417
AusCERT | Fax: +61 7 3365 7031
Australia's National CERT | WWW: www.auscert.org.au
Brisbane QLD Australia | Email: auscert at auscert.org.au
AusCERT in the Media:
----------------------------
.bank proposal gets lukewarm reception
Computerworld Australia, Australia
Jul 11, 2007
http://www.computerworld.com.au/index.php/id;1058133737;fp;2;fpid;1
Storm Worm Masquerades As Phony Virus Warning
InformationWeek, NY
Jul 10, 2007
http://www.informationweek.com/internet/showArticle.jhtml?articleID=201000483
Papers, Articles and other documents:
-------------------------------------
Alerts, Advisories and Updates:
-------------------------------
Title: AL-2007.0084 -- [Win] -- Mozilla Firefox URL protocol handling
vulnerability
Date: 12 July 2007
URL: http://www.auscert.org.au/7832
Title: AL-2007.0071 -- [Win][Linux][Solaris] -- Sun Java Runtime Environment
vulnerability allows remote compromise
Date: 12 July 2007
URL: http://www.auscert.org.au/7664
Title: AL-2007.0083 -- [Win] -- MS07-039 - Vulnerability in Windows Active
Directory Could Allow Remote Code Execution
Date: 11 July 2007
URL: http://www.auscert.org.au/7825
Title: AL-2007.0081 -- [Win] -- High volume of email linking to the "Storm
Worm" malware
Date: 09 July 2007
URL: http://www.auscert.org.au/7813
External Security Bulletins:
----------------------------
Title: ESB-2007.0528 -- [RedHat] -- Critical: flash-plugin security update
Date: 13 July 2007
OS: Red Hat Linux
URL: http://www.auscert.org.au/7850
Title: ESB-2007.0527 -- [Win][UNIX/Linux] -- MySQL Community Server 5.0.45
released
Date: 13 July 2007
OS: Solaris, HP Tru64 UNIX, Debian GNU/Linux, Other BSD Variants, IRIX,
Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other Linux Variants,
Windows XP, Red Hat Linux, Mac OS X, HP-UX, AIX, Windows Vista
URL: http://www.auscert.org.au/7849
Title: ESB-2007.0526 -- [Win][UNIX/Linux] -- Moderate: perl-Net-DNS security
update
Date: 13 July 2007
OS: Solaris, HP Tru64 UNIX, Windows 98/98SE, Debian GNU/Linux, Other BSD
Variants, IRIX, Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other
Linux Variants, Windows XP, Red Hat Linux, Windows NT 4, Mac OS X,
HP-UX, AIX, Windows Vista, Windows ME
URL: http://www.auscert.org.au/7848
Title: ESB-2007.0525 -- [RedHat] -- Moderate: xorg-x11-xfs security update
Date: 13 July 2007
OS: Red Hat Linux
URL: http://www.auscert.org.au/7847
Title: ESB-2007.0524 -- [UNIX/Linux][FreeBSD] -- Errors handling corrupt tar
files in libarchive(3)
Date: 13 July 2007
OS: Solaris, HP Tru64 UNIX, Debian GNU/Linux, Other BSD Variants, IRIX,
OpenBSD, FreeBSD, Other Linux Variants, Red Hat Linux, Mac OS X, HP-UX,
AIX
URL: http://www.auscert.org.au/7846
Title: ESB-2007.0523 -- [Linux][RedHat] -- Moderate: kernel security and bug
fix update
Date: 12 July 2007
OS: Debian GNU/Linux, Other Linux Variants, Red Hat Linux
URL: http://www.auscert.org.au/7845
Title: ESB-2007.0522 -- [Win][UNIX/Linux] -- Security Vulnerability in Java
Web Start URL Parsing Code May Allow Untrusted Applications to Elevate
Privileges
Date: 13 July 2007
OS: Windows Vista, AIX, HP-UX, Red Hat Linux, Windows XP, Other Linux
Variants, FreeBSD, Windows 2000, OpenBSD, Windows 2003, IRIX, Other BSD
Variants, Debian GNU/Linux, HP Tru64 UNIX, Solaris
URL: http://www.auscert.org.au/7844
Title: ESB-2007.0521 -- [Win][UNIX/Linux] -- Java Runtime Environment Does Not
Securely Process XSLT Stylesheets Contained in XML Signatures
Date: 12 July 2007
OS: HP Tru64 UNIX, Solaris, Debian GNU/Linux, Other BSD Variants, IRIX,
Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other Linux Variants,
Windows XP, Red Hat Linux, Mac OS X, HP-UX, AIX, Windows Vista
URL: http://www.auscert.org.au/7843
Title: ESB-2007.0520 -- [Win] -- Symantec AntiVirus symtdi.sys Local Privilege
Escalation Vulnerability
Date: 12 July 2007
OS: Windows 2003, Windows 2000, Windows XP, Windows Vista
URL: http://www.auscert.org.au/7842
Title: ESB-2007.0519 -- [Solaris] -- Security Vulnerability in the rcp(1)
Command May Allow Execution of Unintended Commands
Date: 12 July 2007
OS: Solaris
URL: http://www.auscert.org.au/7841
Title: ESB-2007.0518 -- [Win][UNIX/Linux] -- Security Vulnerability in
Processing XSLT Stylesheets Affects Sun Java System Application Server
and Web Server
Date: 12 July 2007
OS: Solaris, Debian GNU/Linux, Windows 2003, Windows 2000, Other Linux
Variants, Windows XP, Red Hat Linux, HP-UX, Windows Vista
URL: http://www.auscert.org.au/7840
Title: ESB-2007.0517 -- [Win] -- Symantec Backup Exec RPC Remote Heap Overflow
Vulnerability
Date: 12 July 2007
OS: Windows 2003, Windows 2000, Windows XP, Windows Vista
URL: http://www.auscert.org.au/7839
Title: ESB-2007.0516 -- [UNIX/Linux] -- Security Vulnerability in the Logging
Output of Sun Java System Access Manager
Date: 12 July 2007
OS: Solaris, Debian GNU/Linux, Other Linux Variants, Red Hat Linux
URL: http://www.auscert.org.au/7838
Title: ESB-2007.0515 -- [Win][UNIX/Linux] -- Java Secure Socket Extension Does
Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial
of Service (DoS) Condition
Date: 12 July 2007
OS: HP Tru64 UNIX, Solaris, Windows 98/98SE, Debian GNU/Linux, Other BSD
Variants, IRIX, Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other
Linux Variants, Windows XP, Red Hat Linux, Windows NT 4, Mac OS X,
HP-UX, AIX, Windows Vista, Windows ME
URL: http://www.auscert.org.au/7837
Title: ESB-2007.0514 -- [Win][OSX] -- QuickTime 7.2
Date: 12 July 2007
OS: Windows 98/98SE, Windows 2003, Windows 2000, Windows XP, Windows NT 4,
Mac OS X, Windows Vista, Windows ME
URL: http://www.auscert.org.au/7836
Title: ESB-2007.0513 -- [Win][UNIX/Linux] -- Multiple vulnerabilities in
SquirrelMail G/PGP Plugin
Date: 12 July 2007
OS: Solaris, HP Tru64 UNIX, Debian GNU/Linux, Other BSD Variants, IRIX,
Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other Linux Variants,
Windows XP, Red Hat Linux, Mac OS X, HP-UX, AIX, Windows Vista
URL: http://www.auscert.org.au/7835
Title: ESB-2007.0512 -- [Win][Linux] -- Cisco Unified Communications Manager
Overflow Vulnerabilities
Date: 12 July 2007
OS: Windows 98/98SE, Debian GNU/Linux, Windows 2003, Windows 2000, Other
Linux Variants, Windows XP, Cisco Products, Red Hat Linux, Windows NT
4, Windows Vista, Windows ME
URL: http://www.auscert.org.au/7834
Title: ESB-2007.0511 -- [Win][Linux] -- Cisco Unified Communications Manager
and Presence Server Unauthorized Access Vulnerabilities
Date: 12 July 2007
OS: Windows 98/98SE, Debian GNU/Linux, Windows 2003, Windows 2000, Other
Linux Variants, Windows XP, Cisco Products, Red Hat Linux, Windows NT
4, Windows Vista, Windows ME
URL: http://www.auscert.org.au/7833
Title: ESB-2007.0510 -- [HP Tru64] -- HP Tru64 UNIX Internet Express running
Samba, Remote Arbitrary Code Execution or Local Unauthorized Privilege
Elevation
Date: 11 July 2007
OS: HP Tru64 UNIX
URL: http://www.auscert.org.au/7831
Title: ESB-2007.0509 -- [Win][Netware][UNIX/Linux][OSX] -- Multiple
vulnerabilities in Adobe products
Date: 11 July 2007
OS: Solaris, HP Tru64 UNIX, Windows 98/98SE, Debian GNU/Linux, Other BSD
Variants, IRIX, Windows 2003, Windows CE, OpenBSD, Windows 2000,
FreeBSD, Other Linux Variants, Windows XP, Red Hat Linux, Windows NT 4,
Mac OS X, Novell Netware, HP-UX, AIX, Windows Vista, Windows ME
URL: http://www.auscert.org.au/7830
Title: ESB-2007.0508 -- [Win] -- MS07-038 - Vulnerability in Windows Vista
Firewall Could Allow Information Disclosure
Date: 11 July 2007
OS: Windows Vista
URL: http://www.auscert.org.au/7829
Title: ESB-2007.0507 -- [Win] -- MS07-037 - Vulnerability in Microsoft Office
Publisher 2007 Could Allow Remote Code Execution
Date: 11 July 2007
OS: Windows 98/98SE, Windows 2003, Windows 2000, Windows XP, Windows NT 4,
Windows Vista, Windows ME
URL: http://www.auscert.org.au/7828
Title: ESB-2007.0506 -- [Win] -- MS07-041 - Vulnerability in Microsoft
Internet Information Services Could Allow Remote Code Execution
Date: 11 July 2007
OS: Windows XP
URL: http://www.auscert.org.au/7827
Title: ESB-2007.0505 -- [Win] -- MS07-040 - Vulnerabilities in .NET Framework
Could Allow Remote Code Execution
Date: 11 July 2007
OS: Windows 2003, Windows 2000, Windows XP, Windows Vista
URL: http://www.auscert.org.au/7826
Title: ESB-2007.0504 -- [Win] -- MS07-036 - Vulnerabilities in Microsoft Excel
Could Allow Remote Code Execution
Date: 11 July 2007
OS: Windows 98/98SE, Windows 2003, Windows 2000, Windows XP, Windows NT 4,
Windows Vista, Windows ME
URL: http://www.auscert.org.au/7824
Title: ESB-2007.0503 -- [AIX] -- A buffer overflow vulnerability exists in
libodm.
Date: 10 July 2007
OS: AIX
URL: http://www.auscert.org.au/7823
Title: ESB-2007.0502 -- [Win][UNIX/Linux][Debian] -- New vlc packages fix
arbitrary code execution
Date: 10 July 2007
OS: Debian GNU/Linux
URL: http://www.auscert.org.au/7820
Title: ESB-2007.0501 -- [Win] -- WinPcap NPF.SYS Local Privilege Escalation
Vulnerability
Date: 10 July 2007
OS: Windows 2003, Windows 2000, Windows XP, Windows NT 4, Windows Vista
URL: http://www.auscert.org.au/7819
Title: ESB-2007.0500 -- [Win][UNIX/Linux] -- Multiple Vendor GIMP Multiple
Integer Overflow Vulnerabilities
Date: 10 July 2007
OS: Solaris, HP Tru64 UNIX, Windows 98/98SE, Debian GNU/Linux, Other BSD
Variants, IRIX, Windows 2003, OpenBSD, Windows 2000, FreeBSD, Other
Linux Variants, Windows XP, Red Hat Linux, Windows NT 4, HP-UX, AIX,
Windows Vista, Windows ME
URL: http://www.auscert.org.au/7818
Title: ESB-2007.0499 -- [Debian] -- Multiple vulnerabilities in PHP packages
to fix arbitrary code execution
Date: 09 July 2007
OS: Debian GNU/Linux
URL: http://www.auscert.org.au/7812
Title: ESB-2007.0370 -- [AIX] -- A vulnerability in the Perl interpreter may
allow a local user to execute arbitrary code as another user
Date: 12 July 2007
OS: AIX
URL: http://www.auscert.org.au/7653
Title: ESB-2007.0270 -- [Solaris] -- Security Vulnerability in libX11 for
Solaris
Date: 13 July 2007
OS: Solaris
URL: http://www.auscert.org.au/7523
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert at auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
------- End of Forwarded Message