Alerts

Microsoft has Revised Advisory MS08-037: Effect on ZoneAlarm and Check Point Endpoint Security

July 16, 2008

Microsoft has released an advisory in response to the adverse effect that applying advisory MS08-037 may have on ZoneAlarm and Check Point Endpoint Security customers. By applying Security Bulletin MS08-037, these customers face the possibility of losing connectivity.

Microsoft recommends that affected customers review the workarounds published on the ZoneAlarm and Check Point Endpoint Security websites.

Additional Information

Vulnerability in Microsoft's ActiveX Control for the Snapshot Viewer

July 9, 2008

A vulnerability was discovered in the Microsoft Office Snapshot Viewer ActiveX control. The vulnerability could be exploited through a specially crafted web page. If a user views the web page, an attacker may be able to execute arbitrary code.

Microsoft has not announced a patch for this vulnerability; however, they have released a security advisory.

Affected Systems

  • Microsoft Office Access 2000
  • Microsoft Office Access XP
  • Microsoft Office Access 2003
  • Microsoft Office Snapshot Viewer

Recommendations

Q-CERT recommends that users apply the workarounds discussed in Microsoft's Security Advisory (955179).

Additional Information

BKDR_POKERSTLR.A

June 25, 2008

Severity Level: Low

General Overview

  • Type: Malware - Backdoor
  • This malware may be installed manually by a user or downloaded unknowingly when visiting malicious websites. As this malware executes, it displays a message asking the user to enter an administrative password, and then it sends the user name and password to a remote machine.

Systems Affected

Mac OS

Description

This malware may be installed manually by a user or downloaded unknowingly when visiting malicious websites.

As this malware executes, it displays the following message asking the user to enter an administrative password.

A corrupt preference file has been detected and must be repaired.
Enter the password for the user account {User name} to continue:

It then sends the user name, password hash and IP address of the victim to a remote server over an SSH connection it establishes.

Additional Information

Highly Critical Vulnerability in Firefox 3.0

June 24, 2008

Less than 24 hours after its release, a critical vulnerability was discovered in Firefox 3.0. It has been reported that the vulnerability is so critical that it enables the execution of an attacker's arbitrary code on the compromised machine. Successful exploitation requires victim interaction, either clicking on a link or visiting a malicious site.

TippingPoint Technologies' Zero Day Initiative said that it will not release any details of the bug until a patch is released by Mozilla. TippingPoint added that the vulnerability is not system specific but rather browser specific, since it affects the Windows, Mac OS X, and Linux versions of Firefox.

Mozilla is currently working on a fix; however, there has been no specific declaration of the time of patch release.

Additional Information

BKDR_IRCBOT.BGY

June 17, 2008

Severity Level: Low

General Overview

  • Type: Malware - Backdoor
  • While the user is unaware of what is going on behind the scenes, this malware is downloaded from remote sites through the aid of other malware. It creates certain registry entries to allow its automatic execution every time the system starts up. This backdoor opens a random port that allows remote access to the compromised machine. Successful remote connection with that affected system enables the attacker to execute arbitrary commands on it.

Systems Affected

Windows 98, ME, NT, 2000, XP, Server 2003

Description

This malware can be downloaded from remote sites by other malware. It drops a copy of itself as:
%Windows%\wksvcsc.exe

It displays the following fake message to the users to convince them that the malware did not execute:
Picture can not be displayed.

To allow its automatic execution with every system startup, it creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows UDP Control Services" = "wksvcsc.exe"

This backdoor opens a random port that exposes the affected machine to remote access. Once a remote machine has successfully connected, it can execute the following commands on the affected system:

  • Download/Upload files
  • Execute/Terminate process or thread
  • Remove malware
  • Update malware

Additional Information

VBS.Solow.G

June 15, 2008

Severity Level: Low

General Overview

  • Type: Worm
  • The worm copies itself to a certain location. It creates certain registry entries to be executed as Windows starts. The result of execution changes the title bar on Internet Explorer to display a specific message. The worm has the capability of copying itself into all removable drives.

Systems Affected

Windows:

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Description

The worm copies itself to the following location:
%Windir%\winrun.dll.vbs

It creates the following registry entries so that it is executed as Windows starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winrun.dll" = "%Windir%\winrun.dll.vbs"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"officescan" = "C:\Documents and Settings\All Users\Menu Demarrer\Programmes\Demarrage\officescan.vbs"

The result of execution changes the title bar on Internet Explorer to display a specific message.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "// ;) anna I Liebe YOU ==> MILK@3|_!!!"

The worm has the capability of copying itself to all removable drives as the hidden file:
%DriveLetter%\winrun.vbs

In addition, it creates the following file on the infected drives so that whenever the drive is accessed, the file is executed:
%DriveLetter%\autorun.inf

Additional Information

Microsoft DirectX SAMI File Parsing Stack Buffer Overflow Vulnerability

June 15, 2008

Severity Level: High

General Overview

  • Type: Vulnerability
  • Because it fails to perform adequate boundary checks on user-supplied data, Microsoft DirectX is susceptible to a stack-based buffer-overflow vulnerability.

Technologies Affected

  • Microsoft DirectX 8.1
  • Microsoft DirectX 7.0
  • Microsoft DirectX 7.0a

Description

This vulnerability is triggered when DirectX handles a malformed SAMI file, and exploiting it may allow arbitrary code execution while the user is running an application that uses DirectX. The severity is not limited to successful exploitation: a failed exploitation attempt causes a denial-of-service condition.

Additional Information

Microsoft Windows XP Service Pack 3

May 14, 2008

On Tuesday, May 6, Microsoft released the latest Service Pack (SP3) for its Windows XP operating system. You can download it from the Windows Download Center, but note that it weighs in at a hefty 342.9 MB, which may take some time to download. If you only need to update a single computer, Q-CERT recommends that you visit Microsoft's Windows Update site to get a smaller file tailored to your system. Internet Explorer is required to access this patch. Microsoft says it will also provide SP3 via its automatic-update system later this summer.

The company's release notes offer advice about upgrade issues that may come up in some circumstances; for example, if you are running XP Media Center Edition 2002, you must have XP's Service Pack 2 update installed first. A Microsoft paper, available as a PDF, DOCX, or XPS file, summarizes the changes in SP3, including a handful of security upgrades not offered in earlier fixes. You should definitely follow Microsoft's advice before installing the upgrade.

Update Released by Opera

March 9, 2008

An updated version (9.26) of Opera for Windows has been released that addresses multiple vulnerabilities in the Opera web browser. Using these vulnerabilities, an attacker may be able to execute arbitrary scripts in the wrong security context or trick users into uploading arbitrary files.

Solution
Q-CERT recommends that users read the Opera 9.26 for Windows changelog and upgrade to Opera 9.26.

Additional Information

Security Advisory Released by Mozilla

February 28, 2008

Mozilla has released a security advisory addressing a vulnerability in Thunderbird and SeaMonkey. This vulnerability, caused by errors in the way that external-body MIME types are handled, may allow unauthenticated remote attackers to execute arbitrary code by convincing a user to view a specially crafted email message.

Products Affected

  • Thunderbird
  • SeaMonkey

Solution
Q-CERT recommends that users read Mozilla Foundation Advisory 2008-12 and apply the update to Thunderbird 2.0.0.12 or SeaMonkey 1.1.8.

Additional Information

Security Advisories Released by Symantec

February 28, 2008

Symantec has released a security advisory addressing multiple vulnerabilities in various Symantec AntiVirus products. These vulnerabilities, caused by errors in the way that Symantec Decomposer handles .RAR files, may allow a denial-of-service attack or the execution of arbitrary code.

Products Affected

  • Symantec AntiVirus for Network Attached Storage 4.3.16.39 and earlier
  • Symantec AntiVirus Scan Engine 4.3.16.39 and earlier
  • Symantec AntiVirus Scan Engine for Caching 4.3.16.39 and earlier
  • Symantec AntiVirus Scan Engine for Clearswift 4.3.16.39 and earlier
  • Symantec AntiVirus Scan Engine for Messaging 4.3.16.39 and earlier
  • Symantec AntiVirus Scan Engine for MS ISA 4.3.16.39 and earlier
  • Symantec AntiVirus Scan Engine for MS SharePoint 4.3.16.39 and earlier
  • Symantec AntiVirus/Filtering for Domino MPE (AIX, Linux, Solaris), all versions
  • Symantec Mail Security for Microsoft Exchange 5.0.4.363 and earlier and 4.6.5.12 and earlier
  • Symantec Scan Engine 5.1.4.24 and earlier

Solution
Q-CERT recommends that users read Symantec Security Advisory SYM08-006, apply the update, and follow the security best practice provided in the advisory.

Additional Information

Updates for Multiple Vulnerabilities in Microsoft

February 20, 2008

Vulnerabilities in Microsoft Windows and Office could allow an attacker to take complete control of an affected system and install and run malicious code on the system.

Systems Affected

  • Microsoft Windows
  • Microsoft Internet Explorer
  • Microsoft Office

Solution
Q-CERT recommends that users apply Microsoft Update and enable Automatic Updates.

Additional Information

Public Exploit Code for Vulnerabilities in Microsoft Works

February 20, 2008

Microsoft has addressed public exploit code for Microsoft Works 6 File Converter vulnerabilities. On an affected system, an attacker may be able to execute arbitrary code by tricking a user into opening a specially crafted Works file. Exploitation of this vulnerability could allow an attacker to take complete control of an affected system. Remote code execution could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected

  • Microsoft Office 2003 Service Pack 2
  • Microsoft Office 2003 Service Pack 3
  • Microsoft Works 8.0
  • Microsoft Works Suite 2005

CVE

  • CVE-2007-0216
  • CVE-2008-0105
  • CVE-2008-0108

Solution
Q-CERT encourages users to apply any updates or workarounds and review Microsoft Security Bulletin MS08-011.

Additional Information

Mozilla Firefox and Opera Vulnerability

February 20, 2008

There are reports of a vulnerability in the Mozilla Firefox and Opera web browsers that is caused by sending a specially crafted bitmap image file to the browser. This vulnerability could allow an attacker to gain access to sensitive information or cause a denial-of-service condition.

Systems Affected

  • Mozilla Firefox
  • Opera

Solution
Q-CERT recommends that Mozilla Firefox users upgrade to Firefox 2.0.0.12 and that Opera users upgrade to Opera 9.25.

Additional Information

Microsoft Releases Security Bulletin for December 2007

January 14, 2008

Microsoft has released updates that address multiple critical vulnerabilities. The vulnerabilities affect Microsoft Windows, Internet Explorer, DirectX, DirectShow, and Windows Media Format Runtime. Exploitation of these vulnerabilities could allow elevation of privilege, remotely or locally, or remote code execution. Exploitation could also crash a vulnerable system. To detect whether a system is vulnerable, users can run the Microsoft Baseline Security Analyzer and apply the suggested solutions for applicable systems. Q-CERT also recommends that users review the security bulletin and apply applicable updates.

Additional Information

Web Proxy Auto-Discovery Vulnerability Security Advisory Released by Microsoft

January 14, 2008

Microsoft has released an advisory that addresses a vulnerability in Web Proxy Auto-Discovery. This vulnerability may allow attackers to gain access to critical information via man-in-the-middle attacks.

Q-CERT advises users to apply the workarounds specified in Microsoft's advisory to further mitigate the risk.

Additional Information

Security Advisories Released by Cisco

January 14, 2008

Cisco has released two security advisories. One addresses a vulnerability in Cisco Security Agent for Microsoft Windows that may allow a denial-of-service attack or the execution of arbitrary code. The other addresses a vulnerability in CiscoWorks Server that may allow the injection of a malicious script into a web page by convincing the user to follow a crafted URL.

Q-CERT recommends that users read Cisco's advisories and apply the workarounds and updates provided by Cisco. Users should not follow unsolicited links.

Additional Information

Highly Critical Vulnerability in OpenOffice

January 14, 2008

OpenOffice is prone to a vulnerability due to an unspecified error in the HSQLDB engine. Arbitrary static Java code can be executed via a specially crafted database document that exploits this vulnerability. Successful exploitation may compromise the user's system.

Affected Software

  • OpenOffice versions prior to 2.3.1

CVE: CVE-2007-4575

Solution
Q-CERT recommends that users update their software to version 2.3.1 (HSQLDB 1.8.0.9).

Additional Information

Microsoft Releases November Security Bulletins

November 29, 2007

Microsoft has released security bulletins for November. One of the issues addressed is a critical vulnerability in URI handling that may allow an attacker to execute arbitrary commands. The other bulletin addresses a vulnerability in DNS servers that may allow spoofing by sending specially crafted DNS requests. To detect whether a system is vulnerable, Microsoft recommends that users run the Microsoft Baseline Security Analyzer and apply the suggested solutions for applicable systems.

Additional Information

Updates for Vulnerabilities in Apple's QuickTime

November 8, 2007

Apple has released multiple updates to address vulnerabilities in QuickTime. These vulnerabilities include a heap buffer overflow, multiple errors in QuickTime's Java support, an error in image handling, and a stack buffer overflow; their exploitation may lead to arbitrary code execution or a denial-of-service condition. They can be exploited when the user accesses a crafted image or media file hosted on a web page.

Note: Any system with iTunes can also be exploited by these vulnerabilities because iTunes installs QuickTime.

Affected Systems

  • Apple Mac OS X
  • Microsoft Windows

CVE

Solution
Q-CERT recommends that users upgrade to QuickTime 7.3 and secure their web browser.

Additional Information

Microsoft releases an advisory to address URI Vulnerability

November 1, 2007

Microsoft has released an advisory that addresses the Windows URI Protocol vulnerability. This vulnerability affects Windows XP and Windows Server 2003 with Windows Internet Explorer 7 and could allow an attacker to execute arbitrary commands remotely. Systems that have Adobe Reader and Mozilla Firefox installed are also affected. An exploit that uses Firefox is publicly available. Users are strongly advised to protect their systems by enabling the firewall, scanning with anti-virus software, and installing applicable updates.

Additional Information

Adobe Security Update

November 1, 2007

Adobe has released a new security update that addresses multiple critical vulnerabilities in Adobe Reader. The vulnerabilities could allow an attacker to execute arbitrary commands and take control of the affected system. Adobe strongly recommends that users update to Reader 8.1.1 or Acrobat 8.1.1.

Additional Information

Cisco releases Security Advisories

November 1, 2007

Cisco has released four security advisories to address multiple vulnerabilities in Firewall Services Module, PIX, Adaptive Security Appliance, Unified Communications Manager, and Unified Communications Web-Based Management products. More information about the vulnerabilities can be found in the relevant product's advisory.

Additional Information

Multiple Vulnerabilities in Oracle

November 1, 2007

Problem
Oracle has announced multiple vulnerabilities in various modules. These vulnerabilities have various impacts: exploited remotely, they may allow an attacker to perform denial-of-service or SQL injection attacks and to disclose sensitive information.

Solution
Oracle has released a Critical Patch Update to mitigate the problem. Users are recommended to apply the patches.

Additional Information

Mozilla Released Security Advisory

November 1, 2007

Mozilla has released a security advisory to address multiple vulnerabilities in its products. The advisory includes some critical vulnerabilities in Firefox, Thunderbird, and SeaMonkey. These vulnerabilities may allow a remote attacker to perform spoofing, cause denial-of-service conditions, and expose sensitive data. Q-CERT recommends that users review the advisory and install applicable updates.

Additional Information

RealPlayer Playlist Name Buffer Overflow Vulnerability

November 1, 2007

Problem
RealPlayer is prone to a stack buffer overflow vulnerability in the handling of playlist names. Exploitation of this vulnerability may be achieved by convincing the user to visit a specially crafted HTML page, which may allow the remote attacker to execute arbitrary code on a vulnerable system. Q-CERT is aware of an active exploit for this vulnerability, which makes this vulnerability critical to Microsoft Windows users. This vulnerability does not affect Macintosh and Linux versions of RealPlayer.

Affected Software

  • RealPlayer 10.5
  • RealPlayer 11 beta

CVE: CVE-2007-5601

Solution
RealNetworks has released a security update to solve this problem. Users are strongly advised to update to the new versions of RealPlayer.

Additional Information

Microsoft Releases October Security Bulletins

October 11, 2007

Microsoft has released the monthly bulletin for October 2007, which includes four critical and two important updates. The bulletin addresses critical vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Outlook Express and Windows Mail, Microsoft Office, Microsoft Office for Mac, and Microsoft SharePoint. If these vulnerabilities are exploited, a remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.

In addition, Microsoft has released an update to Security Bulletin MS05-004, adding Windows Server 2003 Service Pack 2 and Windows Vista to the affected software. This ASP .NET path validation vulnerability may allow a remote, unauthenticated attacker to gain access to secure web site content by using a specially crafted URL.

Q-CERT recommends that users update their software to the latest version of .NET Framework.

Additional Information

Remote Command Execution Vulnerability in Apple's QuickTime

September 18, 2007

Problem
Apple's QuickTime media player, available for Microsoft Windows and Apple OS, is currently exposed to a vulnerability that enables an attacker to remotely change the set of commands that the media player usually uses. These commands include the ones that launch and display QuickTime movies. Therefore, a user who is persuaded to open a specially crafted QuickTime file may be attacked.

Solution
The vendor does not currently offer any recommended solutions for this problem. However, Q-CERT recommends that users view QuickTime movies from only trusted sources.

Additional Information

Red Hat Kernel Security Updates

September 18, 2007

Problem
Red Hat has released multiple security updates for the Red Hat Enterprise Linux 5 kernel to address flaws in Intel graphics card support, connection tracking support, the file system, and CPU set support. The Red Hat Security Response Team rated the security impact as important. These vulnerabilities can cause a denial of service, disclose potentially sensitive information, and escalate privileges.

Affected Systems

  • Red Hat Enterprise Linux (v. 5 server)
  • Red Hat Enterprise Linux Desktop (v. 5 client)

CVE

Solution
Q-CERT recommends that users apply Red Hat's patches.

Additional Information

Microsoft Releases Security Bulletin

September 14, 2007

Microsoft has released the monthly bulletin for September 2007, and it includes three important updates and one critical update. The bulletin addresses multiple vulnerabilities in Windows, Visual Studio, Windows Services for UNIX, Subsystem for UNIX-based Applications, MSN Messenger, and Windows Live Messenger. The impact of the vulnerabilities includes remote code execution and elevation of privileges. Q-CERT recommends that users review the bulletin and apply appropriate updates.

Additional Information

Buffer Overflow Vulnerability in Oracle

September 6, 2007

Problem
Oracle JInitiator has multiple buffer-overflow vulnerabilities because the application fails to properly bound-check user-supplied data before copying it into an insufficiently sized memory buffer. This vulnerability may allow the attacker to execute arbitrary code remotely, and failed attempts will likely result in denial-of-service conditions.

Affected Software

  • Oracle JInitiator 1.1.8.16

CVE: CVE-2007-4467

Solution
Q-CERT recommends that users disable the Oracle JInitiator ActiveX control in Internet Explorer until the vendor releases related updates or patches.

Additional Information

Cisco Releases New Security Advisories

September 6, 2007

Cisco has released new security advisories that address multiple vulnerabilities in various products and services, including Video Surveillance IP Gateway, Services Platform Authentication, Content Switching Module, and CallManager/Unified Communications Manager Logon Page. The impacts of these vulnerabilities include denial of service, access to privileged controls, cross-site-scripting, and SQL injection. Q-CERT recommends that system administrators who use Cisco products review these advisories and apply the applicable workaround.

Additional Information

Vulnerabilities in Yahoo! Messenger

August 23, 2007

Problem
Two vulnerabilities have been reported in Yahoo! Messenger due to its failure in handling webcam streams. These vulnerabilities may allow a remote attacker to execute arbitrary code, cause a denial of service, or compromise a user's system.

Solution
Users are recommended to upgrade to the latest version of Yahoo! Messenger, found at http://messenger.yahoo.com/download.php.

Additional Information

Multiple Vulnerabilities in Trend Micro

August 23, 2007

Problem
Multiple buffer overflow vulnerabilities have been reported in Trend Micro ServerProtect. Successful exploitation may allow the attacker to compromise a vulnerable system.

Affected Software

  • Trend Micro ServerProtect for Windows/NetWare 5.x

Solution
It is recommended that Trend Micro users review the update and install the fixes found in the ServerProtect Security Patch 4 release notes.

Additional Information

Microsoft Releases New Security Bulletin

August 15, 2007

Microsoft has released the Security Bulletin for August, which contains six vulnerabilities marked as critical. The vulnerabilities are in several Microsoft products, including Office, Office for Mac, Internet Explorer, XML Core Services and Visual Basic, Virtual Server, Virtual PC and Vista. The impact of the vulnerabilities includes remote code execution and escalated privileges. Q-CERT recommends that the bulletin is reviewed and that all applicable updates are installed.

Additional Information

Symantec ActiveX Control Vulnerabilities

August 15, 2007

Problem
Two ActiveX controls used by Symantec's Norton AntiVirus, Norton Internet Security, and Norton SystemWorks contain vulnerabilities. The vulnerabilities may allow an attacker to execute arbitrary code on an affected system when the user views a specially crafted HTML document.

Affected Software

  • Symantec Norton AntiVirus 2006
  • Symantec Norton Internet Security 2005
  • Symantec Norton Internet Security 2006
  • Symantec Norton SystemWorks 2006

CVE: CVE-2007-2955

Solution
Symantec has released an update to mitigate this problem. More information can be found in the Symantec Security Advisory. Users are recommended to review the advisory and install the applicable updates.

Additional Information

Cisco Releases New Security Advisories

August 13, 2007

Cisco has released four security advisories to address multiple vulnerabilities in IOS and Unified Communications Manager. The vulnerabilities include the following: Next Hop Resolution Protocol, Secure Copy Authorization Bypass, IOS Information Leakage Using IPv6 Routing Header, and Voice Vulnerabilities. More information can be found in the advisories.

Additional Information

High Risk Vulnerability in AVG Antivirus Software

July 18, 2007

NGS Software has published information about a vulnerability identified in AVG Antivirus software from Grisoft. A fix has been implemented in AVG 7.5 build 476, core service version 7.5.0.476. Q-CERT recommends that the fix be implemented as soon as practical.

Additional Information

The fix can be downloaded from the following sites:

Cisco Vulnerabilities in Unified Communications Manager

July 18, 2007

Cisco has published two separate advisories that describe several vulnerabilities affecting Cisco Unified Communications Manager. The impacts of these vulnerabilities vary, but the most severe may allow a remote attacker to execute arbitrary code on an affected system. Q-CERT recommends that administrators of this product apply the updates described in the advisories.

Additional Information

Adobe Flash Player Multiple Vulnerabilities

July 18, 2007

Adobe Systems has released a security bulletin to address multiple vulnerabilities in their Flash Player, some of which may allow an unauthenticated attacker to execute arbitrary code on an affected system. Q-CERT recommends that users apply the updates described in the bulletin.

Additional Information

Apple Update for QuickTime Vulnerabilities

July 18, 2007

Apple has released an update to address multiple vulnerabilities in QuickTime. These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code, execute arbitrary commands, or cause a denial-of-service condition on an affected system. Q-CERT recommends that users upgrade to QuickTime 7.2 as soon as possible.

Additional Information

Vulnerabilities in McAfee Products

July 18, 2007

McAfee has given notice of vulnerabilities in ePolicy Orchestrator, ProtectionPilot, and Common Management Agent product. These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition on an affected system. Q-CERT recommends that users apply the updates described in the McAfee Security Bulletins below.

Additional Information

Microsoft Releases Security Updates

July 11, 2007

Microsoft has released updates to address vulnerabilities in Windows, Excel, Office Publisher, and .NET Framework as part of the Microsoft Security Bulletin Summary for July 2007. It is recommended that the bulletin is reviewed and that all applicable updates are installed.

Additional Information


Beware of Harry Potter!

July 4, 2007

A new worm that takes advantage of the popular "Harry Potter" novel is spreading through USB drives. This worm, called W32/Hairy-A, affects Windows platforms, particularly PCs with USB drives plugged in. It infects the PC with a malicious file, "HarryPotter-TheDeathlyHallows.doc", which claims to be a copy of the novel due to be released this month. Opening this file could result in one or all of these symptoms:

  1. The file contains the statement "Harry Potter is dead," and the worm then looks for other removable drives to infect.
  2. The worm creates multiple new accounts with names of the main characters of the novel: Harry Potter, Hermione Granger, and Ron Weasley.
  3. After logging in using one of those newly created accounts, the user would be prompted with a batch file that says the following:

    read and repent
    the end is near
    repent from your evil ways O Ye folks
    lest you burn in hell...JK Rowling especially

  4. The worm infects Internet Explorer with a home page redirected to an Amazon.com web page selling a book entitled "Harry Putter and the Chamber of Cheesecakes."

The worm does not appear to seek financial gain or to cause any damage to the PC beyond the symptoms outlined above.

However, Q-CERT recommends that readers be aware and keep their anti-virus software up to date.

Additional Information

Apple Releases Security Update and a new Safari Update

June 27, 2007

Apple has released Security Update 2007-006 to address multiple vulnerabilities that may allow an attacker to execute arbitrary code, cause a denial-of-service condition, and conduct cross-site scripting attacks. An update to Safari 3 Beta has also been released to add new security features.

Additional Information

Microsoft releases Security Bulletin for June 2007

June 13, 2007

Microsoft has released the Security Bulletin for June to address multiple vulnerabilities. Four of the vulnerabilities are rated critical. The bulletin covers vulnerabilities affecting multiple products, including Windows, Internet Explorer, Outlook Express, Windows Mail, Visio, Windows Schannel Security Package, and Vista. The impacts of the vulnerabilities include remote code execution and information disclosure. It is recommended that the bulletin is reviewed and that all applicable updates are installed.

Additional Information

Exploit available for Yahoo! Messenger Vulnerability

June 13, 2007

An exploit for the Yahoo! Messenger Webcam Upload (ywcupl.dll) and Webcam Viewer (ywcvwr.dll) ActiveX controls is publicly available. Successful exploitation may allow an attacker to execute arbitrary code on a user's machine. Users are strongly advised to install Yahoo!'s updates.

Additional Information

Mozilla releases Security Advisory

June 7, 2007

Mozilla has released Security Advisories to address multiple vulnerabilities. The vulnerabilities affect Firefox, Thunderbird and SeaMonkey, and their impacts include denial of service, cross-site scripting, and remote code execution. Users are recommended to install the updates in order to protect their systems.

Additional Information

Apple Xserve Lights-Out Management Firmware Vulnerability

June 7, 2007

Problem
A security vulnerability in Apple's Xserve systems may allow an attacker to gain administrative privileges. The vulnerability is due to a problem in the implementation of the Intelligent Platform Management Interface (IPMI).

Vulnerable Platform

  • Intel-based Xserve systems

CVE: CVE-2007-2387

Solution
Apple has released an update for this vulnerability. System administrators are encouraged to install it via Apple's Security Update.

Additional Information

Vulnerability in Java Runtime Environment Image Parsing Code

June 7, 2007

Problem
The Java Runtime Environment contains a buffer overflow vulnerability in its image parsing code that may allow an untrusted applet or application to elevate its privileges.

Vulnerable Platform

  • Java 2 Platform, Standard Edition (J2SE)

Solution
Users are advised to upgrade to a fixed version. Users are also encouraged to disable Java applets in their web browsers and to follow the best practices described in the document Securing Your Web Browser.

Additional Information

Apple Security Updates for Mac OS X and QuickTime

May 30, 2007

Apple has released new Security Updates that address multiple vulnerabilities in various components, including BIND, VPN, and iChat. The impacts include denial of service, arbitrary code execution, information disclosure, and privilege escalation. A separate update addresses multiple vulnerabilities in Apple QuickTime 7.1.6 that may lead to remote code execution when a user visits a malicious web site. Users are advised to install the Security Updates.

Additional Information

Security Vulnerabilities in the SOCKS Module of Sun Java System Web Proxy

May 30, 2007

Problem
The SOCKS module of Sun Java System Web Proxy Server 4.0 contains two buffer overflows that may allow remote or local unprivileged users to execute arbitrary code or cause a denial of service of the SOCKS server.

Vulnerable Platforms

  • SPARC
  • x86
  • Linux
  • Windows
  • HP-UX
  • AIX

Solution
Sun Microsystems has released updates to address this problem. System administrators are advised to install the updates that correspond to the platforms in use.

Additional Information

Microsoft Releases New Advisories

May 23, 2007

Microsoft has released two security advisories, one concerning a Windows Installer (MSI) fix and one concerning Microsoft Office. Microsoft states that the Windows Installer update is not a security patch; it fixes an issue that occasionally causes excessive system resource consumption when MSI runs. For more information, please review Microsoft Security Advisory (927891).

The second advisory announces the release of the Microsoft Office Isolated Conversion Environment (MOICE) and the File Block functionality for Microsoft Office. MOICE converts Office 2003 binary documents to the newer Office Open XML format inside an isolated environment, providing an additional layer of protection against malformed documents. File Block allows administrators to prevent Office from opening specific, potentially unsafe file types. More details are in Microsoft Security Advisory (937696).

Multiple Vulnerabilities in Cisco IOS

May 23, 2007

Cisco IOS contains vulnerabilities in its SSL packet processing and in its cryptographic library. A failure in SSL packet processing, triggered when Cisco IOS receives malformed packets, may lead to a system crash or denial of service. Cisco has published workarounds to mitigate this problem. For more information, please review the Cisco Security Advisory.

The second vulnerability affects Cisco IOS when it uses a third-party cryptographic library: a malformed Abstract Syntax Notation One (ASN.1) object may cause a denial of service. Please review the Cisco Security Advisory for more information.

Vulnerability in Symantec Norton Internet Security and Norton Personal Firewall

May 23, 2007

Problem
An ActiveX control used by Norton Personal Firewall 2004 and Norton Internet Security 2004 contains a buffer overflow vulnerability. A remote attacker may be able to execute arbitrary code when the user views a specially crafted HTML document; a failed attempt may instead crash the web browser (denial of service).

Vulnerable Products

  • Norton Internet Security Version 2004
  • Norton Personal Firewall Version 2004

CVE: CVE-2007-1689

Solution
Symantec has released updates for this problem. Users are advised to run Symantec LiveUpdate or apply the mitigations and workarounds provided by Symantec or US-CERT.

Additional Information

Full-Width and Half-Width Unicode Encoding Bypass Vulnerability

May 16, 2007

Problem
Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode-encoded traffic. This may allow remote attackers to bypass these systems.

Details
Some open source products and Microsoft products such as Microsoft IIS and the .NET Framework correctly decode this type of encoding, but most IDS/IPS/WAF products do not decode full-width Unicode (%uff..) encoded HTTP requests before analysis, case conversion, and character matching. By sending HTTP traffic in this encoding, an attacker may be able to bypass the content scanning system while the target server still interprets the request as intended. [GamaSec]

This vulnerability affects various vendors, including Cisco Systems, Sun Microsystems, Microsoft Corporation, and IBM Corporation. Please refer to the US-CERT Vulnerability Note for the whole list of affected vendors.
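As an added example (not part of the original alert or of the GamaSec advisory), the following Python compares a scanner that only performs standard %XX percent-decoding with one that also decodes the non-standard IIS %uXXXX form and folds full-width characters to ASCII before matching. The signatures and request strings are constructed for illustration; the point is that the scanner must canonicalize the request the same way the target server will.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed, simplified attack signatures for the demonstration (not a real ruleset).
SIGNATURE = re.compile(r"\.\./|cmd\.exe|<script", re.IGNORECASE)


def decode_percent_u(s: str) -> str:
    """Decode IIS-style %uXXXX sequences (one UTF-16 code unit each), then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def fold_fullwidth(s: str) -> str:
    """Map full-width/half-width forms to their ASCII equivalents.

    U+FF01..U+FF5E mirror ASCII 0x21..0x7E at offset 0xFEE0; NFKC normalization
    performs that mapping (and folds half-width katakana and similar forms too).
    """
    return unicodedata.normalize("NFKC", s)


def naive_scanner(request: str) -> bool:
    """What the advisory describes: %XX is decoded, %uXXXX and full-width forms are not."""
    return bool(SIGNATURE.search(unquote(request)))


def hardened_scanner(request: str) -> bool:
    """Canonicalize the way the target (e.g. IIS) will, then match.

    lower() mirrors the case conversion the advisory says scanners perform on the
    undecoded text; here it runs after decoding, where it actually takes effect.
    """
    canonical = fold_fullwidth(decode_percent_u(request)).lower()
    return bool(SIGNATURE.search(canonical))


if __name__ == "__main__":
    # Constructed sample: full-width "." (U+FF0E) and "c" (U+FF43) hide "../" and "cmd.exe".
    evasive = "/scripts/%uff0e%uff0e/winnt/system32/%uff43md.exe"
    plain = "/scripts/../winnt/system32/cmd.exe"
    for req in (plain, evasive):
        print(f"{req!r}: naive={naive_scanner(req)} hardened={hardened_scanner(req)}")
```

The decoding should be applied per destination: a server that does not understand %uXXXX will not execute the evasive request, so decoding it unconditionally in front of such a server produces alerts for traffic that is harmless there.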

Solution
System administrators are strongly advised to contact the vendor of their affected system for a patch or workaround for this issue.

Additional Information

Apache HTTP Server Tomcat Directory Traversal Vulnerability

May 16, 2007

Problem
Apache HTTP Server installations that front the Tomcat servlet container have a directory traversal vulnerability that may allow a remote attacker to read arbitrary files. The vulnerability is due to insufficient sanitization of user-supplied input.

Vulnerable Products

  • RHEL Desktop Workstation (v. 5 client)
  • Red Hat Enterprise Linux (v. 5 server)
  • Red Hat Enterprise Linux Desktop (v. 5 client)

CVE: CVE-2007-0450

Solution
Red Hat has released upgrades to address this issue. Please review the Red Hat Security Update.

Additional Information

Multiple Vulnerabilities in the IOS FTP Server

May 16, 2007

Problem
The Cisco IOS FTP Server feature contains multiple vulnerabilities whose impacts include denial of service (DoS), improper verification of user credentials, and the ability to retrieve or write any file on the device filesystem, including the device's saved configuration. Successful exploitation may allow unauthorized remote users to access the filesystem on the IOS device, cause the device to reload, or execute arbitrary code.

Vulnerable Products
Cisco devices running IOS versions 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4 with the FTP server feature enabled are affected. The IOS FTP Client feature is not affected.

Solution
Users are encouraged to review the Cisco Advisory and apply the workarounds. The IOS FTP server is disabled by default, so only devices on which it has been explicitly enabled need attention.

Additional Information

Microsoft Releases Security Bulletin for May 2007

May 9, 2007

Microsoft has released its Security Bulletin for May 2007 to address critical vulnerabilities in several products, including Microsoft Windows, Internet Explorer, the Windows DNS Server RPC interface, Office, Exchange, CAPICOM, and BizTalk. It is recommended that the bulletin be reviewed and that all applicable updates be installed.

Apple QuickTime Vulnerability

May 9, 2007

Problem

Apple QuickTime contains a vulnerability in its Java implementation that could lead to remote code execution. Successful exploitation could occur when the user visits a malicious web site containing specially crafted content.

Affected Systems

  • Mac OS X v10.3.9, v10.4.9
  • Windows XP SP2
  • Windows 2000 SP4

CVE: CVE-2007-2175

Solution
Apple has released a Security Update to address this issue. It is recommended that the update be installed and that Java applets be disabled in the browser when visiting untrusted sites.

Additional Information

"Internet Explorer 7.0 Beta" Malware

May 9, 2007

Reports have been received of spam circulating under the subject "Internet Explorer 7.0 Beta." The messages are sent with a spoofed sender address of "admin@microsoft.com" and carry a piece of malware named "update.exe," presented as an installer for Internet Explorer 7.0. The same malicious file has been found on several web sites. Users should treat such messages with caution; examples of how to identify malicious spam can be found at the link below.

Additional Information

Cisco Security Advisory Addresses Vulnerabilities in ASA and PIX Appliances

May 9, 2007

Cisco has released a new security advisory addressing multiple vulnerabilities in its Adaptive Security Appliance (ASA) and PIX security appliances: an LDAP authentication bypass, a denial of service in VPNs with password expiry enabled, and a denial of service in SSL VPNs. More information about the problems and fixes can be found in the Cisco Security Advisory.

Vulnerability in Adobe Photoshop

May 2, 2007

Problem
Adobe Photoshop CS2 and CS3 contain a stack-based buffer overflow vulnerability in the handling of bitmap files (e.g., .BMP, .DIB, .RLE) that allows an attacker to execute arbitrary code. The system is compromised when the user opens a specially crafted bitmap file. An exploit is publicly available for this vulnerability.

Vulnerable Applications

  • Adobe Photoshop CS2
  • Adobe Photoshop CS3

CVE: CVE-2007-2244

Solution
Until a fix is available, users are advised not to open bitmap files from untrusted sources.

Additional Information

Vulnerability in Cisco NetFlow Collection Engine

May 2, 2007

Problem
Cisco NetFlow Collection Engine contains a vulnerability that allows a remote attacker to execute arbitrary code. The system installer creates a default account with a known username and password (nfcuser / nfcuser); an attacker who knows these credentials can gain privileged access to the system through its web-based interface.

Vulnerable Systems

  • Linux (Red Hat Enterprise)
  • UNIX (HP/UX)
  • UNIX (Solaris - SunOS)

CVE: CVE-2007-2282

Solution
Cisco has released a Security Advisory to address this vulnerability. It is strongly recommended that the default username and password be changed and that the workarounds provided in the advisory be applied.

Additional Information

HP-UX Sendmail Vulnerability

May 2, 2007

Problem
HP-UX sendmail is prone to a vulnerability that may allow a remote denial-of-service attack. The vulnerability is due to an unspecified error in sendmail as shipped with HP-UX.

Vulnerable Systems

  • HP-UX B.11.00 (obsolete) running sendmail 8.9.3 or 8.11.1
  • HP-UX B.11.11 running sendmail 8.9.3 or sendmail 8.11.1
  • HP-UX B.11.23 running sendmail 8.11.1

CVE: CVE-2007-2246

Solution
Apply the update specified in the HP security advisory.

Additional Information

Apple Releases Security Update 2007-004

April 25, 2007

Apple has released a new security update that addresses multiple vulnerabilities in Mac OS X and Mac OS X Server. The impacts range from remote code execution and bypass of security restrictions to denial of service. Users are strongly advised to install the update, available via the link below, at the earliest opportunity:

Rinbot Worm Exploits Microsoft Windows DNS RPC Vulnerability

April 25, 2007

Problem
A new variant of the Rinbot worm that exploits the Windows DNS Server RPC vulnerability has been detected. Successful exploitation allows the worm to install a backdoor and gives attackers unauthorized remote access to the system.

Details
This variant of Rinbot is an Internet Relay Chat (IRC) controlled backdoor. It scans for TCP port 1025 in an attempt to reach the RPC interface of the Windows DNS Server service and exploit its buffer overflow vulnerability.
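As an added example, not code from the original alert or from any vendor, the following Python detector reads firewall-style connection log lines and flags any source that attempts TCP connections to port 1025 on many distinct hosts within a short window, which is the footprint the scanning behaviour above leaves. The log format, addresses and timestamps are constructed for the example. The RPC endpoint of the DNS service is allocated dynamically and 1025 is only the most common value, so the port and the threshold are parameters to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple

# Constructed log lines in a simple "timestamp src:sport -> dst:dport proto action"
# form; not real Rinbot traffic and not any vendor's log format.
SAMPLE_LOG = """\
2007-04-25T10:00:01 192.0.2.10:3101 -> 10.0.0.1:1025 tcp syn
2007-04-25T10:00:01 192.0.2.10:3102 -> 10.0.0.2:1025 tcp syn
2007-04-25T10:00:02 192.0.2.10:3103 -> 10.0.0.3:1025 tcp syn
2007-04-25T10:00:02 10.0.0.50:49152 -> 10.0.0.1:1025 tcp syn
2007-04-25T10:00:03 192.0.2.10:3104 -> 10.0.0.4:1025 tcp syn
2007-04-25T10:00:03 10.0.0.50:49153 -> 10.0.0.2:445 tcp syn
2007-04-25T10:00:04 192.0.2.10:3105 -> 10.0.0.5:1025 tcp syn
2007-04-25T10:00:05 198.51.100.7:40000 -> 10.0.0.3:1025 tcp syn
2007-04-25T10:00:06 198.51.100.7:40001 -> 10.0.0.3:1025 tcp syn
2007-04-25T10:00:07 192.0.2.10:3106 -> 10.0.0.6:1025 tcp syn
2007-04-25T10:05:00 192.0.2.10:3107 -> 10.0.0.7:1025 tcp syn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) \w+$"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                            int(m["dport"]), m["proto"].lower()))
    return events


def detect_port_scanners(lines: Iterable[str], port: int = 1025, threshold: int = 5,
                         window_seconds: int = 60) -> Dict[str, int]:
    """Return {source: max distinct destinations hit on `port` within any window}.

    Only sources reaching `threshold` are reported: one host talking repeatedly to
    one DNS server's RPC port is normal, one host sweeping many hosts is not.
    """
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse_events(lines):
        if ev.proto == "tcp" and ev.dport == port:
            by_src[ev.src].append(ev)

    hits: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for i, start in enumerate(evs):  # sliding window anchored at each event
            in_window = {e.dst for e in evs[i:]
                         if (e.ts - start.ts).total_seconds() <= window_seconds}
            best = max(best, len(in_window))
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    print(detect_port_scanners(SAMPLE_LOG.splitlines()))
```

In the sample, 192.0.2.10 reaches six distinct hosts on 1025/tcp within a minute and is reported; 10.0.0.50 and 198.51.100.7 touch a single destination each and are not.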

Solution
Microsoft has released Microsoft Security Advisory (935964) with workarounds to mitigate the risk. Keeping anti-virus applications updated and scanning systems regularly is also strongly recommended.

Additional Information

Windows DNS Server Vulnerability

April 19, 2007

Problem
The Windows DNS Server service has a stack-based buffer overflow vulnerability that may allow an attacker to execute arbitrary code with SYSTEM privileges. The vulnerability is triggered by sending a specially crafted RPC packet to the DNS server's RPC management interface. This vulnerability is being actively exploited.

Vulnerable Products

  • Microsoft Windows 2000 Server Service Pack 4
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 Service Pack 2

CVE: CVE-2007-1748

Solution
Microsoft has provided workarounds to mitigate this problem. Please review the Microsoft Security Advisory and apply them.

Additional Information

Oracle releases Critical Patches Update

April 19, 2007

Oracle has released patches that address critical vulnerabilities. This Critical Patch Update contains 36 new security fixes across Oracle products. The impacts range from remote code execution and denial of service to information disclosure. Installing these patches is strongly recommended.

Microsoft has released a Security Bulletin to address multiple vulnerabilities

April 5, 2007

Microsoft has released new security bulletins addressing several critical vulnerabilities. Updates are available for multiple Windows products. Users are strongly advised to install the updates as soon as possible. More information can be found in the Microsoft Security Bulletins.

Web Proxy Re-routing Attack in Microsoft Systems

March 29, 2007

Problem
A new attack method that re-routes web traffic through a malicious proxy server can be used against Microsoft systems. Microsoft has released a security bulletin that addresses this issue.

Details
Windows uses the Web Proxy Auto-Discovery (WPAD) protocol to let client software locate and contact web proxy servers automatically. The protocol relies on a WPAD host entry registered either in the Domain Name System (DNS) or in the Windows Internet Naming Service (WINS); the client resolves that name to find the host serving the proxy auto-configuration file 'Wpad.dat'. An attacker who can register or modify a WPAD entry in DNS or WINS, including one in a parent domain that the client tries when no entry exists in its own domain, can direct all of the client's web traffic to a malicious proxy server.

Solution
Network administrators are advised to register and reserve static WPAD entries in DNS and in WINS so that an attacker cannot claim the name. More details about applying this workaround can be found in the Microsoft Security Bulletin.
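As an added example (not code from the original alert or from Microsoft), the following Python models the name lookup a WPAD client performs by DNS devolution and checks, against a constructed name-to-address table, whether the entry that wins lies in a zone the organization controls. The client name, zones and addresses are invented for the example; the number of labels at which devolution stops is a parameter because that point has changed across Windows updates.

```python
from typing import Dict, List, Optional


def wpad_candidates(client_fqdn: str, stop_labels: int = 2) -> List[str]:
    """Names a client tries, in order, when it looks for the WPAD host by DNS devolution.

    Each step strips the left-most label of the client's domain, e.g.
    pc1.sales.corp.example.co.uk -> wpad.sales.corp.example.co.uk,
    wpad.corp.example.co.uk, wpad.example.co.uk, wpad.co.uk.
    Devolution stops once fewer than `stop_labels` labels remain.
    """
    domain_labels = client_fqdn.lower().rstrip(".").split(".")[1:]  # drop the host label
    candidates = []
    while len(domain_labels) >= stop_labels:
        candidates.append("wpad." + ".".join(domain_labels))
        domain_labels = domain_labels[1:]
    return candidates


def audit_wpad(client_fqdn: str, resolver: Dict[str, str],
               trusted_zones: List[str]) -> Optional[dict]:
    """Simulate the lookup against a name -> address table and report which entry wins.

    Returns None if no candidate resolves (the client falls back to a direct
    connection); otherwise the first resolving name, its address, and whether
    that name lies inside a zone the organization controls.
    """
    for name in wpad_candidates(client_fqdn):
        address = resolver.get(name)
        if address is None:
            continue
        zone = name.split(".", 1)[1]
        trusted = any(zone == z or zone.endswith("." + z) for z in trusted_zones)
        return {"name": name, "address": address, "trusted": trusted}
    return None


if __name__ == "__main__":
    client = "pc1.sales.corp.example.co.uk"
    ours = ["example.co.uk"]
    # Constructed: nobody registered wpad inside example.co.uk, but a third party
    # registered wpad.co.uk, so devolution walks out of the organization's zones.
    before = {"wpad.co.uk": "203.0.113.9"}
    # Constructed: the workaround, a static wpad record in the organization's own zone.
    after = dict(before, **{"wpad.corp.example.co.uk": "10.1.1.5"})
    print("without static entry:", audit_wpad(client, before, ours))
    print("with static entry:   ", audit_wpad(client, after, ours))
```

Running the block shows the client ending at wpad.co.uk when the organization has no entry of its own, and at the static internal record once one is registered, which is why the workaround is to reserve the name in every zone your clients sit in rather than to leave it unregistered.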

References

Gozi Trojan steals SSL encrypted data in Microsoft Internet Explorer

March 29, 2007

Problem
SecureWorks has published an analysis of a Trojan that infects systems through Internet Explorer vulnerabilities and targets Internet Explorer users. The Trojan, called Gozi and of Russian origin, steals data from SSL-protected sessions, mainly online purchase data.

Details
The Trojan went undetected for some time and has compromised more than 5,200 hosts and 10,000 user accounts on hundreds of sites. It inserts itself between Internet Explorer and the socket used to send data, intercepting the data before it is encrypted, so the SSL connection offers no protection.

Solution
Users are advised to update their anti-virus and anti-spyware applications and scan their systems. It is also recommended that you search manually for this Trojan and delete it from ALL user profile directories. According to the SecureWorks analysis, the Trojan binary (executable file) is named "xx_????.exe" (where ???? is four random lowercase letters) and is accompanied by "xx_tempopt.bin". Also delete the registry key that belongs to this Trojan: HKLM\SOFTWARE\Microsoft\CurrentVersion\xx_version. If you are not familiar with removing registry keys or files, please contact your organization's system administrator or an expert you trust.

References

Multiple Vulnerabilities in Cisco IP Telephony Solutions

March 29, 2007

Problem
Cisco IP telephony products are prone to multiple vulnerabilities that could lead to denial of service (DoS). The vulnerabilities lie in Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS). Cisco has made free software available to affected customers to address these vulnerabilities.

Details
Vulnerable products:

  • Cisco Unified CallManager 3.3 versions prior to 3.3(5)SR2a
  • Cisco Unified CallManager 4.1 versions prior to 4.1(3)SR4
  • Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR1
  • Cisco Unified CallManager 5.0 versions prior to 5.0(4a)SU1
  • Cisco Unified Presence Server 1.0 versions prior to 1.0(3)

Solution
It is recommended that users install the software that Cisco released to address this issue. Please review the Cisco Advisory.

References

Multiple Vulnerabilities in IBM Lotus Domino

March 29, 2007

Problem
IBM Lotus Domino is prone to buffer overflow and cross-site scripting vulnerabilities. Its IMAP, LDAP and Web Access services could be exploited by a remote attacker to cause cross-site scripting or denial of service.

Details
Vulnerable products:

  • IBM Lotus Domino 6.x
  • IBM Lotus Domino 7.x
  • IBM Lotus Domino Web Access (iNotes) 6.x
  • IBM Lotus Domino Web Access 7.x

Solution
It is strongly recommended that users upgrade Lotus Domino to version 6.5.6 or 7.0.2 Fix Pack 1.

References

Microsoft released Windows Server 2003 Service Pack 2

March 22, 2007

Q-CERT is aware of the release of Microsoft Windows Server 2003 Service Pack 2 (SP2). As Microsoft states, SP2 is a cumulative service pack that includes the latest updates and provides security enhancements. It is strongly recommended that users update their operating systems to the new service pack and keep their systems fully patched.

SP2 can be installed directly on the following operating systems:

  • Windows Server 2003 Editions (all 32-bit x86)
  • Windows Server 2003 R2 Editions
  • Windows Storage Server 2003 R2 Editions
  • Windows Small Business Server 2003 R2

More information about Windows Server 2003 SP2 can be found on the following page:

New release for Mozilla Firefox

March 22, 2007

Mozilla has released a new version of Firefox (2.0.0.3) that resolves security issues present in earlier versions. Users are advised to upgrade to the latest version. More information can be found at the link below.

Apple QuickTime Multiple Vulnerabilities

March 8, 2007

Problem
Apple QuickTime versions prior to 7.1.5 contain multiple vulnerabilities that may allow attackers to execute arbitrary code remotely. The vulnerabilities are due to QuickTime's failure to handle several image and media file formats correctly. Successful exploitation could occur when a user opens a specially crafted image or media file with a vulnerable version of QuickTime, either directly or through a web browser.

Solution
Apple has released QuickTime 7.1.5 to fix these problems. Users are strongly advised to upgrade via Apple Software Update.

Additional information

Mozilla Firefox and SeaMonkey Updates

March 8, 2007

Problem
Mozilla has released a security advisory addressing multiple vulnerabilities in Firefox 1.5.0.9 and 2.0.0.1 and in SeaMonkey 1.0.7. The vulnerabilities, rated critical, have impacts including remote code execution and cross-site scripting.

Solution
Users are strongly advised to update Firefox to version 2.0.0.2 and SeaMonkey to version 1.1.1.

Additional information

Microsoft Windows, Internet Explorer, and Adobe Flash Vulnerable

November 14, 2006

Problem
There are critical vulnerabilities in Microsoft Windows, Internet Explorer, and Adobe Flash Player that could allow an attacker to execute code on your system or cause a denial of service.

Solution
After reviewing Microsoft's November 2006 Security Bulletins, install the appropriate updates.

You can receive updates via the following sites:

Additional information

Mozilla Products Vulnerable

November 8, 2006

Problem
There are multiple vulnerabilities in the following products:

  • Mozilla SeaMonkey
  • Mozilla Firefox
  • Mozilla Thunderbird
  • Netscape web browser

These vulnerabilities could allow an attacker to perform actions such as executing code on your system or causing a denial of service.

Solution
These vulnerabilities are resolved in the following versions of the Mozilla products:

Additional information

Oracle Products Vulnerable

October 18, 2006

Problem
There are a variety of vulnerabilities in the following products:

  • Oracle10g Database
  • Oracle9i Database
  • Oracle8i Database
  • Oracle Application Express (formerly known as Oracle HTML DB)
  • Oracle Application Server 10g
  • Oracle Collaboration Suite 10g
  • Oracle9i Collaboration Suite
  • Oracle E-Business Suite Release 11i
  • Oracle E-Business Suite Release 11.0
  • Oracle Pharmaceutical Applications
  • Oracle PeopleSoft Enterprise Portal Solutions
  • Oracle PeopleSoft Enterprise PeopleTools
  • JD Edwards EnterpriseOne Tools
  • JD Edwards OneWorld Tools
  • Oracle Reports Developer client-only installations
  • Oracle Containers for J2EE client-only installations

These vulnerabilities could allow an attacker to perform actions such as executing code on your system, causing a denial of service, or accessing sensitive information.

Solution
Install the appropriate patches provided by Oracle in Critical Patch Update - October 2006. Review the pre-installation notes and patch readme files for a list of issues associated with the patches. A list of vulnerabilities addressed by these patches is available in the Map of Public Vulnerability to Advisory/Alert.

Vulnerabilities affecting Oracle Application Express are resolved in version 2.2.1.

Additional information

Microsoft Windows, Office, and Internet Explorer Vulnerable

October 10, 2006

Problem
There are critical vulnerabilities in Microsoft Windows, Office, and Internet Explorer. These vulnerabilities could allow an attacker to execute code on your system or cause a denial of service.

Microsoft has also discontinued support for Windows XP Service Pack 1 (SP1) as of October 10, 2006.

Solution
After reviewing Microsoft's October 2006 Security Bulletins, install the appropriate updates.

You can receive updates via the following sites:

Additional information

Apple and Adobe Products Vulnerable

October 2, 2006

Problem
There are a variety of vulnerabilities in the following products:

  • Apple Mac OS X version 10.3.9 and earlier (Panther)
  • Apple Mac OS X version 10.4.7 and earlier (Tiger)
  • Apple Mac OS X Server version 10.3.9 and earlier
  • Apple Mac OS X Server version 10.4.7 and earlier
  • Safari web browser
  • Adobe Flash Player 8.0.24 and earlier

These vulnerabilities could allow an attacker to perform actions such as executing commands on your system or causing a denial of service.

Solution
Install the appropriate update provided by Apple:

You can obtain updates via Apple downloads or Mac OS X: Updating your software.

Additional information