    September 13, 2005 - Current Activity

    This is an archived copy of Current Activity; the most recent version is available on the US-CERT web site.

    • Vulnerability in Cisco IOS Firewall Authentication Proxy (new)
    • Hurricane Katrina Spawns Phishing Sites
    • Multiple Vulnerabilities in the Computer Associates Message Queuing (CAM / CAFT) Software
    • Exploit for Vulnerability in Microsoft DDS Library Shape Control (msdds.dll) component
    • Zotob and Other Malware Exploiting Microsoft Plug and Play Vulnerability
    • Exploit for Vulnerability in VERITAS Backup Exec Remote Agent
    • Exploit for Vulnerability in Microsoft Plug and Play
    • Microsoft Publishes Multiple Security Bulletins
    • Scanning Activity on Port 6070/tcp
    • Vulnerability in Computer Associates BrightStor ARCserve Backup Agents
    • Cisco IOS Vulnerability
    • Exploits for Vulnerabilities in Mozilla
    • Vulnerability in Remote Desktop Protocol


    Vulnerability in Cisco IOS Firewall Authentication Proxy
    added September 8, 2005

    US-CERT is aware of a buffer overflow vulnerability in the Cisco IOS Firewall Authentication Proxy for FTP and Telnet sessions. If exploited, the vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition on the affected device. US-CERT is not aware of any public exploits at this time.

    More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#236045 - Cisco IOS Firewall Authentication Proxy vulnerable to buffer overflow via specially crafted user authentication credentials

    US-CERT urges users to review the fixes, updates, and workarounds described in the Cisco Security Advisory.


    Hurricane Katrina Spawns Phishing Sites
    added August 31, 2005

    US-CERT has received reports of multiple phishing sites that attempt to trick users into donating funds to fraudulent foundations in the aftermath of Hurricane Katrina. US-CERT warns users to expect an increase in targeted phishing emails due to recent events in the Gulf Coast Region.

    Phishing emails may appear to be requests from a charitable organization, asking the user to click on a link that leads to a fraudulent site impersonating a legitimate charity. The user is then asked to provide personal or financial information, which can expose them to further compromise.

    Users are encouraged to take the following measures to protect themselves from this type of phishing attack:

    1. Do not follow unsolicited web links received in email messages
    2. Contact your financial institution immediately if you believe your account and/or financial information has been compromised

    US-CERT strongly recommends that users consult the Federal Emergency Management Agency (FEMA) web site for a list of legitimate charities before donating.


    Multiple Vulnerabilities in the Computer Associates Message Queuing (CAM / CAFT) Software
    added August 23, 2005

    US-CERT is aware of multiple vulnerabilities in Computer Associates Message Queuing (CAM / CAFT) software. US-CERT is not aware of any public exploits at this time. If exploited, these vulnerabilities could allow a remote attacker to:

    • Execute arbitrary code on a vulnerable machine with elevated privileges
    • Execute arbitrary commands with elevated privileges
    • Cause a Denial of Service (DoS) condition

    Although there is limited information concerning these vulnerabilities, US-CERT encourages users to upgrade or install patches, as recommended by the Computer Associates Security Notice.


    Exploit for Vulnerability in Microsoft DDS Library Shape Control (msdds.dll) component
    added August 19, 2005 | updated August 19, 2005

    US-CERT is aware of a public exploit for a vulnerability in the Microsoft DDS Library Shape Control (msdds.dll) component, which comes with various Microsoft products such as Visual Studio .NET and Microsoft Office. Systems with Visual Studio .NET 2002, which installs msdds.dll version 7.0.9466.0, are vulnerable. Based on initial testing, msdds.dll version 7.10.3077.0 does not appear vulnerable. This version of the dll is installed with Office 2003 and Visual Studio .NET 2003. Although MS Office XP provides a vulnerable version of msdds.dll, it does not appear that IE will instantiate the COM object in question with the standard installation.

    By convincing a user to view an HTML document (e.g., a web page or an HTML email message) that attempts to instantiate the Microsoft DDS Library Shape Control COM object, a remote attacker could execute arbitrary code on the user's system with privileges of the user. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#740372 - Microsoft DDS Library Shape Control (msdds.dll) COM object contains an unspecified vulnerability

    This vulnerability has similar characteristics to the previously posted javaprxy.dll vulnerability (VU#939605). The underlying issue is that Internet Explorer will instantiate COM objects that were not designed as ActiveX controls when they are referenced from an HTML document; depending on the object, this can crash Internet Explorer or, as with msdds.dll, lead to arbitrary code execution. More information about this underlying issue can be found in the following US-CERT Vulnerability Note:

    • VU#680526 - Microsoft Internet Explorer allows non-ActiveX COM objects to be instantiated

    Until a patch is available to address this vulnerability, US-CERT strongly encourages users to review the workarounds section of Vulnerability Note (VU#740372). Additionally, Microsoft has published a Security Advisory about this issue and is continuing to investigate the problem.
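The static check below is an example added to this page; it is not US-CERT, Microsoft or vendor code. It scans an HTML document for <object> tags that reference a COM object by CLSID and reports any that appear on a deny list, which is how a mail gateway or web proxy could spot attempts to instantiate a control such as the DDS Library Shape Control while no patch is available, and it builds the registry entry for the Internet Explorer "kill bit" (the documented Compatibility Flags mechanism that stops IE from loading a given CLSID). The HTML and every CLSID in it are constructed placeholders, not the msdds.dll CLSID; substitute the identifiers from the Microsoft Security Advisory.

```python
"""Spot HTML that instantiates COM objects by CLSID, and build the kill-bit entry.

Added example for this page; not US-CERT, Microsoft or vendor code. The HTML
below and every CLSID in it are constructed placeholders, not the identifier
of msdds.dll or of any other real control.
"""
from html.parser import HTMLParser
import re

# Accepts "clsid:" followed by a GUID, with or without braces, in any case.
CLSID_RE = re.compile(
    r"^\s*clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?\s*$", re.I)

# "Compatibility Flags" value that tells Internet Explorer never to load a
# control (the kill bit); the per-CLSID key lives under this HKLM path.
KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def normalize_clsid(value):
    """Return the bare upper-case GUID from an OBJECT classid value, or None."""
    m = CLSID_RE.match(value or "")
    return m.group(1).upper() if m else None


class ObjectTagCollector(HTMLParser):
    """Collects the CLSID of every <object classid="clsid:..."> in the document."""

    def __init__(self):
        super().__init__()
        self.clsids = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":  # HTMLParser lower-cases tag and attribute names
            return
        for name, value in attrs:
            if name == "classid":
                clsid = normalize_clsid(value)
                if clsid:
                    self.clsids.append(clsid)


def find_blocked_objects(html, denylist):
    """Return the sorted, de-duplicated CLSIDs in html that are on denylist.

    Only markup is inspected: an object created from script (for example via
    document.write) is invisible to this check, so a clean result means
    "nothing found", not "nothing there".
    """
    collector = ObjectTagCollector()
    collector.feed(html)
    collector.close()
    deny = {normalize_clsid("clsid:" + c) for c in denylist} - {None}
    return sorted(set(collector.clsids) & deny)


def kill_bit_entry(clsid):
    """Return (registry key, value name, DWORD value) that disables clsid in IE."""
    guid = normalize_clsid("clsid:" + clsid)
    if guid is None:
        raise ValueError("not a CLSID: %r" % clsid)
    return (ACTIVEX_COMPAT_KEY + "\\{" + guid + "}", "Compatibility Flags", KILL_BIT)


# Constructed placeholder identifiers (not real CLSIDs).
PLACEHOLDER_CLSID = "11111111-2222-3333-4444-555555555555"
DENYLIST = [PLACEHOLDER_CLSID]

# Constructed sample page: the blocked CLSID written two ways, plus one
# object that is not on the deny list.
SAMPLE_HTML = """
<html><body>
<object classid="clsid:{11111111-2222-3333-4444-555555555555}"></object>
<OBJECT CLASSID='CLSID:11111111-2222-3333-4444-555555555555'></OBJECT>
<object classid="clsid:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"></object>
</body></html>
"""

if __name__ == "__main__":
    for clsid in find_blocked_objects(SAMPLE_HTML, DENYLIST):
        key, name, flags = kill_bit_entry(clsid)
        print("blocked object %s -> set %s\\%s = 0x%08x" % (clsid, key, name, flags))
```

The normalization step matters in practice: the same object can be written with or without braces and in either case, and a deny list compared as raw strings would miss the variants. Setting the kill bit is the workaround that survives the user opening the page; filtering at the gateway only catches documents that pass through it.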


    Zotob and Other Malware Exploiting Microsoft Plug and Play Vulnerability
    added August 14, 2005 | updated August 24, 2005

    US-CERT has seen reports of multiple families of malicious code that take advantage of the vulnerability described in VU#998653 (MS05-039). This includes, but is not limited to, several variants of the Zotob worm and other malware including the W32/Rbot and W32/SDBot families of malicious code.

    Currently, the malware scans for vulnerable systems on port 445/tcp. Once infected, a compromised host scans and attempts to exploit other systems at randomly generated IP addresses. The functionality has evolved within the Zotob family, and with the addition of other malware families the scope of attack may expand to include:

    • Spyware functionality (key logging, video and audio capture, screen captures)
    • Data theft (authentication credentials, CD keys for popular applications)
    • Mass mailing

    While the primary attack target is the Plug and Play vulnerability on Windows 2000 systems, Windows XP and Windows Server 2003 are also exposed to the Plug and Play vulnerability under more limited circumstances. Microsoft has published Security Advisories that provide guidance on Zotob and its variants and that describe those limited circumstances in their "Mitigating Factors" sections.

    Once a system is compromised by any of the malicious code listed above, the malware may exploit additional vulnerabilities across multiple operating systems (including Windows XP and Server 2003) to install itself on further systems. More information on the vulnerability is available in the following US-CERT Vulnerability Note:

    • VU#998653 - Microsoft Plug and Play contains a buffer overflow vulnerability

    Microsoft has also published additional information concerning Zotob and the actions users can take now.

    US-CERT urges users to apply the update described in Microsoft Security Bulletin MS05-039. If users are unable to apply the update, Microsoft provides several workarounds that may help to protect against known attacks on this vulnerability. For more information on computer viruses, please refer to our Computer Virus Resources document.


    Exploit for Vulnerability in VERITAS Backup Exec Remote Agent
    added August 12, 2005

    US-CERT is aware of a public exploit for a vulnerability in VERITAS Backup Exec Remote Agent for Windows Servers. The agent accepts a set of hard-coded authentication credentials (see TA05-224A below), and the exploit uses them to retrieve arbitrary files from the system. The VERITAS Backup Exec Remote Agent listens on network port 10000/tcp.

    US-CERT is aware of reports that this vulnerability is being actively exploited. US-CERT has also seen reports of increased scanning activity on port 10000/tcp. This increase is believed to be attempts to locate vulnerable systems running the VERITAS Backup Exec Software. More information about this vulnerability can be found in US-CERT Technical Cyber Security Alert:

    • TA05-224A - VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

    Please refer to TA05-224A for information on solutions and workarounds that mitigate this vulnerability.


    Exploit for Vulnerability in Microsoft Plug and Play
    added August 12, 2005 | updated August 15, 2005

    US-CERT is aware of a public exploit for a vulnerability in Microsoft Plug and Play that could allow an attacker to locally or remotely execute arbitrary code or cause a denial-of-service condition on a vulnerable system.

    The exploit code targets Windows systems by connecting to the NetBIOS/SMB ports 139/tcp or 445/tcp on a vulnerable system. A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#998653 - Microsoft Plug and Play contains a buffer overflow vulnerability

    Microsoft has released a patch to address this vulnerability in Microsoft Security Bulletin MS05-039. Administrators are encouraged to apply the appropriate fixes as soon as possible.


    Microsoft Publishes Multiple Security Bulletins
    added August 9, 2005

    US-CERT is aware of six Microsoft Security Bulletins issued today that describe several vulnerabilities in various Microsoft products. Public exploit code is available for several of these vulnerabilities.

    The reported vulnerabilities range in severity from low to critical. If exploited, the critical vulnerabilities could allow a remote attacker to execute arbitrary code on the user's system. More information is available in the corresponding US-CERT Technical Cyber Security Alert.

    US-CERT encourages Microsoft users to apply patches that are available on the Microsoft website.


    Scanning Activity on Port 6070/tcp
    added August 4, 2005

    US-CERT has seen reports indicating an increase in scanning activity of port 6070/tcp. This port is used by Computer Associates BrightStor ARCserve.

    Recently, Computer Associates released security advisory (Vulnerability ID: 33239) describing a vulnerability in BrightStor ARCserve. Since this time exploits have been published that take advantage of this vulnerability. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#279774 - Computer Associates BrightStor ARCserve Backup Agents vulnerable to buffer overflow

    While reports of successful system compromises using this vulnerability have not been confirmed, US-CERT encourages BrightStor ARCserve users to upgrade or install patches, as recommended in the Computer Associates vulnerability description.
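The block below is an example added here, not US-CERT code, and it serves three entries on this page at once: the Zotob entry (scanning on 445/tcp toward randomly generated addresses), the VERITAS entry (increased scanning on 10000/tcp) and this 6070/tcp entry. It runs a fan-out check over firewall log lines and flags any source that reaches many distinct destinations on one of those ports, which is the signature of a worm or a scanner rather than of a client that talks to the same few servers repeatedly. The log format, the sample lines and the threshold are assumptions made for the example.

```python
"""Flag hosts fanning out to many destinations on ports the entries above name.

Added example for this page, not US-CERT code. The log format and every log
line below are constructed; the watched ports come from the entries on this
page: 445/tcp (Zotob and the MS05-039 exploit), 10000/tcp (VERITAS Backup
Exec Remote Agent) and 6070/tcp (BrightStor ARCserve).
"""
from collections import defaultdict
import re

WATCHED_PORTS = {
    445: "Microsoft Plug and Play (MS05-039) / Zotob",
    10000: "VERITAS Backup Exec Remote Agent",
    6070: "CA BrightStor ARCserve Backup Agents",
}

# Assumed (constructed) firewall log line:
#   <timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]}


def find_scanners(lines, threshold=8):
    """Return {(src, dport): distinct destination count} for sources at or above threshold.

    A worm probing randomly generated addresses reaches many distinct hosts from
    one source on one port, whereas a legitimate backup client talks to a few
    agents repeatedly. Counting distinct destinations rather than packets keeps
    the chatty-but-legitimate client below the threshold.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in WATCHED_PORTS:
            continue
        targets[(rec["src"], rec["dport"])].add(rec["dst"])
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= threshold}


def report(lines, threshold=8):
    """Human-readable lines, one per flagged (source, port) pair."""
    return ["%s probed %d hosts on %d/tcp (%s)" % (src, n, port, WATCHED_PORTS[port])
            for (src, port), n in sorted(find_scanners(lines, threshold).items())]


# Constructed sample log.
SAMPLE_LOG = (
    # one internal host sweeping 445/tcp across twelve addresses (worm-like)
    ["2005-08-15T10:00:%02d tcp 10.0.5.23:%d -> 192.168.%d.%d:445 drop"
     % (i, 3000 + i, i, (i * 37) % 256) for i in range(12)]
    # a backup server talking twenty times to the same three agents on 10000/tcp (benign)
    + ["2005-08-15T10:01:%02d tcp 10.0.1.10:%d -> 10.0.2.%d:10000 allow"
       % (i, 4000 + i, 1 + i % 3) for i in range(20)]
    # a second host sweeping nine addresses on 6070/tcp
    + ["2005-08-15T10:02:%02d tcp 172.16.9.4:%d -> 10.0.3.%d:6070 drop"
       % (i, 5000 + i, 1 + i) for i in range(9)]
    # unrelated traffic and a malformed line the parser must ignore
    + ["2005-08-15T10:03:00 tcp 10.0.7.7:51000 -> 10.0.0.1:80 allow", "garbage line"]
)

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The backup server in the sample generates more log lines than either scanner but is never flagged, because the rule counts distinct destinations; a packet-count rule would page on every nightly backup window. Tune the threshold to the size of the subnet a legitimate client is expected to reach.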


    Vulnerability in Computer Associates BrightStor ARCserve Backup Agents
    added August 3, 2005

    US-CERT is aware of a new Computer Associates BrightStor ARCserve Backup Agents vulnerability. If exploited, the vulnerability could allow a remote attacker to execute arbitrary code on a vulnerable machine with SYSTEM privileges. Public exploits are available. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#279774 - Computer Associates BrightStor ARCserve Backup Agents vulnerable to buffer overflow

    Although there is limited information concerning the vulnerability, US-CERT encourages BrightStor ARCserve users to upgrade or install patches, as recommended in the Computer Associates vulnerability description.


    Cisco IOS Vulnerability
    added July 27, 2005 | updated July 29, 2005

    A presentation at the 2005 Black Hat Conference demonstrated proof-of-concept exploit code that targeted a vulnerability affecting Cisco IOS. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#930892 - Cisco IOS vulnerable to DoS or arbitrary code execution via specially crafted IPv6 packet

    All readers are encouraged to review the fixes, updates, and workarounds described in the Cisco Security Advisory.


    Exploits for Vulnerabilities in Mozilla
    added July 14, 2005 | updated July 25, 2005

    US-CERT is aware of several new Mozilla Suite and Mozilla Firefox vulnerabilities, some of which have public exploits available. The vulnerabilities range in severity from moderate to critical. If exploited, the critical vulnerabilities could allow a remote attacker to execute arbitrary commands on the user's system with the privileges of the user running the vulnerable browser.

    Although there is limited information concerning several of these vulnerabilities, US-CERT encourages Firefox users to upgrade to version 1.0.5 and Mozilla Suite users to upgrade to version 1.7.10 as soon as possible.


    Vulnerability in Remote Desktop Protocol
    added July 18, 2005

    US-CERT is aware of a vulnerability in Microsoft's Remote Desktop Protocol (RDP). Services that utilize the Remote Desktop Protocol (e.g., Terminal Services, Remote Desktop, Remote Assistance) could be affected.

    By sending a specially crafted RDP request, a remote attacker could cause a denial-of-service condition on an affected system. US-CERT has no evidence of successful exploitation of this vulnerability. With the exception of Windows XP Media Center Edition, services that utilize the Remote Desktop Protocol are not enabled by default.

    Microsoft has published a Security Advisory about this issue and is continuing to investigate the problem. Until a patch is available to address this vulnerability, US-CERT strongly encourages users to review the workarounds section of the Microsoft Security Advisory.