September 30, 2005 - Current Activity

US-CERT is aware of publicly available exploit code for a format string vulnerability in the Helix Player. Please note that this vulnerability affects all media players based on the Helix Player, such as Real Player on UNIX/LINUX systems. The vulnerability exists in the way Helix Player handles certain media files. A remote attacker who is able to convince a user to view a specially crafted media file, may be able to execute arbitrary code with the privileges of the Helix Player process.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

• VU#361181 - Helix Player format string vulnerability

Until a patch is available to address this vulnerability, US-CERT strongly encourages users to review the workarounds section of the Vulnerability Note (VU#361181).

US-CERT is aware of public exploit code for a buffer overflow vulnerability in Mozilla products, including the Mozilla Suite, and Mozilla Firefox. The vulnerability exists in the way Mozilla products handle URIs containing certain IDN encoded hostnames. A remote attacker who is able to convince a user to view a specially crafted HTML document may be able to execute arbitrary code with the privileges of the user running the vulnerable application.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

• VU#573857 - Mozilla-based browsers contain a buffer overflow in handling URIs containing a malformed IDN hostname

US-CERT encourages Mozilla users to upgrade to version 1.0.7 and Mozilla Suite users to upgrade to version 1.7.12 as soon as possible.

US-CERT is aware of a buffer overflow vulnerability in Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions. If exploited, the vulnerability could allow a remote unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition on the affected system. We are not aware of any public exploits at this time.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

• VU#236045 - Cisco IOS Firewall Authentication Proxy vulnerable to buffer overflow via specially crafted user authentication credentials

US-CERT urges users to review the fixes, updates, and workarounds described in the Cisco Security Advisory.

US-CERT warns users to expect an increase in targeted phishing emails due to recent events such as Hurricane Katrina and Hurricane Rita. US-CERT has received reports of multiple phishing sites that attempt to trick users into donating funds to fraudulent foundations in the aftermath of Hurricane Katrina. US-CERT expects to see the same type of malicious activity during the aftermath of Hurricane Rita.

Phishing emails may appear as requests from a charitable organization asking the users to click on a link that will then take them to a fraudulent site that appears to be a legitimate charity. The users are then asked to provide personal information that can further expose them to future compromises.

Users are encouraged to take the following measures to protect themselves from this type of phishing attack:

1. Do not follow unsolicited web links received in email messages
2. Contact your financial institution immediately if you believe your account/and or financial information has been compromised

US-CERT strongly recommends that all users reference the Federal Emergency Management Agency (FEMA) web site for a list of legitimate charities to donate to their charity of choice.

US-CERT is aware of a public exploit for a vulnerability in the Microsoft DDS Library Shape Control (msdds.dll) component, which comes with various Microsoft products such as Visual Studio .NET and Microsoft Office. Systems with Visual Studio .NET 2002, which installs msdds.dll version 7.0.9466.0, are vulnerable. Based on initial testing, msdds.dll version 7.10.3077.0 does not appear vulnerable. This version of the dll is installed with Office 2003 and Visual Studio .NET 2003. Although MS Office XP provides a vulnerable version of msdds.dll, it does not appear that IE will instantiate the COM object in question with the standard installation.

By convincing a user to view an HTML document (e.g., a web page or an HTML email message) that attempts to instantiate the Microsoft DDS Library Shape Control COM object, a remote attacker could execute arbitrary code on the user's system with privileges of the user. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

• VU#740372 - Microsoft DDS Library Shape Control (msdds.dll) COM object contains an unspecified vulnerability

This vulnerability has similar characteristics to the previously posted javaprxy.dll vulnerability (VU#939605). The underlying vulnerability is that Internet Explorer will instantiate non-ActiveX COM objects that are referenced in an HTML document. This can cause Internet Explorer to crash. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

• VU#680526 - Microsoft Internet Explorer allows non-ActiveX COM objects to be instantiated

Until a patch is available to address this vulnerability, US-CERT strongly encourages users to review the workarounds section of Vulnerability Note (VU#740372). Additionally, Microsoft has published a Security Advisory about this issue and is continuing to investigate the problem.

US-CERT has seen reports of multiple families of malicious code that take advantage of the vulnerability described in VU#998653 (MS05-039). This includes, but is not limited to, several variants of the Zotob worm and other malware including the W32/Rbot and W32/SDBot families of malicious code.

Currently, the malware scans for vulnerable systems on port 445/tcp. Upon infection a compromised host will attempt to scan and exploit other systems at randomly generated IP addresses. The functionality has evolved within the Zotob family and with the addition of other malware families, the scope of attack may expand to include:

• Spyware functionality (key logging, video, audio screen captures)
• Data theft (authentication credentials, CD Keys to popular applications)
• Mass mailing

While the primary attack target is the Plug and Play vulnerability on Windows 2000 systems, Windows XP and Windows Server 2003 are also exposed to the Plug and Play vulnerability under more limited circumstances. Microsoft has published Security Advisories that provide guidance on Zotob and its variants, as well as information on the limited circumstances in the "Mitigating Factors" sections of the following Microsoft Security Advisories:

• Microsoft Security Advisory (899588) - Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
• Microsoft Security Advisory (906574) - Clarification of Simple File Sharing and ForceGuest

Once a system is compromised with any of the above listed malicious code, additional vulnerabilities may be exploited across multiple operating systems (including Windows XP and Server 2003) to get malicious code installed on a system. More information on the vulnerability is available in the following US-CERT Vulnerability Note:

• VU#998653 - Microsoft Plug and Play contains a buffer overflow vulnerability

Microsoft has also published some additional information concerning Zotob and what actions users can take now. For more information, please refer to the following Microsoft document:

• What You Should Know About Zotob

US-CERT urges users to apply the update described in Microsoft Security Bulletin MS05-039. If users are unable to apply the update, Microsoft provides several workarounds that may help to protect against known attacks on this vulnerability. For more information on computer viruses, please refer to our Computer Virus Resources document.

US-CERT is aware of a public exploit for a vulnerability in VERITAS Backup Exec Remote Agent for Windows Servers. This exploit may allow a remote attacker to retrieve arbitrary files on a system. The VERITAS Backup Exec Remote Agent listens on network port 10000/tcp.

US-CERT is aware of reports that this vulnerability is being actively exploited. US-CERT has also seen reports of increased scanning activity on port 10000/tcp. This increase is believed to be attempts to locate vulnerable systems running the VERITAS Backup Exec Software. More information about this vulnerability can be found in US-CERT Technical Cyber Security Alert:

• TA05-224A - VERITAS Backup Exec Uses Hard-Coded Authentication Credentials

Please refer to TA05-224A for information on solutions and workarounds to mitigate against this vulnerability.

US-CERT is aware of a public exploit for a vulnerability in Microsoft Plug and Play that could allow an attacker to locally or remotely execute arbitrary code or cause a denial-of-service condition on a vulnerable system.

The exploit code targets Windows systems by connecting to NetBIOS ports 139/tcp or 445/tcp on a vulnerable system. A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

• VU#998653 - Microsoft Plug and Play contains a buffer overflow vulnerability

Microsoft has released a patch to address this vulnerability in Microsoft Security Bulletin MS05-039. Administrators are encouraged to apply the appropriate fixes as soon as possible.