  • February 16, 2006 - Current Activity

    This is an archived copy of current activity. If you would like to see the most recent version, please click here.

    Public Exploit Code for Buffer Overflow Vulnerability in Microsoft Windows Media Player
    Exploit for QueryInterface Vulnerability in Mozilla
    XML Injection and Code Execution Vulnerabilities in Mozilla Suite
    Active Exploit for Buffer Overflow Vulnerability in Winamp
    Nyxem Mass-mailing Worm
    Exploit for Vulnerability in VERITAS NetBackup Volume Manager Daemon
    Malicious Website Exploiting Sun Java Plug-in Vulnerability
    Exploit for Vulnerability in Microsoft Windows Metafile Handling



    Public Exploit Code for Buffer Overflow Vulnerability in Microsoft Windows Media Player
    added February 16, 2006

    US-CERT is aware of publicly available exploit code for a buffer overflow vulnerability in Windows Media Player. The vulnerability exists because Windows Media Player fails to properly validate bitmap image files. Exploitation may occur if a user takes any of the following actions:

    • Opens a specially crafted bitmap image file (.bmp) using Windows Media Player
    • Opens a Windows Media Metafile, such as an ASX file, that references a bitmap image file (.bmp)
    • Visits a specially crafted web page

    Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user.

    More information can be found in the following US-CERT Vulnerability Note:

    • VU#291396 - Microsoft Windows Media Player vulnerable to buffer overflow in bitmap processing routine

    US-CERT urges users and administrators to implement the following recommendations:

    • Apply appropriate updates as instructed in the Microsoft Security Bulletin MS06-005.
    • Review the workarounds listed in the Microsoft Security Bulletin MS06-005 to mitigate this vulnerability.

    Exploit for QueryInterface Vulnerability in Mozilla
    added February 7, 2006 | updated February 8, 2006

    US-CERT is aware of publicly available exploit code for a memory corruption vulnerability in the Mozilla Firefox web browser and Thunderbird mail client. If JavaScript is enabled in these applications, then the system is vulnerable to exploitation.

    A vulnerable system may be successfully exploited if a user is convinced to visit a specially crafted web page or open a specially crafted email. A remote, unauthenticated attacker may be able to execute arbitrary code on a compromised system. If the user has elevated privileges, then the attacker will be able to exploit them.

    More information can be found in the following US-CERT Vulnerability Note:

    • VU#759273 - Mozilla QueryInterface memory corruption vulnerability

    US-CERT urges users and administrators to implement the following recommendations:


    XML Injection and Code Execution Vulnerabilities in Mozilla Suite
    added February 3, 2006 | updated February 6, 2006

    US-CERT is aware of several vulnerabilities in Mozilla. Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary JavaScript commands with elevated privileges or cause a denial of service condition on a vulnerable system.

    More information can be found in the following US-CERT Vulnerability Note:

    • VU#592425 - Mozilla-based browsers fail to validate user input to the attribute name in "XULDocument.persist"

    US-CERT urges users and administrators to implement the following recommendations:


    Active Exploit for Buffer Overflow Vulnerability in Winamp
    added January 31, 2006 | updated February 6, 2006

    US-CERT is aware of active exploitation of a buffer overflow vulnerability in Winamp. The buffer overflow is triggered when Winamp processes a specially crafted playlist (.PLS or .M3U) file that has a long "file" parameter. By convincing a user to open a playlist file, a remote, unauthenticated attacker can execute arbitrary code on a vulnerable system. Winamp can open a playlist without any user interaction as the result of viewing a specially crafted web site.

    More information can be found in the following US-CERT Vulnerability Note:

    • VU#604745 - Winamp fails to properly handle playlists with long computer names
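A defender-side check for the condition described above, as an added example that is not part of the US-CERT text: it scans .PLS and .M3U playlists (for instance at a mail or web gateway) and reports oversized entries or UNC computer names. The two length limits and the sample playlists are assumptions constructed for this example; the advisory does not give a figure.

```python
import re

MAX_ENTRY_LEN = 260   # assumption: Windows MAX_PATH; the advisory gives no figure
MAX_HOST_LEN = 255    # assumption: longest valid DNS host name

_PLS_FILE = re.compile(r"^\s*(File\d+)\s*=(.*)$", re.IGNORECASE)
_UNC_HOST = re.compile(r"^\\\\([^\\/]*)")


def playlist_entries(name, text):
    """Yield (line_no, label, value) for each media reference in a playlist."""
    is_pls = name.lower().endswith(".pls")
    for no, line in enumerate(text.splitlines(), 1):
        if is_pls:
            m = _PLS_FILE.match(line)       # only FileN= keys carry a path or URL
            if m:
                yield no, m.group(1), m.group(2).strip()
        elif line.strip() and not line.lstrip().startswith("#"):
            yield no, "entry", line.strip()  # M3U: every non-comment line


def suspicious_entries(name, text):
    """Return (line_no, label, reason, length) for each oversized reference."""
    findings = []
    for no, label, value in playlist_entries(name, text):
        if len(value) > MAX_ENTRY_LEN:
            findings.append((no, label, "entry-too-long", len(value)))
        host = _UNC_HOST.match(value)        # \\computer\share\... form
        if host and len(host.group(1)) > MAX_HOST_LEN:
            findings.append((no, label, "unc-host-too-long", len(host.group(1))))
    return findings


# Constructed samples, not taken from any real playlist.
SAMPLE_PLS = "\n".join([
    "[playlist]",
    "NumberOfEntries=2",
    "File1=http://radio.example/stream",
    "File2=" + r"\\" + "A" * 400 + r"\share\x.mp3",
    "Version=2",
])
SAMPLE_M3U = "#EXTM3U\n#EXTINF:123,Song\nC:\\music\\song.mp3\n"

if __name__ == "__main__":
    print(suspicious_entries("station.pls", SAMPLE_PLS))
    print(suspicious_entries("album.m3u", SAMPLE_M3U))
```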

    US-CERT urges users and administrators to implement the following recommendations:


    Nyxem Mass-mailing Worm
    added January 24, 2006 | updated January 25, 2006

    US-CERT is aware of a new mass-mailing worm known as Nyxem (CME-24). This worm relies on social engineering to propagate. Specifically, the user must click on a link or open an attached file.

    The Nyxem worm targets Windows systems that hide file extensions for known file types (this is the default setting for Windows XP and possibly other versions). The worm's icon makes it appear to be a WinZip file. As a result, the user may unknowingly start the worm.

    Once a Windows system is infected, the malicious code may:

    • Attempt to harvest email addresses stored on the infected system
    • Utilize its own SMTP engine to send itself to the harvested email addresses
    • Disable anti-virus and file sharing programs
    • Spread itself using all available Windows network shares on the infected system
    • Modify the active Desktop

    In addition, on February 3, 2006, the worm will corrupt files and make them unusable by overwriting them with a small text message. The files with the following extensions are targeted on this date: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD, and DM.

    US-CERT strongly encourages users and system administrators to implement the following workarounds:

    • Install anti-virus software, and keep its virus signature files up-to-date
    • Block executable and unknown file types at the email gateway

    Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. Users may also wish to visit the US-CERT Computer Virus Resources for general virus protection information.


    Exploit for Vulnerability in VERITAS NetBackup Volume Manager Daemon
    added January 16, 2006

    US-CERT is aware of a public exploit for a vulnerability in VERITAS NetBackup Volume Manager Daemon (vmd). The VERITAS NetBackup vmd listens on network port 13701/tcp. An attacker could send a specially crafted packet to the Volume Manager on a vulnerable system to cause a buffer overflow or a denial-of-service condition. Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system with root or SYSTEM privileges.

    More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#574662 - VERITAS NetBackup library buffer overflow vulnerability

    US-CERT strongly encourages users and administrators to review the following mitigations to address this vulnerability as soon as possible:

    • Review the Symantec Advisory SYM05-024 and apply the recommended updates to address this vulnerability
    • Restrict access to the ports used by the NetBackup services

    Malicious Website Exploiting Sun Java Plug-in Vulnerability
    added January 12, 2006 | updated January 13, 2006

    US-CERT is aware of an active malicious website that exploits a vulnerability in the Sun Java Runtime Environment (JRE). The initial report led US-CERT to believe the website was exploiting VU#974188. After further analysis, it was determined that the actual vulnerability being exploited was VU#760344. This vulnerability allows a Java Applet to bypass Java security settings. Once these checks are bypassed, a remote attacker may be able to exploit this vulnerability to execute arbitrary code on the host machine.

    More information about these vulnerabilities can be found in the following US-CERT Vulnerability Notes:

    • VU#760344 - Sun Java Plug-in fails to restrict access to private Java packages
    • VU#974188 - Sun Java Runtime Environment "reflection" API privilege elevation vulnerabilities

    US-CERT strongly encourages users and administrators to review the following mitigations to address this vulnerability as soon as possible:

    • Upgrade to the latest JRE
    • Do not access Java Applets from untrusted sources
    • Disable Java support in web browsers

    Exploit for Vulnerability in Microsoft Windows Metafile Handling
    added December 28, 2005 | updated January 5, 2006

    US-CERT is aware of active exploitation of a vulnerability in how Microsoft Windows handles Windows Metafiles (".wmf"). Several variations of the WMF exploit file have been released that attempt to avoid detection by anti-virus software and intrusion detection and intrusion prevention systems.

    A Windows system may be compromised through several methods including:

    • Opening a specially crafted WMF file which may be masquerading as a MS Word or MS Office document
    • Opening a specially crafted WMF file which may be masquerading as a JPEG or other type of image file
    • Visiting a specially crafted web site
    • Placing a malicious WMF file in a location that is indexed by Google Desktop Search or other content indexing software
    • Viewing a folder that contains a malicious WMF file with Windows Explorer

    Once the vulnerability is exploited, a remote attacker may be able to perform any of the following malicious activities:

    • Execute arbitrary code
    • Cause a denial-of-service condition
    • Take complete control of a vulnerable system

    More information about this vulnerability can be found in the following:

    • US-CERT Vulnerability Note: VU#181038 - Microsoft Windows Metafile handler SETABORTPROC GDI Escape vulnerability
    • Technical Cyber Security Alert: TA06-005A - Update for Microsoft Windows Metafile Vulnerability
    • Cyber Security Alert: SA06-005A - Microsoft Windows Metafile Vulnerability

    Microsoft has released an update to address this vulnerability in Microsoft Security Bulletin MS06-001. US-CERT strongly encourages users and administrators to apply the appropriate updates as soon as possible.
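Because the WMF files described above may masquerade as JPEG or Office documents, filtering on the file extension is not enough. The following added example (not part of the US-CERT text) identifies WMF content by its header regardless of file name and flags any Escape record that uses the SETABORTPROC function named in VU#181038. The record and header constants follow the published WMF format; the file names and sample bytes are constructed for the example.

```python
import struct

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # optional 22-byte placeable header
META_ESCAPE = 0x0626                   # WMF record function number
SETABORTPROC = 0x0009                  # escape function named in VU#181038

def wmf_header_offset(data):
    """Offset of the 18-byte standard WMF header, or None if not a WMF."""
    off = 22 if data.startswith(PLACEABLE_MAGIC) else 0
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    ok = ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)
    return off if ok else None

def inspect(name, data):
    """Classify by content, ignoring what the file extension claims."""
    off = wmf_header_offset(data)
    if off is None:
        return "not-wmf"
    findings = []
    if not name.lower().endswith(".wmf"):
        findings.append("wmf-content-under-other-extension")
    pos = off + 18                     # records start after the header
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:             # malformed size: stop walking
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                findings.append("setabortproc-escape-record")
        pos += size_words * 2          # record size is counted in 16-bit words
    return ",".join(findings) or "wmf"

# Constructed samples (harmless: the escape record carries no data).
def _record(func, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
_EOF = _record(0x0000)
SAMPLES = {
    "logo.wmf": _HEADER + _record(0x0103, struct.pack("<H", 8)) + _EOF,
    "holiday.jpg": _HEADER + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)) + _EOF,
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", inspect(fname, blob))
```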