June 16, 2006 - Current Activity

Active Exploitation of a Vulnerability in Microsoft Excel

US-CERT is aware of active exploitation of a new vulnerability in Microsoft Excel. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the user running Excel.

More information about this vulnerability can be found in the following:

• Technical Cyber Security Alert: TA06-167A Microsoft Excel Vulnerability
• Vulnerability Note: VU#802324 - Microsoft Excel Vulnerability

We are continuing to investigate this vulnerability. US-CERT recommends the following actions to help mitigate the security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Limit user privileges to no administrator rights.
• Save and scan any attachments before opening them.

Additionally, US-CERT strongly encourages users not to open unfamiliar or unexpected email attachments, even if sent by a known and trusted source. Users may wish to read Cyber Security Tip ST04-010 for more information on working with email attachments.

FDIC Phishing Scam

US-CERT continues to receive reports of phishing scams that target online users. Recently, the phishing scam targeted the customers of Federal Deposit Insurance Company (FDIC) insured institutions.

Customers of FDIC institutions received a spoofed email message, which claims that their account is in violation of the Patriot Act, and that FDIC insurance has been removed from their account until their identity can be verified. The message provides a link to a malicious web site which prompts users to enter their customer account and identification information.

If you were affected by the FDIC phishing scam, please refer to the FDIC Consumer Alert for assistance.

US-CERT confirms that the federal agencies including Department of Homeland Security (DHS) mentioned in the fraudulent email have not sent out an email that requests customer account or identification information.

US-CERT encourages users to report phishing incidents based on the following guidelines:

• Federal Agencies should report phishing incidents to US-CERT.
• Non-federal agencies and other users should report phishing incidents to OnGuard Online, a consortium of Federal Agencies.

Additionally, users are encouraged to take the following measures to prevent phishing attacks from occurring:

1. Do not follow unsolicited web links received in email messages.
2. Contact your financial institution and file a complaint with the Federal Trade Commission (FTC) immediately if you believe your account or financial information has been compromised.
3. Review FTC's web site on how to protect yourself from identity theft.
4. Review the OnGuard Online practical tips to guard against Internet fraud, secure your computer, and protect your personal information.
5. Refer to the US-CERT Cyber Security Tip on Avoiding Social Engineering and Phishing Attacks.
6. Refer to the CERT Coordination Center document on understanding Spoofed/Forged Email.

Vulnerability in Symantec AntiVirus Software

US-CERT is aware of a buffer overflow vulnerability in Symantec Client Security and Symantec Antivirus Corporate Edition. Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges. We are not aware of any public exploits at this time.

More information about this vulnerability can be found in the following:

• Vulnerability Note: VU#404910 - Symantec products vulnerable to buffer overflow

• Symantec Advisory: SYM06-010 - Symantec Client Security and Symantec AntiVirus Elevation of Privilege

We will continue to update current activity as more information becomes available.

Active Exploitation of a Vulnerability in Microsoft Word

US-CERT is aware of an increase in activity attempting to exploit a vulnerability in Microsoft Word.

The exploit is disguised as an email attachment containing a Microsoft Word document. When the document is opened, malicious code is installed on the user's machine. The exploit then attempts to connect to a remote host.

More information about the reported vulnerability can be found in the following:

• Technical Cyber Security Alert: TA06-139A - Microsoft Word Vulnerability

• Vulnerability Note: VU#446012 - Microsoft Word buffer overflow

US-CERT recommends the following actions to mitigate the security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Block executable and unknown file types at the email gateway.
• Review the workarounds described in Microsoft Security Advisory 919637.

Additionally, US-CERT strongly encourages users not to open unfamiliar or unexpected email attachments, even if sent by a known and trusted source. Users may wish to read Cyber Security Tip ST04-010 for more information on working with email attachments.

We will continue to update current activity as more information becomes available.

Recent Data Theft of Veterans Affairs Data

US-CERT continues to receive reports of data theft that targets online users and Federal government web sites. Recently, Veteran Affairs data was stolen from the home computer system of a Veterans Affairs (VA) employee. This data contained large amounts of personally identifiable information, such as, names, social security numbers, and dates of birth. Over 26 million veterans and some spouses are affected by this incident.

The VA is continuing to investigate this issue and working to inform affected parties of this incident so that the appropriate steps can be taken to protect against this information being misused.

If you believe you may be affected by this incident or would like additional information, please refer to the Veterans Affairs web site.

Additionally, US-CERT recommends that users take the following measures to protect against data theft:

• Encrypt sensitive data on your local hard drive and back up mediums.
• Attend Security Awareness training to gain a better understanding of your organization's policies and procedures for handling sensitive data.
• Restrict access to sensitive data from Internet connected systems.

Public Exploit Code for Unpatched Vulnerability in Oracle

US-CERT is aware of publicly available, working exploit code for an unpatched vulnerability in Oracle Export Extensions. Successful exploitation may allow a remote attacker with some authentication credentials to execute arbitrary SQL statements with elevated privileges. This may allow an attacker to access and modify sensitive information within an Oracle database.

More information about this vulnerability can be found in the following:

• Vulnerability Note: VU#932124 - Oracle DBMS_EXPORT_EXTENSION package vulnerable to SQL injection

• Secunia Advisory: SA19860 - Oracle Database "DBMS_EXPORT_EXTENSION" Package SQL Injection

• Security Focus: Oracle Vulnerability Report

• Red Database Security: Oracle Exploit Report

US-CERT recommends the following actions to mitigate the security risks:

• Restrict access to Oracle:

  Only known and trusted users should be granted access to Oracle. Additionally, user accounts should be granted only those privileges needed to perform necessary tasks.

• Change login credentials for default Oracle accounts:

  Oracle creates numerous default accounts when it is installed. Upon installation, accounts that are not needed should be disabled and the login credentials for needed accounts should be changed.

We will continue to update current activity as more information becomes available.

Public Exploit Code for a Vulnerability in RealVNC Server

US-CERT is aware of publicly available exploit code for a vulnerability in RealVNC Server.

More information about the reported vulnerability can be found in the following:

• Vulnerability Note: VU#117929 - RealVNC Server does not validate client authentication method

US-CERT recommends the following actions to mitigate the security risks:

• Upgrade to the latest version: RealVNC Upgrades.

We will continue to update current activity as more information becomes available.

Public Exploit Code for a Vulnerability in Sendmail

US-CERT is aware of publicly available exploit code for a race condition vulnerability in Sendmail. US-CERT does not believe that this exploit code works at this time.

More information about the reported vulnerability can be found in the following:

• Technical Cyber Security Alert: TA06-081A - Sendmail Race Condition Vulnerability

• Vulnerability Note: VU#834865 - Sendmail contains a race condition

• Sendmail MTA Security Vulnerability Advisory

US-CERT recommends the following actions to mitigate the security risks:

• Upgrade to the latest version: Sendmail 8.13.6.
• Review the Sendmail MTA Security Vulnerability Advisory for steps to reduce the impact of this vulnerability.

We will continue to update current activity as more information becomes available.

Active Exploitation of Cross-site Scripting Vulnerability in eBay.com

US-CERT is aware of an active exploitation of a cross-site scripting vulnerability in the eBay website. Successful exploitation may allow an attacker to take various actions, including the following:

• Obtain sensitive data from stored cookies
• Redirect auction viewers to phishing sites where further disclosure of login credentials or personal information can occur
• Create auctions that use script to place login areas on the eBay website, where credentials may be sent to a remote server with malicious intent

More information about the reported vulnerability can be found in the following:

• CERT Advisory: CA-2000-02 - Malicious HTML Tags Embedded in Client Web Requests
• Vulnerability Note: VU#808921 - eBay contains a cross-site scripting vulnerability

Until a practical solution or more information becomes available, US-CERT recommends the following:

• Disable Scripting as specified in the Securing Your Web Browser document and the Malicious Web Scripts FAQ.
• Add "ebay.com" to the Restricted Sites zone in Internet Explorer.
• Validate web site addresses as described in the eBay Spoof Email Tutorial and Cyber Security Tip ST04-014.
• Validate web site certificates as described in Cyber Security Tip ST05-010.

We will continue to update current activity as more information becomes available.

Exploit for Vulnerability in Microsoft Internet Explorer

US-CERT is aware of an active exploitation of a vulnerability in the way Microsoft Internet Explorer handles certain DHTML methods. By persuading a user to access a specially crafted webpage, a remote, unauthenticated attacker may be able to execute arbitrary code on that user's system, or cause Internet Explorer to stop functioning.

More information about the reported vulnerability can be found in the following Vulnerability Note:

• VU#876678 - Microsoft Internet Explorer createTextRange() vulnerability

Known attack vectors for this vulnerability require that Active Scripting is enabled in Internet Explorer. Disabling Active Scripting will reduce the chances of exploitation.

US-CERT recommends the following:

• Apply the appropriate updates, patches, or fixes as prescribed in the Microsoft Security Bulletin MS06-013.
• Disable Active Scripting as specified in the Securing Your Web Browser document.
• Read and send email in plaintext format.
• Do not follow unsolicited links.
• Review the additional workarounds in the Microsoft Security Advisory 917077.
• Review Microsoft's recommendations to improve the safety of browsing and email activity.