  • August 21, 2006 - Current Activity

    This is an archived copy of current activity. If you would like to see the most recent version, please click here.

    August 15 Public Exploit Code Being Used to Actively Exploit a Vulnerability in Microsoft Server Service
    August 8 Active Exploitation of a Vulnerability in Microsoft Server Service
    August 1 Multiple Vulnerabilities in Microsoft Internet Explorer 6.0
    July 14 Active Exploitation of a Vulnerability in Microsoft PowerPoint
    July 3 Public Exploit Code for Unpatched Vulnerabilities in Microsoft Internet Explorer
    June 22 Public Exploit Code for Unpatched Vulnerability in MS Office Hyperlink Object Library
    June 19 Active Exploitation of a Vulnerability in Microsoft Excel
    June 16 FDIC Phishing Scam



    Public Exploit Code Being Used to Actively Exploit a Vulnerability in Microsoft Server Service

    added August 10, 2006 | updated August 15, 2006

    In addition to the previously reported active exploitation of a vulnerability in Microsoft Server Service, US-CERT has received reports of automated attacks and bot activity involving systems that have not been patched against this vulnerability. Successful exploitation could allow an attacker to execute arbitrary code with SYSTEM privileges.

    US-CERT will continue to monitor this issue and provide additional information as it becomes available.

    US-CERT strongly recommends users and administrators apply the appropriate updates in Microsoft Security Bulletin MS06-040 as soon as possible.

    More information about this vulnerability can be found in Vulnerability Note VU#650769 and Technical Cyber Security Alert TA06-220A.


    Active Exploitation of a Vulnerability in Microsoft Server Service

    added August 8, 2006 | updated August 8, 2006

    US-CERT is aware of active exploitation of a buffer overflow vulnerability in the Microsoft Windows Server service. If a remote attacker sends a specially crafted packet to a vulnerable Windows system, that attacker may be able to execute arbitrary code with SYSTEM privileges.

    US-CERT recommends users and administrators apply the appropriate updates in Microsoft Security Bulletin MS06-040 as soon as possible.

    More information about this vulnerability can be found in Vulnerability Note VU#650769 and Technical Cyber Security Alert TA06-220A.

    Additionally, US-CERT strongly encourages users to review the Microsoft Security Bulletin Summary for August 2006 for additional information about vulnerabilities in Microsoft Windows, Office, Works, Visual Basic for Applications, and Internet Explorer.


    Multiple Vulnerabilities in Microsoft Internet Explorer 6.0

    added July 3, 2006 | updated August 1, 2006

    US-CERT is aware of multiple vulnerabilities in Microsoft Internet Explorer (IE) 6.0. US-CERT is also aware of a public blog that will be posting new web browser bugs on a daily basis in July. US-CERT will be analyzing relevant vulnerabilities, as well as actively monitoring the site to provide additional information as it becomes available.

    When available, more information about these vulnerabilities can be found in the following:

    • Vulnerability Note: VU#159220 - Microsoft Internet Explorer vulnerable to heap overflow via the HTML Help Control "Image" property

    Until an update, patch, or more information becomes available, US-CERT strongly recommends the following:

    We will continue to update current activity as more information becomes available.


    Active Exploitation of a Vulnerability in Microsoft PowerPoint

    added July 14, 2006

    US-CERT is aware of active exploitation of a new vulnerability in Microsoft PowerPoint. Successful exploitation could allow a remote attacker to execute arbitrary code with the privileges of the user running PowerPoint.

    When available, more information about this vulnerability can be found in the following:

    • Vulnerability Note: VU#936945 - Microsoft PowerPoint contains an unspecified remote code execution vulnerability

    Until an update, patch, or more information becomes available, US-CERT strongly recommends the following:

    • Do not open attachments from unsolicited email messages.
    • Install anti-virus software, and keep its virus signature files up-to-date.
    • Limit user privileges to no administrator rights.
    • Save and scan any attachments before opening them.

    US-CERT strongly encourages users not to open unfamiliar or unexpected email attachments, even if sent by a known and trusted source. Users may wish to read Cyber Security Tip ST04-010 for more information on working with email attachments.

    We will continue to update current activity as more information becomes available.


    Public Exploit Code for Unpatched Vulnerabilities in Microsoft Internet Explorer

    added June 28, 2006 | updated July 3, 2006

    US-CERT is aware of publicly available exploit code for two unpatched vulnerabilities in Microsoft Internet Explorer.

    We are tracking the first vulnerability as VU#655100. By persuading a user to double-click a file accessible through a file share such as SMB, a remote attacker may be able to execute arbitrary code with the privileges of the user.

    The second issue is a cross-domain violation vulnerability that is being tracked as VU#883108. Successful exploitation could allow a remote attacker to access the contents of a web page in another domain. This exploitation could lead to information disclosure, which may include harvesting user credentials.

    When available, more information about these vulnerabilities can be found in the following:

    • Vulnerability Note: VU#655100 - Microsoft Internet Explorer fails to properly handle CLSID extensions
    • Vulnerability Note: VU#883108 - Microsoft Internet Explorer HTML Document object cross-domain vulnerability

    Until an update, patch, or more information becomes available, US-CERT recommends the following:

    We will continue to update current activity as more information becomes available.


    Public Exploit Code for Unpatched Vulnerability in MS Office Hyperlink Object Library

    added June 21, 2006 | updated June 22, 2006

    US-CERT is aware of publicly available exploit code for an unpatched buffer overflow vulnerability in Microsoft Hyperlink Object Library (HLINK.DLL). By persuading a user to access a specially crafted hyperlink in an email message or MS Office document, a remote attacker may be able to execute arbitrary code with the privileges of the user.

    More information about this vulnerability can be found in the following:

    • Vulnerability Note: VU#394444 - Microsoft Hyperlink Object Library stack buffer overflow

    Until an update, patch, or more information becomes available, US-CERT recommends the following:

    • Do not follow unsolicited web links received in email messages or embedded in MS Office documents.

    We will continue to update current activity as more information becomes available.


    Active Exploitation of a Vulnerability in Microsoft Excel

    added June 16, 2006 | updated June 19, 2006

    US-CERT is aware of active exploitation of a new vulnerability in Microsoft Excel. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the user running Excel.

    More information about this vulnerability can be found in the following:

    • Technical Cyber Security Alert: TA06-167A Microsoft Excel Vulnerability
    • Vulnerability Note: VU#802324 - Microsoft Excel Vulnerability

    We are continuing to investigate this vulnerability. US-CERT recommends the following actions to help mitigate the security risks:

    • Install anti-virus software, and keep its virus signature files up-to-date.
    • Limit user privileges to no administrator rights.
    • Save and scan any attachments before opening them.
    • Review the workarounds described in Microsoft Security Advisory 921365.

    Additionally, US-CERT strongly encourages users not to open unfamiliar or unexpected email attachments, even if sent by a known and trusted source. Users may wish to read Cyber Security Tip ST04-010 for more information on working with email attachments.


    FDIC Phishing Scam

    added June 16, 2006

    US-CERT continues to receive reports of phishing scams that target online users. Recently, a phishing scam targeted the customers of Federal Deposit Insurance Company (FDIC) insured institutions.

    Customers of FDIC institutions received a spoofed email message, which claims that their account is in violation of the Patriot Act, and that FDIC insurance has been removed from their account until their identity can be verified. The message provides a link to a malicious web site which prompts users to enter their customer account and identification information.

    If you were affected by the FDIC phishing scam, please refer to the FDIC Consumer Alert for assistance.

    US-CERT confirms that the federal agencies mentioned in the fraudulent email, including the Department of Homeland Security (DHS), have not sent out an email that requests customer account or identification information.

    US-CERT encourages users to report phishing incidents based on the following guidelines:

    • Federal Agencies should report phishing incidents to US-CERT.
    • Non-federal agencies and other users should report phishing incidents to OnGuard Online, a consortium of Federal Agencies.

    Additionally, users are encouraged to take the following measures to prevent phishing attacks from occurring:

    1. Do not follow unsolicited web links received in email messages.
    2. Contact your financial institution and file a complaint with the Federal Trade Commission (FTC) immediately if you believe your account or financial information has been compromised.
    3. Review FTC's web site on how to protect yourself from identity theft.
    4. Review the OnGuard Online practical tips to guard against Internet fraud, secure your computer, and protect your personal information.
    5. Refer to the US-CERT Cyber Security Tip on Avoiding Social Engineering and Phishing Attacks.
    6. Refer to the CERT Coordination Center document on understanding Spoofed/Forged Email.