  • January 15, 2007 - Current Activity

    This is an archived copy of current activity. If you would like to see the most recent version, please click here.

    January 15 Oracle Issues Pre-Release Announcement for January Critical Patch Update
    January 12 Active Exploitation of Vulnerability in CA BrightStor ARCserve Backup
    January 10 Exploit Code Available for Multiple Vulnerabilities in Sun Java Runtime Environment
    January 9 Multiple Vulnerabilities in Kerberos Administration Daemon
    January 9 Microsoft Releases January Security Bulletin
    January 8 Multiple Vulnerabilities in Cisco Secure ACS
    January 4 Cross-Site Scripting Vulnerability in Adobe Acrobat Plug-In
    January 3 IRS Phishing Scam and Identity Theft
    January 3 Proof-of-Concept Code for a Vulnerability in Apple QuickTime
    December 27 Public Exploit Code Available for DoS Vulnerability in Microsoft Windows Workstation
    December 26 Proof-of-Concept Code for Vulnerability in Microsoft Windows
    December 21 Mozilla Releases Security Advisories to Address Multiple Vulnerabilities
    December 19 Microsoft Publishes New Information on the Three Word Vulnerabilities



    Oracle Issues Pre-Release Announcement for January Critical Patch Update

    added January 15, 2007

    Oracle has issued a Pre-Release Announcement indicating that their January Critical Patch Update (CPU) will contain over 50 new security fixes across all products, some of which have a maximum severity rating of High. The announcement further states that twenty-seven of the security fixes are for Oracle Database; twelve for Oracle Application Server; seven for Oracle E-Business Suite; six for Oracle Enterprise Manager; and three for Oracle PeopleSoft Enterprise. The release is scheduled for Tuesday, January 16, 2007.

    We will provide additional information as it becomes available.


    Active Exploitation of Vulnerability in CA BrightStor ARCserve Backup

    added January 12, 2007

    US-CERT is aware of active exploitation of a vulnerability in the Computer Associates BrightStor ARCserve Backup software product. There is a flaw in the way BrightStor ARCserve Backup handles malformed RPC requests.

    Additionally, US-CERT has received reports of increased port scan activity on port 6502/tcp. An attacker may be able to access a vulnerable version of the BrightStor ARCserve Backup on this port. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

    More information about this vulnerability and related ones can be found in the Vulnerability Notes Database.

    US-CERT encourages users and administrators to take the following actions to help mitigate the security risks:

    • Apply the available updates as soon as possible.
    • Restrict access to ports 6502/tcp, 6503/tcp and 6504/tcp to trusted hosts only.

    Exploit Code Available for Multiple Vulnerabilities in Sun Java Runtime Environment

    added January 10, 2007

    US-CERT is aware of publicly available exploit code for multiple vulnerabilities in Sun Java Runtime Environment (JRE). There are several flaws in the JRE that may allow an untrusted Java Applet to elevate its privileges or execute malicious code. If successfully exploited, a remote, unauthenticated attacker may be able to execute arbitrary code with elevated privileges.

    More information about these vulnerabilities can be found in the Vulnerability Notes Database.

    US-CERT encourages users to take the following actions to help mitigate the effects of these vulnerabilities:

    • Upgrade to patched versions for impacted Sun products as specified in Sunsolve Documents: 102729 and 102731.
    • Disable Java as specified in the Securing Your Web Browser document until updates can be applied.

    Multiple Vulnerabilities in Kerberos Administration Daemon

    added January 9, 2007

    US-CERT is aware of multiple vulnerabilities in the Kerberos administration daemon. The impacts of these vulnerabilities include remote code execution or denial of service on a vulnerable system.

    There are several vulnerabilities related to the way memory management is handled by the Generic Security Services Application Program Interface (GSS-API) and Remote Procedure Call (RPC) library provided with MIT Kerberos (krb5) distribution. By sending specially crafted packets to a vulnerable system, a remote, unauthenticated attacker may be able to execute arbitrary code or crash the Kerberos administration daemon.

    More information about these vulnerabilities can be found in the following:

    • Vulnerability Note VU#481564 - Kerberos administration daemon fails to properly initialize function pointers
    • MIT krb5 Security Advisory 2006-002
    • Vulnerability Note VU#831452 - Kerberos administration daemon may free uninitialized pointers
    • MIT krb5 Security Advisory 2006-003

    US-CERT encourages users and administrators to apply the patches as described in both the MIT krb5 Security Advisories 2006-002 and 2006-003 to address these vulnerabilities.


    Microsoft Releases January Security Bulletin

    added January 9, 2007 | updated January 9, 2007

    Microsoft has released updates to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for January 2007.

    Microsoft indicates that the buffer overflow vulnerability in Vector Markup Language (VU#122084) is being actively exploited.

    US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

    Additionally, more information about these vulnerabilities can be found in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-009A.


    Multiple Vulnerabilities in Cisco Secure ACS

    added January 8, 2007

    US-CERT is aware of multiple vulnerabilities in Cisco Secure Access Control Server (ACS). The impacts of these vulnerabilities include remote code execution and denial of service on a vulnerable system.

    The first issue is a stack-based buffer overflow vulnerability in the CSAdmin service. There is a flaw in the way specially crafted HTTP GET requests are processed. If successfully exploited, a remote attacker may be able to execute arbitrary code or crash the CSAdmin service.

    The second issue is a stack-based buffer overflow vulnerability in the CSRadius service. There is a flaw in the way specially crafted RADIUS Accounting-Request packets are processed. If successfully exploited, a remote attacker with a RADIUS secret key may be able to execute arbitrary code or crash the CSRadius service.

    The third issue is due to multiple unspecified flaws in the way specially crafted RADIUS Access-Request packets are processed. If successfully exploited, a remote attacker may be able to crash the CSRadius service.

    The products affected by these vulnerabilities are Cisco Secure Access Control Server for Windows, and Cisco Secure Access Control Server Solution Engine running software versions 4.1 and prior.

    More information about this vulnerability can be found in the following:

    US-CERT encourages users to take the following actions to help mitigate the security risks:

    • Apply the patches or upgrade to the latest release of Cisco Secure ACS as described in the Cisco advisory.

    US-CERT will continue to investigate and provide additional information as it becomes available.


    Cross-Site Scripting Vulnerability in Adobe Acrobat Plug-In

    added January 4, 2007

    US-CERT is aware of a cross-site scripting vulnerability in the Adobe Acrobat Plug-In. The Adobe Acrobat Plug-In allows users to view PDF files inside of a web browser. The Adobe Acrobat Plug-In fails to properly validate URI parameters for JavaScript code. This allows user-supplied JavaScript to execute within the context of the web site hosting the PDF file causing a cross-site scripting vulnerability.

    More information about this vulnerability can be found in the following:

    • Vulnerability Note VU#815960 - Adobe Acrobat Plug-In cross domain violation

    US-CERT encourages users to upgrade to the latest release of Adobe Acrobat Reader as soon as possible.

    If unable to upgrade, then US-CERT recommends that users take the following actions to help mitigate the security risks:

    • Disable the displaying of PDF documents in the web browser.
    • Disable JavaScript as specified in the Securing Your Web Browser document.

    Note: Any website that hosts a PDF file may be used as an attack vector or launch point to exploit this vulnerability. Web site and network administrators may wish to filter JavaScript in URLs both entering and leaving the network to prevent their websites from being leveraged in attacks. Information on how to filter JavaScript out of URLs is available in VU#815960.


    IRS Phishing Scam and Identity Theft

    added January 3, 2007

    US-CERT continues to receive reports of phishing scams that target online users. Most recently, users have reported receiving emails that appear to be from the Internal Revenue Service (IRS). The phishing email claims to offer a tax refund and requests users to click on a link to provide personal and possibly sensitive information. Identity thieves could use this information to further compromise unsuspecting victims.

    A spokesperson for the IRS has confirmed that they do not solicit anything by email.

    US-CERT reminds users to remain cautious when receiving unsolicited email that could be a potential phishing email. US-CERT encourages users to report phishing incidents based on the following guidelines:

    • Federal agencies should report phishing incidents to US-CERT.
    • Non-federal agencies and other users should refer to OnGuard Online, a consortium of federal agencies, for information on reporting phishing incidents.

    Additionally, users are encouraged to take the following measures to prevent phishing attacks from occurring:

    1. Do not follow unsolicited web links received in email messages.
    2. Contact your financial institution and file a complaint with the Federal Trade Commission (FTC) immediately if you believe your account or financial information has been compromised.
    3. Review FTC's web site on how to protect yourself from identity theft.
    4. Review the OnGuard Online practical tips to guard against Internet fraud, secure your computer, and protect your personal information.
    5. Refer to the US-CERT Cyber Security Tip on Avoiding Social Engineering and Phishing Attacks.
    6. Refer to the CERT Coordination Center document on understanding Spoofed/Forged Email.

    Proof-of-Concept Code for a Vulnerability in Apple QuickTime

    added January 2, 2007 | updated January 3, 2007

    US-CERT is aware of proof-of-concept code for a buffer overflow vulnerability in Apple QuickTime. The flaw is in the way that QuickTime handles Real Time Streaming Protocol (RTSP) URL strings. By persuading a user to access a specially crafted QuickTime file, a remote attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.

    Note: Apple iTunes installations are also affected by this vulnerability.

    More information about this vulnerability can be found in the following:

    • Vulnerability Note VU#442497 - Apple QuickTime RTSP buffer overflow

    Until a security fix or more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

    • Do not access QTL files from untrusted sources.
    • Disable file association for QTL files.
    • Refer to the Securing Your Web Browser document to implement the following workarounds:
      • Disable QuickTime in your web browser.
      • Disable JavaScript.

    Public Exploit Code Available for DoS Vulnerability in Microsoft Windows Workstation

    added December 27, 2006

    US-CERT is aware of publicly available exploit code for a buffer overflow vulnerability in Microsoft Windows Workstation. According to Secunia Advisory SA23487, there is a flaw in the way the Workstation service handles large RPC requests. By sending specially crafted data to the Workstation service, a remote attacker could cause a denial-of-service condition on a vulnerable system. Initial analysis indicates that Windows XP and Windows 2000 are vulnerable to this flaw.

    Until a security fix from Microsoft becomes available, US-CERT recommends the following action to help mitigate the security risks:

    • Block ports 139/tcp and 445/tcp at the firewall.

    US-CERT will continue to investigate and will provide additional information as it becomes available.


    Proof-of-Concept Code for Vulnerability in Microsoft Windows

    added December 26, 2006

    US-CERT is aware of publicly available proof-of-concept code for a local privilege escalation vulnerability in Microsoft Windows 2000, Windows Server 2003, Windows XP, and Windows Vista.

    More information concerning this flaw is available at the Microsoft Security Response Center Blog.

    US-CERT will continue to investigate and will provide additional information as it becomes available.


    Mozilla Releases Security Advisories to Address Multiple Vulnerabilities

    added December 20, 2006 | updated December 21, 2006

    Mozilla has released Security Advisories to correct multiple vulnerabilities in Firefox, Thunderbird, and SeaMonkey. If successfully exploited, these vulnerabilities may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition on a vulnerable system.

    More information about these vulnerabilities can be found in the following:

    US-CERT strongly encourages users to take the following actions to help mitigate the security risks:


    Microsoft Publishes New Information on the Three Word Vulnerabilities

    added December 19, 2006

    Microsoft has published new information on its Security Response Center Blog addressing the latest Word vulnerabilities reported earlier this month.

    Until a security fix from Microsoft becomes available, US-CERT recommends that users follow the recommendations in Microsoft Security Advisory 929433 to help mitigate the security risks for all three Word vulnerabilities.