  • January 29, 2007 - Current Activity

    This is an archived copy of Current Activity; the most recent version is available on the US-CERT site.

    January 29 Microsoft Releases Security Advisory to Address Vulnerability in Microsoft Word 2000
    January 24 Cisco Releases Security Advisories for Multiple Vulnerabilities in IOS
    January 24 Apple Releases Security Update for Vulnerability in QuickTime
    January 23 Microsoft Re-Releases Security Bulletin MS07-002 for Excel 2000
    January 22 Exploit Code Available for Multiple Vulnerabilities in Sun Java Runtime Environment
    January 20 Second Trojan Variant Storm Worm Spreads through Social Engineering
    January 17 Oracle Releases January Critical Patch Update
    January 16 Proof-of-Concept Code for Integer Overflow Vulnerability in Apple Mac OS X
    January 12 Active Exploitation of Vulnerability in CA BrightStor ARCserve Backup



    Microsoft Releases Security Advisory to Address Vulnerability in Microsoft Word 2000

    added January 25, 2007 | updated January 29, 2007

    Microsoft has released Security Advisory 932114 to address a previously known vulnerability in Word 2000. There is a flaw in the way Word handles a malformed string that could corrupt system memory. By persuading a user to open a specially crafted Word document from an email attachment or web site, a remote attacker may be able to execute arbitrary code with the privileges of the user. If the compromised user is an administrator or has administrator-level privileges, then the attacker would be able to execute arbitrary code with SYSTEM-level privileges.

    According to the Microsoft Security Response Center Blog, there are very limited, targeted attacks attempting to exploit this vulnerability.

    Note: According to Microsoft, this vulnerability cannot be exploited on Word 2003, Word Viewer 2003, Word 2007, Word 2004 for Mac, Word v. X for Mac, Word 2002, or Works 2004, 2005, or 2006.

    According to Symantec, a Trojan horse called Trojan.Mdropper.W is actively exploiting this vulnerability. This Trojan takes advantage of the unpatched flaw in Word 2000 to drop additional malicious files, such as Backdoor.Trojan, that may provide a remote attacker with unauthorized access to a vulnerable system. Backdoor.Trojan is a generic detection for a group of Trojan horse programs that open a back door and allow a remote attacker to have unauthorized access to the compromised computer.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#412225 - Microsoft Word 2000 fails to properly handle malformed strings

    Until more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

    • Do not open or save untrusted Word documents or attachments from unsolicited email messages.
    • Disable automatic opening of Microsoft Office documents.
    • Do not rely on file name extensions as a way to securely filter against malicious files.
    • Install anti-virus software and keep its virus signature files up-to-date.
    • Save and scan any attachments before opening them.
    • Limit user privileges: work from an account without administrator rights.
    • Review Microsoft Security Advisory 932114 for additional workarounds.

    US-CERT will continue to investigate and provide additional information as it becomes available.


    Cisco Releases Security Advisories for Multiple Vulnerabilities in IOS

    added January 24, 2007 | updated January 24, 2007

    Cisco has released three Security Advisories to address vulnerabilities rated as severe in its Internetwork Operating System (IOS) software.

    Cisco Security Advisory: Crafted IP Option Vulnerability addresses a remotely exploitable denial-of-service vulnerability that may potentially allow for arbitrary code execution. This vulnerability may be exploited when an affected device processes a crafted packet that meets all of the following conditions:

    • The packet contains a specific crafted IP option.
    • The packet is one of the following protocols:
      • ICMP - Echo Request (Type 8)
      • ICMP - Timestamp (Type 13)
      • ICMP - Information Request (Type 15)
      • ICMP - Address Mask Request (Type 17)
      • PIMv2 - IP protocol 103
      • PGM - IP protocol 113
      • URD - TCP Port 465
    • The packet is sent to a physical or virtual IPv4 address configured on the affected device.
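    The three conditions above can be turned into a triage filter for captured traffic. The following is an added example, not code from US-CERT or Cisco: it parses raw IPv4 packet bytes and flags any packet that carries IP options (the advisory does not identify the specific option, so every option is treated as suspect), is one of the listed ICMP types, PIMv2, PGM or TCP/465, and is addressed to one of the device's own IPv4 addresses. The `build_ipv4` helper only constructs sample packets for testing and is not part of the advisory.

```python
import struct

# Protocol numbers and ICMP request types named in the Cisco advisory.
ICMP, TCP, PIMV2, PGM = 1, 6, 103, 113
ICMP_REQUEST_TYPES = {8, 13, 15, 17}   # echo, timestamp, info, address mask
URD_PORT = 465                          # URD is carried over TCP port 465


def matches_crafted_ip_option_profile(pkt, device_addrs):
    """Return True when a raw IPv4 packet meets all three advisory conditions:
    it carries IP options, it is one of the listed protocols/types, and it
    is destined to an address configured on the device (device_addrs)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl <= 20 or len(pkt) < ihl:      # no options present, or truncated
        return False
    proto = pkt[9]
    dst = ".".join(str(b) for b in pkt[16:20])
    if dst not in device_addrs:          # condition 3: addressed to the device
        return False
    payload = pkt[ihl:]
    if proto == ICMP:                    # condition 2: listed ICMP request types
        return len(payload) >= 1 and payload[0] in ICMP_REQUEST_TYPES
    if proto in (PIMV2, PGM):            # condition 2: PIMv2 or PGM
        return True
    if proto == TCP:                     # condition 2: URD on TCP/465
        return len(payload) >= 4 and struct.unpack("!H", payload[2:4])[0] == URD_PORT
    return False


def build_ipv4(proto, dst, payload, options=b""):
    """Constructed sample-packet builder (assumption, for testing only).
    Options are padded to a 4-byte boundary; the checksum is left zero."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    src = bytes([10, 0, 0, 1])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0, 64, proto, 0,
                      src, bytes(int(x) for x in dst.split(".")))
    return hdr + options + payload


if __name__ == "__main__":
    # Constructed ICMP echo request carrying a NOP option, sent to the device.
    sample = build_ipv4(ICMP, "192.0.2.1", b"\x08\x00", options=b"\x01")
    print(matches_crafted_ip_option_profile(sample, {"192.0.2.1"}))
```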

    Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service addresses a denial-of-service vulnerability in the Transmission Control Protocol listener. Crafted packets may cause the device to leak a small amount of memory. Over time, such a memory leak may lead to memory exhaustion and a denial-of-service condition.

    Cisco Security Advisory: IPv6 Routing Header Vulnerability addresses a remotely exploitable denial-of-service vulnerability in the IPv6 Type 0 Routing header handling. This vulnerability can be triggered by a packet containing crafted IPv6 Type 0 Routing headers.

    More information about these vulnerabilities can be found in the Vulnerability Notes Database.

    US-CERT encourages users to apply the fixes and workarounds described in the Cisco Security Advisories and Vulnerability Notes, and will continue to investigate and provide additional information as it becomes available.


    Apple Releases Security Update for Vulnerability in QuickTime

    added January 24, 2007

    Apple has released Security Update 2007-001 to correct a buffer overflow vulnerability in Apple QuickTime. The flaw is in the way that QuickTime handles Real Time Streaming Protocol (RTSP) URL strings. By persuading a user to access a specially crafted QuickTime file, a remote attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system. US-CERT is also aware of publicly available proof-of-concept code that exploits this vulnerability.

    Additionally, the Month of Apple Bugs MOAB-01-01-2007 website states that an attacker may also submit a specially crafted HTML document (e.g., a web page or an HTML email message) or JavaScript code to cause a buffer overflow and compromise a vulnerable system.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#442497 - Apple QuickTime RTSP buffer overflow
    • Technical Cyber Security Alert TA07-005A - Apple QuickTime RTSP Buffer Overflow
    • Apple Security Update 2007-001
    • Month of Apple Bugs MOAB-01-01-2007 - Apple QuickTime rtsp URL Handler Stack-based Buffer Overflow

    US-CERT encourages users to apply the appropriate updates as specified in Apple Security Update 2007-001 as soon as possible. Until the update can be applied, the following workarounds may reduce exposure:

    • Disable the QuickTime ActiveX controls in Internet Explorer as specified in Microsoft Support Document 240797.
    • Disable the QuickTime plug-in for Mozilla-based browsers as specified in the PluginDoc article Uninstalling Plugins.
    • Disable file association for QuickTime files.
    • Disable JavaScript as specified in the Securing Your Web Browser document.
    • Do not access QuickTime files from untrusted sources.

    Microsoft Re-Releases Security Bulletin MS07-002 for Excel 2000

    added January 23, 2007

    Microsoft has released a new version of Security Bulletin MS07-002 to address an issue with the security update for Excel 2000. The new version corrects the problem described in Microsoft Knowledge Base Article 931183 and in the Microsoft Security Response Center Blog. According to Microsoft, there was a flaw in the way the previous update processed the phonetic information that is embedded in files created using Excel in the Korean, Chinese, or Japanese executable mode. Users who created Excel documents in one of these modes had difficulty opening some files after installing the update. The Microsoft re-release of MS07-002 resolves this issue.

    More information about the vulnerabilities addressed in this Security Bulletin is located in the Vulnerability Notes Database.

    US-CERT strongly encourages Excel 2000 users to apply the updates in the newly released Security Bulletin MS07-002 as soon as possible.


    Exploit Code Available for Multiple Vulnerabilities in Sun Java Runtime Environment

    added January 10, 2007 | updated January 22, 2007

    US-CERT is aware of publicly available exploit code for multiple vulnerabilities in Sun Java Runtime Environment (JRE). There are several flaws in the JRE that may allow an untrusted Java Applet to elevate its privileges or execute malicious code. If successfully exploited, a remote, unauthenticated attacker may be able to execute arbitrary code with elevated privileges.

    More information about these vulnerabilities can be found in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-022A.

    US-CERT encourages users to take the following actions to help mitigate the effects of these vulnerabilities:

    • Upgrade to patched versions of the Sun Java Runtime environment as specified in Technical Cyber Security Alert TA07-022A.
    • Disable Java as specified in the Securing Your Web Browser document until updates can be applied.

    Second Trojan Variant Storm Worm Spreads through Social Engineering

    added January 19, 2007 | updated January 20, 2007

    US-CERT is aware of a second variant of the Small Trojan that is known as Storm Worm. Similar to the first variant, this one is also a mass-mailer that uses social engineering and network shares to propagate. The Storm Worm variant creates a peer-to-peer network that operates on port 7871/UDP, while the previously reported variant, known as Small.DAM or Trojan.Peacomm, operates on port 4000/UDP.

    The Small Trojan variants arrive as an email attachment and also propagate through network file shares. These Trojan variants drop two files upon execution, one of which may contain rootkit functionality. These Trojan variants also create a back door that may be used to harvest sensitive data or launch a spam attack.

    Subject lines can change at any time, but the following are currently being used by these Trojans:

    • 230 dead as storm batters Europe
    • A killer at 11, he's free at 21 and...
    • British Muslims Genocide
    • Naked teens attack home director
    • U.S. Secretary of State Condoleezza...
    • Russian missle shot down Chinese satellite
    • Russian missle shot down USA aircraft
    • Russian missle shot down USA satellite
    • Chinese missile shot down USA aircraft
    • Chinese missile shot down USA satellite
    • Sadam Hussein alive!
    • Sadam Hussein safe and sound!
    • Radical Muslim drinking enemies' blood

    File names can also change at any time, but the following are currently being used:

    • Full Clip.exe
    • Full Story.exe
    • Full Video.exe
    • Full Text.exe
    • Read More.exe
    • Video.exe

    US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:


    Oracle Releases January Critical Patch Update

    added January 15, 2007 | updated January 17, 2007

    Oracle has released its January Critical Patch Update (CPU) to address 54 vulnerabilities across all products, some of which have a maximum severity rating of High. This CPU contains twenty-six security fixes for Oracle Database; twelve for Oracle Application Server; seven for Oracle E-Business Suite; six for Oracle Enterprise Manager; and three for Oracle PeopleSoft Enterprise PeopleTools.

    US-CERT strongly encourages users to review the January CPU and follow best-practice security policies to determine which updates to apply.

    Additionally, more information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-017A.


    Proof-of-Concept Code for Integer Overflow Vulnerability in Apple Mac OS X

    added January 16, 2007

    US-CERT is aware of proof-of-concept code for an unpatched integer overflow vulnerability in Apple Mac OS X Unix File System (UFS) handling. By persuading a user to open a specially crafted Disk Image (DMG) file, a remote attacker may be able to cause a denial-of-service condition or possibly execute arbitrary code on a vulnerable system.

    NOTE: This is only remotely exploitable via the Safari web browser when the Opening Safe Files After Downloading option is enabled.

    More information about this vulnerability can be found in the following:

    • Vulnerability Note VU#552136 - Apple Mac OS X UFS filesystem integer overflow vulnerability

    Until Apple releases a security fix or update, US-CERT recommends the following actions to help mitigate the security risks:

    • Disable the Open Safe Files After Downloading option in the Safari browser preferences as specified in the Securing Your Web Browser document.
    • Do not mount untrusted DMG files.

    Active Exploitation of Vulnerability in CA BrightStor ARCserve Backup

    added January 12, 2007

    US-CERT is aware of active exploitation of a vulnerability in the Computer Associates BrightStor ARCserve Backup software product. There is a flaw in the way BrightStor ARCserve Backup handles malformed RPC requests.

    Additionally, US-CERT has received reports of increased port scan activity on port 6502/tcp. An attacker may be able to access a vulnerable version of the BrightStor ARCserve Backup on this port. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

    More information about this vulnerability and related ones can be found in the Vulnerability Notes Database.

    US-CERT encourages users and administrators to take the following actions to help mitigate the security risks:

    • Apply the available updates as soon as possible.
    • Restrict access to ports 6502/tcp, 6503/tcp and 6504/tcp to trusted hosts only.