  • February 09, 2007 - Current Activity

    This is an archived copy of current activity.

    February 9  Multiple Vulnerabilities in Trend Micro Antivirus Software
    February 8  Microsoft Releases Advance Notification for February Security Bulletin
    February 6  Anomalous DNS Activity
    February 5  Microsoft Releases Security Advisory for Unpatched Vulnerability in Office involving Excel
    February 2  Active Exploitation of Unpatched Vulnerability in Microsoft Word
    February 1  Public Exploit Code for Multiple Vulnerabilities in CA BrightStor ARCserve Backup
    January 31  Vulnerability in PGP Desktop Service
    January 31  SIP-Enabled Cisco IOS Devices are Vulnerable to Denial of Service
    January 29  Microsoft Releases Security Advisory to Address Vulnerability in Microsoft Word 2000
    January 24  Cisco Releases Security Advisories for Multiple Vulnerabilities in IOS
    January 24  Apple Releases Security Update for Vulnerability in QuickTime
    January 23  Microsoft Re-Releases Security Bulletin MS07-002 for Excel 2000
    January 22  Exploit Code Available for Multiple Vulnerabilities in Sun Java Runtime Environment
    January 20  Second Trojan Variant Storm Worm Spreads through Social Engineering
    January 17  Oracle Releases January Critical Patch Update
    January 16  Proof-of-Concept Code for Integer Overflow Vulnerability in Apple Mac OS X
    January 12  Active Exploitation of Vulnerability in CA BrightStor ARCserve Backup



    Multiple Vulnerabilities in Trend Micro Antivirus Software

    added February 8, 2007 | updated February 9, 2007

    US-CERT is aware of multiple buffer overflow vulnerabilities in Trend Micro AntiVirus software. There are flaws in the way the Trend Micro virus scan engine processes malformed UPX-compressed executables, and in the Anti-Rootkit Common Module.

    The impacts include remote code execution with potential kernel-level privileges, denial of service, and local privilege escalation. Both Windows and Linux versions of Trend Micro AntiVirus are affected.

    Note: The Trend Micro virus scanning engine may be licensed to other vendors; therefore, other scanning software products may also be affected by these vulnerabilities.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#276432 - Trend Micro AntiVirus fails to properly process malformed UPX compressed executables
    • Vulnerability Note VU#666800 - Trend Micro Anti-Rootkit Common Module fails to properly validate input
    • Vulnerability Note VU#282240 - Trend Micro Anti-Rootkit Common Module fails to properly restrict access to the \\.\TmComm DOS device interface
    • Trend Micro Solution Detail 1034289
    • Trend Micro Solution Detail 1034432

    Until a full upgrade becomes available, US-CERT recommends updating the virus pattern, scanning engine, and Anti-Rootkit Common Module to the latest versions to address these vulnerabilities.

    US-CERT will continue to investigate and provide additional information as needed.


    Microsoft Releases Advance Notification for February Security Bulletin

    added February 8, 2007

    Microsoft has issued a Security Bulletin Advance Notification indicating that its February release cycle will contain twelve bulletins, some of which have a maximum severity rating of Critical. The notification states that five of the bulletins are for Windows; two for Office; one for Windows and Visual Studio; one for Windows and Office; one for Step-by-Step Interactive Training; one for Data Access Components; and one for Live OneCare, Antigen, Windows Defender, and Forefront. The release is scheduled for Tuesday, February 13, 2007.

    US-CERT will provide additional information as it becomes available.


    Anomalous DNS Activity

    added February 6, 2007

    US-CERT was made aware of anomalous Domain Name System (DNS) traffic that began on 6 Feb 2007. It has not been confirmed whether this was a distributed denial-of-service (DDoS) attempt or an incidental effect of something else; however, the traffic is likely DDoS related.

    At approximately 0001 GMT on 6 Feb 2007, several root-level DNS servers began receiving a large volume of malformed DNS queries. This initial attack appears to have been a warm-up for a much larger attack that began at 1000 GMT.

    Root servers G (U.S. DoD Network Information Center), L (Internet Corporation for Assigned Names and Numbers), and M (WIDE Project) appear to have been the most severely affected, although none was ever unreachable; the servers remained operational and reachable despite the high volume of traffic.

    US-CERT has been in contact with the various groups affected to ensure that appropriate actions are being taken.

    US-CERT will continue to investigate and provide additional information as needed.


    Microsoft Releases Security Advisory for Unpatched Vulnerability in Office involving Excel

    added February 5, 2007 | updated February 5, 2007

    Microsoft has released Security Advisory 932553 to address a new vulnerability that affects multiple versions of Microsoft Office. When an Office application processes a malformed string, memory can be corrupted. By persuading a user to open a specially crafted Office document from an email attachment or web site, a remote attacker may be able to execute arbitrary code with the privileges of the user.

    The Security Advisory states that the following Office versions are vulnerable: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac.

    According to the Microsoft Security Response Center Blog, there are very limited, targeted attacks using Excel documents as the attack vector for this vulnerability. The flaw is not specific to Excel, however, and other Office document types could also be used to exploit it.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#613740 - Microsoft Office unspecified vulnerability

    Until Microsoft provides a security update, or more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

    • Do not open or save untrusted Office documents or attachments from unsolicited email messages.
    • Disable automatic opening of Microsoft Office documents, as specified in the Office Document Open Confirmation Tool document for Office 2000 users.
    • Do not rely on file name extensions as a way to filter securely against malicious files.
    • Limit user privileges; do not run with administrator rights.
    • Review Microsoft Security Advisory 932553 for additional workarounds.

    US-CERT will continue to investigate and provide additional information as it becomes available.


    Active Exploitation of Unpatched Vulnerability in Microsoft Word

    added January 31, 2007 | updated February 2, 2007

    US-CERT is aware of active exploitation of an unpatched vulnerability in Microsoft Word. According to reports, Microsoft has stated that this vulnerability is the one described in VU#166700, reported in December 2006. According to Symantec, several different documents using this same exploit have been sent to multiple organizations, and each document was crafted specifically for the targeted organization in both language and content. Details are limited at this point.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#166700 - Microsoft Word malformed data structure vulnerability

    Until Microsoft issues a security fix, or more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

    • Do not open or save untrusted Word documents or attachments from unsolicited email messages.
    • Disable automatic opening of Microsoft Office documents, as specified in the Office Document Open Confirmation Tool document.
    • Do not rely on file name extensions as a way to securely filter against malicious files.

    US-CERT will continue to monitor this issue and provide additional information as it becomes available.


    Public Exploit Code for Multiple Vulnerabilities in CA BrightStor ARCserve Backup

    added February 1, 2007

    US-CERT is aware of public exploit code for multiple vulnerabilities in the Computer Associates BrightStor ARCserve Backup software product. The vulnerable process (Loginserver.exe) is susceptible to buffer overflows because neither the advertised size of the received data nor the data itself is properly validated. By sending specially crafted packets to ports 2200/tcp and 1900/tcp, a remote, unauthenticated attacker may be able to execute arbitrary code with SYSTEM-level privileges or cause a denial of service.

    More information about these vulnerabilities is located in the Vulnerability Notes database and the Computer Associates Security Notice.

    US-CERT encourages users and administrators to take the following actions to help mitigate the security risks:

    • Apply an update as specified in the Computer Associates Security Notice.
    • Restrict access to ports 2200/tcp and 1900/tcp to trusted hosts only.

    US-CERT will continue to monitor this issue and provide additional information as it becomes available.


    Vulnerability in PGP Desktop Service

    added January 31, 2007

    US-CERT is aware of a memory corruption vulnerability in the PGP Desktop service. The PGP Desktop service fails to validate user-supplied data. By sending a specially crafted object to the PGP Desktop service, a remote, authenticated attacker may be able to execute arbitrary code with potentially elevated privileges on a vulnerable system.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#102465 - PGP Desktop service fails to validate user supplied data

    PGP states that upgrading to the latest version of PGP Desktop will address this vulnerability.

    US-CERT will continue to monitor this issue and provide additional information as it becomes available.


    SIP-Enabled Cisco IOS Devices are Vulnerable to Denial of Service

    added January 31, 2007

    US-CERT is aware of an unspecified vulnerability in SIP-enabled Cisco IOS devices. The Session Initiation Protocol (SIP) is a signaling protocol for IP telephony and is widely used for Voice over IP (VoIP) communications worldwide. According to Cisco, devices running IOS with voice support that are not configured for SIP are vulnerable to a crash triggered by traffic destined for port 5060. Other conditions affecting this vulnerability have yet to be determined.

    By sending specially crafted SIP packets to port 5060 (UDP or TCP), a remote, unauthenticated attacker could cause the IOS device to reload, resulting in a denial-of-service condition.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#438176 - Cisco IOS fails to properly handle Session Initiated Protocol packets
    • Cisco Security Advisory cisco-sa-20070131-sip - SIP Packet Reloads IOS Devices Not Configured for SIP
    • Cisco Applied Intelligence Response cisco-air-20070131-sip - Identifying and Mitigating Exploitation of the SIP Packet Reloads IOS Devices Not Configured for SIP Vulnerability

    US-CERT encourages users and administrators to take the following actions to help mitigate the security risks:

    • Update to unaffected IOS versions as soon as possible.
    • Disable SIP processing.
    • Restrict access to ports 5060/UDP and 5060/TCP to trusted hosts only.

    Microsoft Releases Security Advisory to Address Vulnerability in Microsoft Word 2000

    added January 25, 2007 | updated January 29, 2007

    Microsoft has released Security Advisory 932114 to address a previously known vulnerability in Word 2000. A flaw in the way Word handles a malformed string can corrupt memory. By persuading a user to open a specially crafted Word document from an email attachment or web site, a remote attacker may be able to execute arbitrary code with the privileges of the user. If that user has administrator-level privileges, the attacker gains full control of the system.

    According to the Microsoft Security Response Center Blog, there are very limited, targeted attacks attempting to exploit this vulnerability.

    Note: According to Microsoft, this vulnerability cannot be exploited on Word 2003, Word Viewer 2003, Word 2007, Word 2004 for Mac, Word v. X for Mac, Word 2002, or Works 2004, 2005, or 2006.

    According to Symantec, a Trojan horse called Trojan.Mdropper.W is actively exploiting this vulnerability. This Trojan takes advantage of the unpatched flaw in Word 2000 to drop additional malicious files, such as Backdoor.Trojan, that may provide a remote attacker with unauthorized access to a vulnerable system. Backdoor.Trojan is a generic detection for a group of Trojan horse programs that open a back door and allow a remote attacker to have unauthorized access to the compromised computer.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#412225 - Microsoft Word 2000 fails to properly handle malformed strings

    Until more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

    • Do not open or save untrusted Word documents or attachments from unsolicited email messages.
    • Disable automatic opening of Microsoft Office documents.
    • Do not rely on file name extensions as a way to securely filter against malicious files.
    • Install anti-virus software and keep its virus signature files up-to-date.
    • Save and scan any attachments before opening them.
    • Limit user privileges; do not run with administrator rights.
    • Review Microsoft Security Advisory 932114 for additional workarounds.

    US-CERT will continue to investigate and provide additional information as it becomes available.


    Cisco Releases Security Advisories for Multiple Vulnerabilities in IOS

    added January 24, 2007 | updated January 24, 2007

    Cisco has released three Security Advisories to address high-severity vulnerabilities in its Internetwork Operating System (IOS) software.

    Cisco Security Advisory: Crafted IP Option Vulnerability addresses a remotely exploitable denial-of-service vulnerability that may also allow arbitrary code execution. It may be exploited when an affected device processes a crafted packet that meets all of the following conditions:

    • The packet contains a specific crafted IP option.
    • The packet is one of the following protocols:
      • ICMP - Echo Request (Type 8)
      • ICMP - Timestamp (Type 13)
      • ICMP - Information Request (Type 15)
      • ICMP - Address Mask Request (Type 17)
      • PIMv2 - IP protocol 103
      • PGM - IP protocol 113
      • URD - TCP Port 465
    • The packet is sent to a physical or virtual IPv4 address configured on the affected device.

    Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service addresses a denial-of-service vulnerability in the Transmission Control Protocol listener. Crafted packets may cause the device to leak a small amount of memory. Over time, such a memory leak may lead to memory exhaustion and a denial-of-service condition.

    Cisco Security Advisory: IPv6 Routing Header Vulnerability addresses a remotely exploitable denial-of-service vulnerability in the IPv6 Type 0 Routing header handling. This vulnerability can be triggered by a packet containing crafted IPv6 Type 0 Routing headers.
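    The three conditions in the Crafted IP Option advisory, and the Type 0 Routing header check in the IPv6 advisory, are concrete enough to turn into a triage filter for packet captures. The Python below is an added example and is not Cisco's or US-CERT's code: it parses raw IPv4 and IPv6 packets and reports whether they meet the advisory conditions. Because the advisory does not publish which IP option triggers the flaw, the IPv4 check treats any packet carrying options as a candidate; that is an assumption. The packets at the bottom are constructed samples rather than captured traffic, and the device address 192.0.2.1 and the choice of Router Alert as the sample option are assumptions as well.

```python
import struct

# Protocol conditions from the Crafted IP Option advisory (the list above).
ICMP_REQUEST_TYPES = {8, 13, 15, 17}     # Echo, Timestamp, Information, Address Mask requests
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_PIM, IPPROTO_PGM = 1, 6, 103, 113
URD_TCP_PORT = 465
# IPv6 extension header numbers the parser has to step over.
IPV6_HOPBYHOP, IPV6_ROUTING, IPV6_FRAGMENT, IPV6_AH, IPV6_DSTOPTS = 0, 43, 44, 51, 60


def ipv4_matches_crafted_option(pkt: bytes, local_addrs) -> bool:
    """True if an IPv4 packet carries IP options, is one of the listed
    protocols/types, and is addressed to the device itself.
    Assumption: the advisory does not name the option, so any option counts."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl <= 20 or len(pkt) < ihl:          # no options present, or truncated header
        return False
    dst = ".".join(str(b) for b in pkt[16:20])
    if dst not in local_addrs:               # transit traffic does not meet condition 3
        return False
    proto = pkt[9]
    if proto in (IPPROTO_PIM, IPPROTO_PGM):  # protocol number alone is enough
        return True
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False                         # non-first fragment: no transport header to inspect
    payload = pkt[ihl:]
    if proto == IPPROTO_ICMP:
        return len(payload) >= 1 and payload[0] in ICMP_REQUEST_TYPES
    if proto == IPPROTO_TCP:
        return len(payload) >= 4 and struct.unpack("!H", payload[2:4])[0] == URD_TCP_PORT
    return False


def ipv6_has_type0_routing_header(pkt: bytes) -> bool:
    """Walk the IPv6 extension-header chain and report a Routing header of type 0."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False
    nxt, off = pkt[6], 40
    while off + 2 <= len(pkt):
        if nxt == IPV6_ROUTING:
            return off + 3 <= len(pkt) and pkt[off + 2] == 0   # routing type field
        if nxt == IPV6_FRAGMENT:
            ext_len = 8
        elif nxt == IPV6_AH:
            ext_len = (pkt[off + 1] + 2) * 4   # AH length is in 4-octet units
        elif nxt in (IPV6_HOPBYHOP, IPV6_DSTOPTS):
            ext_len = (pkt[off + 1] + 1) * 8
        else:
            return False                       # upper-layer header reached, no routing header
        nxt, off = pkt[off], off + ext_len
    return False


# --- constructed sample packets (not captured traffic); checksums left zero ---
def build_ipv4(proto: int, payload: bytes, dst: str, options: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    src, dst_b = bytes([192, 0, 2, 100]), bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, src, dst_b)
    return hdr + options + payload


def build_ipv6(first_next_header: int, body: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 6 << 28, len(body), first_next_header, 64, src, dst) + body


LOCAL_ADDRS = {"192.0.2.1"}                             # assumed address of the device
ROUTER_ALERT = b"\x94\x04\x00\x00"                      # option type 148, length 4
ECHO_REQUEST = b"\x08\x00\x00\x00\x00\x01\x00\x01"       # ICMP type 8
ECHO_REPLY = b"\x00\x00\x00\x00\x00\x01\x00\x01"         # ICMP type 0, not in the list
TCP_TO_465 = struct.pack("!HHIIBBHHH", 40000, URD_TCP_PORT, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
RH0 = bytes([58, 2, 0, 1]) + b"\x00" * 4 + bytes.fromhex("20010db8000000000000000000000003")
RH2 = bytes([58, 2, 2, 1]) + b"\x00" * 4 + bytes.fromhex("20010db8000000000000000000000003")
HOPBYHOP = bytes([IPV6_ROUTING, 0, 1, 4, 0, 0, 0, 0])  # 8-byte hop-by-hop header (PadN), next=43

SAMPLES = [
    ("ICMP echo request with Router Alert option", build_ipv4(IPPROTO_ICMP, ECHO_REQUEST, "192.0.2.1", ROUTER_ALERT)),
    ("same echo request without options", build_ipv4(IPPROTO_ICMP, ECHO_REQUEST, "192.0.2.1")),
    ("ICMP echo reply with option", build_ipv4(IPPROTO_ICMP, ECHO_REPLY, "192.0.2.1", ROUTER_ALERT)),
    ("TCP SYN to 465 with option", build_ipv4(IPPROTO_TCP, TCP_TO_465, "192.0.2.1", ROUTER_ALERT)),
    ("PIMv2 with option, transit destination", build_ipv4(IPPROTO_PIM, b"", "198.51.100.7", ROUTER_ALERT)),
    ("IPv6 with RH0", build_ipv6(IPV6_ROUTING, RH0)),
    ("IPv6 with RH2 (legitimate type)", build_ipv6(IPV6_ROUTING, RH2)),
    ("IPv6 hop-by-hop then RH0", build_ipv6(IPV6_HOPBYHOP, HOPBYHOP + RH0)),
]


def classify(pkt: bytes) -> str:
    if ipv4_matches_crafted_option(pkt, LOCAL_ADDRS):
        return "MATCH: crafted IP option conditions"
    if ipv6_has_type0_routing_header(pkt):
        return "MATCH: IPv6 Type 0 Routing header"
    return "no match"


if __name__ == "__main__":
    for label, pkt in SAMPLES:
        print(f"{label:45s} -> {classify(pkt)}")
```

    Run as a script it prints one line per sample. The filter is a triage rule rather than an exact signature: it deliberately over-matches on the IPv4 side, so run it over a capture taken on the device's own interfaces and review the hits instead of alerting on each one. The destination-address test is what excludes transit traffic, matching the third condition in the advisory; the IPv6 walk stops at the first Routing header it finds, which is the one the device would process.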

    More information about these vulnerabilities can be found in the Vulnerability Notes Database.

    US-CERT encourages users to apply the fixes and workarounds described in the Cisco Security Advisories and Vulnerability Notes, and will continue to investigate and provide additional information as it becomes available.


    Apple Releases Security Update for Vulnerability in QuickTime

    added January 24, 2007

    Apple has released Security Update 2007-001 to correct a buffer overflow vulnerability in Apple QuickTime. The flaw is in the way QuickTime handles Real Time Streaming Protocol (RTSP) URL strings. By persuading a user to access a specially crafted RTSP URL, for example through a QuickTime file or a web page, a remote attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system. US-CERT is also aware of publicly available proof-of-concept code that exploits this vulnerability.

    Additionally, the Month of Apple Bugs MOAB-01-01-2007 website states that an attacker may also use a specially crafted HTML document (e.g., a web page or an HTML email message) or JavaScript code to trigger the buffer overflow and compromise a vulnerable system.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#442497 - Apple QuickTime RTSP buffer overflow
    • Technical Cyber Security Alert TA07-005A - Apple QuickTime RTSP Buffer Overflow
    • Apple Security Update 2007-001
    • Month of Apple Bugs MOAB-01-01-2007 - Apple QuickTime rtsp URL Handler Stack-based Buffer Overflow

    US-CERT encourages users to apply the appropriate updates as specified in Apple Security Update 2007-001 as soon as possible. Until the update is applied, the following workarounds may help mitigate the risk:

    • Disable the QuickTime ActiveX controls in Internet Explorer as specified in Microsoft Support Document 240797.
    • Disable the QuickTime plug-in for Mozilla-based browsers as specified in the PluginDoc article Uninstalling Plugins.
    • Disable file association for QuickTime files.
    • Disable JavaScript as specified in the Securing Your Web Browser document.
    • Do not access QuickTime files from untrusted sources.

    Microsoft Re-Releases Security Bulletin MS07-002 for Excel 2000

    added January 23, 2007

    Microsoft has released a new version of Security Bulletin MS07-002 to address an issue with the security update for Excel 2000. The new version corrects the problem described in Microsoft Knowledge Base Article 931183 and in the Microsoft Security Response Center Blog. According to Microsoft, the previous update mishandled the phonetic information embedded in files created with Excel in the Korean, Chinese, or Japanese executable mode, so users who created Excel documents in one of these modes had difficulty opening some files after installing it. The re-released MS07-002 resolves this issue.

    More information about the vulnerabilities addressed in this Security Bulletin is located in the Vulnerability Notes Database.

    US-CERT strongly encourages Excel 2000 users to apply the updates in the newly released Security Bulletin MS07-002 as soon as possible.


    Exploit Code Available for Multiple Vulnerabilities in Sun Java Runtime Environment

    added January 10, 2007 | updated January 22, 2007

    US-CERT is aware of publicly available exploit code for multiple vulnerabilities in the Sun Java Runtime Environment (JRE). Several flaws in the JRE may allow an untrusted Java applet to escape its sandbox, elevate its privileges, or execute malicious code. If successfully exploited, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user running the applet.

    More information about these vulnerabilities can be found in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-022A.

    US-CERT encourages users to take the following actions to help mitigate the effects of these vulnerabilities:

    • Upgrade to patched versions of the Sun Java Runtime environment as specified in Technical Cyber Security Alert TA07-022A.
    • Disable Java as specified in the Securing Your Web Browser document until updates can be applied.

    Second Trojan Variant Storm Worm Spreads through Social Engineering

    added January 19, 2007 | updated January 20, 2007

    US-CERT is aware of a second variant of the Small Trojan known as Storm Worm. Like the first variant, it is a mass-mailer that uses social engineering and network shares to propagate. This variant creates a peer-to-peer network that operates on port 7871/UDP, while the previously reported variant, known as Small.DAM or Trojan.Peacomm, operates on port 4000/UDP.

    The Small Trojan variants arrive as an email attachment and also propagate through network file shares. These Trojan variants drop two files upon execution, one of which may contain rootkit functionality. These Trojan variants also create a back door that may be used to harvest sensitive data or launch a spam attack.

    Subject lines can change at any time, but the following are currently being used by these Trojans:

    • 230 dead as storm batters Europe
    • A killer at 11, he's free at 21 and...
    • British Muslims Genocide
    • Naked teens attack home director
    • U.S. Secretary of State Condoleezza...
    • Russian missle shot down Chinese satellite
    • Russian missle shot down USA aircraft
    • Russian missle shot down USA satellite
    • Chinese missile shot down USA aircraft
    • Chinese missile shot down USA satellite
    • Sadam Hussein alive!
    • Sadam Hussein safe and sound!
    • Radical Muslim drinking enemies' blood

    File names can also change at any time, but the following are currently being used:

    • Full Clip.exe
    • Full Story.exe
    • Full Video.exe
    • Full Text.exe
    • Read More.exe
    • Video.exe

    US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:


    Oracle Releases January Critical Patch Update

    added January 15, 2007 | updated January 17, 2007

    Oracle has released their January Critical Patch Update (CPU) to address 54 vulnerabilities across all products, some of which have a maximum severity rating of High. This CPU contains twenty-six security fixes for Oracle Database; twelve for Oracle Application Server; seven for Oracle E-Business Suite; six for Oracle Enterprise Manager; and three for Oracle PeopleSoft Enterprise PeopleTools.

    US-CERT strongly encourages users to review the January CPU and follow best-practice security policies to determine which updates to apply.

    Additionally, more information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-017A.


    Proof-of-Concept Code for Integer Overflow Vulnerability in Apple Mac OS X

    added January 16, 2007

    US-CERT is aware of proof-of-concept code for an unpatched integer overflow vulnerability in Apple Mac OS X Unix File System (UFS) handling. By persuading a user to open a specially crafted Disk Image (DMG) file, a remote attacker may be able to cause a denial-of-service condition or possibly execute arbitrary code on a vulnerable system.

    NOTE: This is only remotely exploitable via the Safari web browser when the Open Safe Files After Downloading option is enabled.

    More information about this vulnerability can be found in the following:

    • Vulnerability Note VU#552136 - Apple Mac OS X UFS filesystem integer overflow vulnerability

    Until Apple releases a security fix or update, US-CERT recommends the following actions to help mitigate the security risks:

    • Disable the Open Safe Files After Downloading option in the Safari browser preferences as specified in the Securing Your Web Browser document.
    • Do not mount untrusted DMG files.

    Active Exploitation of Vulnerability in CA BrightStor ARCserve Backup

    added January 12, 2007

    US-CERT is aware of active exploitation of a vulnerability in the Computer Associates BrightStor ARCserve Backup software product. The flaw is in the way BrightStor ARCserve Backup handles malformed RPC requests.

    Additionally, US-CERT has received reports of increased port scan activity on port 6502/tcp. An attacker may be able to access a vulnerable version of the BrightStor ARCserve Backup on this port. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

    More information about this vulnerability and related ones can be found in the Vulnerability Notes Database.

    US-CERT encourages users and administrators to take the following actions to help mitigate the security risks:

    • Apply the available updates as soon as possible.
    • Restrict access to ports 6502/tcp, 6503/tcp and 6504/tcp to trusted hosts only.