  • February 15, 2007 - Current Activity

    This is an archived copy of current activity.

    February 15 New Unpatched Vulnerability in Word Could Allow Remote Code Execution
    February 13 Microsoft Releases February Security Bulletin
    February 13 Authentication Bypass Vulnerability in Sun Solaris Telnet Daemon
    February 9 Multiple Vulnerabilities in Trend Micro Antivirus Software
    February 6 Anomalous DNS Activity
    February 5 Microsoft Releases Security Advisory for Unpatched Vulnerability in Office involving Excel
    February 2 Active Exploitation of Unpatched Vulnerability in Microsoft Word
    February 1 Public Exploit Code for Multiple Vulnerabilities in CA BrightStor ARCserve Backup



    New Unpatched Vulnerability in Word Could Allow Remote Code Execution

    added February 13, 2007 | updated February 15, 2007

    In Security Advisory 933052 issued yesterday, Microsoft confirmed very limited attacks against a new unpatched vulnerability in Word. The vulnerability is due to a memory corruption error that occurs when Word improperly processes a malformed string supplied in an Office document. By persuading a user to open a specially crafted Office document from an email attachment or web site, a remote attacker may be able to execute arbitrary code with privileges of the user.

    This vulnerability affects Microsoft Word, which is a component of Microsoft Office. Microsoft reports that Office 2000 and Office XP are associated with this vulnerability.

    Note: Previous reports indicated that the impact of this vulnerability was limited to denial of service. After further analysis, Microsoft has confirmed that the impact of this vulnerability is remote code execution.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#332404 - Microsoft Word fails to properly handle malformed strings
    • Microsoft Security Advisory 933052

    Until Microsoft issues a security fix, or more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

    • Do not open or save untrusted Word documents or attachments from unsolicited email messages.
    • Disable automatic opening of Microsoft Office documents, as specified in the Office Document Open Confirmation Tool document.
    • Do not rely on file name extensions as a secure way to filter against malicious files.

    US-CERT will continue to monitor this issue and provide additional information as it becomes available.


    Microsoft Releases February Security Bulletin

    added February 13, 2007 | updated February 13, 2007

    Microsoft has released updates to address vulnerabilities in Microsoft Windows, Office, Visual Studio, Windows, Interactive Training, Internet Explorer, and Antivirus as part of the Microsoft Security Bulletin Summary for February 2007.

    More information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-044A.

    US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.


    Authentication Bypass Vulnerability in Sun Solaris Telnet Daemon

    added February 12, 2007 | updated February 13, 2007

    US-CERT is aware of an authentication bypass vulnerability in the Sun Solaris telnet daemon (in.telnetd). The Sun Solaris telnet daemon does not properly sanitize the USER environment variable before passing it to the login process. By supplying a specially crafted USER environment variable over telnet, a remote attacker may be able to bypass authentication to gain access to the system with elevated privileges. Public exploit code is available.

    Note: An attacker must have knowledge of a user account other than root to exploit this vulnerability successfully. Additionally, in default Solaris configurations, this vulnerability cannot be used to gain root level access.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#881872 - Sun Solaris telnet authentication bypass vulnerability
    • Sun Alert 102802 - Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host

    US-CERT recommends the following actions to help mitigate the security risks:

    • Apply interim patches.
      • Be advised that these patches may not have been fully tested. Apply with caution.
    • Disable Telnet daemon.
    • Restrict access to port 23/tcp to trusted hosts only.

    US-CERT will continue to investigate and provide additional information as it becomes available.


    Multiple Vulnerabilities in Trend Micro Antivirus Software

    added February 8, 2007 | updated February 9, 2007

    US-CERT is aware of multiple buffer vulnerabilities in Trend Micro AntiVirus software. There are flaws in the way the Trend Micro virus scan engine processes malformed UPX compressed executables, and in the Anti-Rootkit Common Module.

    The impacts include remote code execution with potential kernel level privileges, denial of service, and local privilege escalation. Both Microsoft and Linux versions of Trend Micro AntiVirus are impacted by this vulnerability.

    Note: The Trend Micro virus scanning engine may be licensed to other vendors; therefore, other scanning software products may also be affected by these vulnerabilities.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#276432 - Trend Micro AntiVirus fails to properly process malformed UPX compressed executables
    • Vulnerability Note VU#666800 - Trend Micro Anti-Rootkit Common Module fails to properly validate input
    • Vulnerability Note VU#282240 - Trend Micro Anti-Rootkit Common Module fails to properly restrict access to the \\.\TmComm DOS device interface
    • Trend Micro Solution Detail 1034289
    • Trend Micro Solution Detail 1034432

    Until a full upgrade becomes available, US-CERT recommends applying the updates for the virus pattern, scanning engine, and Anti-Rootkit Common Module to the latest version to address this vulnerability.

    US-CERT will continue to investigate and provide additional information as needed.


    Anomalous DNS Activity

    added February 6, 2007

    US-CERT was made aware of anomalous Domain Name Server (DNS) traffic that began on 6 Feb 2007. It is not confirmed whether this is a Distributed Denial of Service (DDoS) attempt or an incidental effect of something else; however, it is likely that the traffic is DDoS related.

    At approximately 0001 GMT on 6 Feb 2007, several root-level DNS servers began receiving a large volume of malformed DNS queries. This initial attack appears to have been a warm-up for a much larger attack that began at 1000 GMT.

    DNS servers G (U.S. DOD Network Information Center), L (Internet Corporation for Assigned Names and Numbers), and M (WIDE Project) appear to have been the most severely impacted, although none were ever unreachable. The servers were operational and reachable even with the high volume of traffic.

    US-CERT has been in contact with the various groups affected to ensure that appropriate actions are being taken.

    US-CERT will continue to investigate and provide additional information as needed.


    Microsoft Releases Security Advisory for Unpatched Vulnerability in Office involving Excel

    added February 5, 2007 | updated February 5, 2007

    Microsoft has released Security Advisory 932553 to address a new vulnerability that affects multiple versions of Microsoft Office. When Office applications improperly process a malformed string, a corruption in system memory occurs. By persuading a user to open a specially crafted Office document from an email attachment or web site, a remote attacker may be able to execute arbitrary code with privileges of the user.

    The Security Advisory states that the following Office versions are vulnerable: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac.

    According to the Microsoft Security Response Center Blog, there are very limited, targeted attacks attempting to use Excel documents as an attack vector to exploit this vulnerability in Microsoft Office. However, the issue can also affect all Office documents.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#613740 - Microsoft Office unspecified vulnerability

    Until Microsoft provides a security update, or more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

    • Do not open or save untrusted Office documents or attachments from unsolicited email messages.
    • Disable automatic opening of Microsoft Office documents, as specified in the Office Document Open Confirmation Tool document for Office 2000 users.
    • Do not rely on file name extensions as a way to filter securely against malicious files.
    • Limit user privileges so that users do not have administrator rights.
    • Review Microsoft Security Advisory 932553 for additional workarounds.

    US-CERT will continue to investigate and provide additional information as it becomes available.


    Active Exploitation of Unpatched Vulnerability in Microsoft Word

    added January 31, 2007 | updated February 2, 2007

    US-CERT is aware of active exploitation of an unpatched vulnerability in Microsoft Word. There are reports indicating Microsoft has issued a response that this vulnerability is related to VU#166700, reported in December 2006. According to Symantec, there are different documents that use this same exploit from multiple organizations. Each document has been specifically crafted for the targeted organization in both language and content. Details are limited at this point.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#166700 - Microsoft Word malformed data structure vulnerability

    Until Microsoft issues a security fix, or more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

    • Do not open or save untrusted Word documents or attachments from unsolicited email messages.
    • Disable automatic opening of Microsoft Office documents, as specified in the Office Document Open Confirmation Tool document.
    • Do not rely on file name extensions as a way to securely filter against malicious files.
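
The recommendation not to rely on file name extensions, which also appears in the February 15 Word entry and the February 5 Office entry above, can be applied at a mail or web gateway by classifying attachments from their content. The following is an added example, not code from US-CERT or Microsoft: the function names, verdict strings and extension table are hypothetical, the stream-name search is a heuristic rather than a full directory parse, and the sample inputs are constructed.

```python
import os
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary signature
# Stream names that identify the application inside an OLE2 container.
APP_STREAMS = {"WordDocument": "word", "Workbook": "excel"}
# Extensions under which each content type is normally delivered (assumption).
EXPECTED_EXTS = {"word": {".doc", ".dot"}, "excel": {".xls", ".xlt"},
                 "rtf": {".rtf", ".doc"}}

def sniff(data: bytes) -> str:
    """Classify content from its bytes alone; the file name is never consulted."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if not data.startswith(OLE2_MAGIC):
        return "other"
    if len(data) < 512:
        return "ole2-malformed"  # truncated header
    # Header sanity: byte-order mark at offset 28, sector shift at offset 30.
    byte_order, sector_shift = struct.unpack_from("<HH", data, 28)
    if byte_order != 0xFFFE or sector_shift not in (9, 12):
        return "ole2-malformed"
    # Heuristic: directory entry names are stored as UTF-16LE strings.
    for stream, app in APP_STREAMS.items():
        if stream.encode("utf-16-le") in data:
            return app
    return "ole2-unknown"

def classify_attachment(filename: str, data: bytes) -> str:
    """Return a verdict from the content first, then compare the extension."""
    kind = sniff(data)
    if kind == "other":
        return "not-office"
    if kind.startswith("ole2-"):
        return kind
    ext = os.path.splitext(filename.lower())[1]
    return "office" if ext in EXPECTED_EXTS[kind] else "office-disguised"

def make_ole2(stream_name: str) -> bytes:
    """Constructed sample: a minimal header plus one directory-entry name."""
    header = OLE2_MAGIC + bytes(16) + struct.pack("<HHHH", 0x3E, 3, 0xFFFE, 9)
    return header.ljust(512, b"\0") + stream_name.encode("utf-16-le").ljust(128, b"\0")

if __name__ == "__main__":
    samples = [("report.doc", make_ole2("WordDocument")),
               ("holiday.jpg", make_ole2("Workbook")),
               ("readme.txt", b"plain text")]
    for name, blob in samples:
        print(name, "->", classify_attachment(name, blob))
```

A filter built this way applies its Office document policy to every "office" and "office-disguised" verdict, so renaming an attachment does not change how it is handled.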

    US-CERT will continue to monitor this issue and provide additional information as it becomes available.


    Public Exploit Code for Multiple Vulnerabilities in CA BrightStor ARCserve Backup

    added February 1, 2007

    US-CERT is aware of public exploit code for multiple vulnerabilities in the Computer Associates BrightStor ARCserve Backup software product. The vulnerable process (Loginserver.exe) is susceptible to buffer overflows as the size of the data and the data received are improperly validated. By sending specially crafted data packets to ports 2200/tcp and 1900/tcp, a remote, unauthenticated attacker may be able to execute arbitrary code with SYSTEM level privileges or cause a denial of service.

    More information about these vulnerabilities is located in the Vulnerability Notes database and the Computer Associates Security Notice.

    US-CERT encourages users and administrators to take the following actions to help mitigate the security risks:

    • Apply an update as specified in the Computer Associates Security Notice.
    • Restrict access to ports 2200/tcp and 1900/tcp to trusted hosts only.

    US-CERT will continue to monitor this issue and provide additional information as it becomes available.