Skip to content

Home  |   FAQ  |   Contact  |   Privacy & Use

customize
Current Activity Calendar
Left Arrow
March 2007
 Right Arrow
Su M Tu W Th F Sa
 
 1 2 3
4
 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25
 26 27
 28
 29
 30
 31
Please click on a date above to see current activity for that day.

  • Latest Current Activity
    •

    March 01, 2007 - Current Activity

    This is an archived copy of current activity, if you would like to see the most recent version, please click here.

    March 1 Worm Actively Exploits Vulnerability in Sun Solaris Telnet Daemon
    February 26Proof-of-Concept Code for Vulnerability in Mozilla Firefox
    February 23 Mozilla Releases Security Advisories to Address Multiple Vulnerabilities
    February 23 Exploit Code Posted for XSS Vulnerability in Google Desktop Search Engine
    February 22 Vulnerability in JBOSS Application Server
    February 21Multiple Vulnerabilities in Trend Micro ServerProtect
    February 20 Vulnerability in Sourcefire Snort Preprocessor
    February 16 Apple Releases Security Update 2007-002 for Multiple Vulnerabilities
    February 16Symantec Warns Users of New Drive-By Pharming Attack
    February 16 Cisco Releases Security Advisories to Address Multiple Vulnerabilities in PIX, ASA, and FWSM


    Worm Actively Exploits Vulnerability in Sun Solaris Telnet Daemon

    added February 28, 2007 | updated March 1, 2007

    US-CERT is aware of public reports of a worm that is actively exploiting a known vulnerability in the Sun Solaris telnet daemon (in.telnetd). The worm targets Solaris 10 (SunOS 5.10) systems that are not patched to address this vulnerability and have enabled the telnet daemon. When the worm discovers a vulnerable host, it attempts to log into the host using the lp or adm account to invoke one or more of the following malicious actions:

    • Modifies the /var/adm and /var/spool/lp directories
    • Installs and runs a server on port 32982
    • Schedules a crontab entry to run at 1:00 A.M.
    • Scans for other vulnerable hosts

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#881872 - Sun Solaris telnet authentication bypass vulnerability
    • Technical Cyber Security Alert TA07-059A - Sun Solaris Telnet Worm
    • Sun Alert 102802 - Security Vulnerability in the in.telnetd (1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host

    US-CERT recommends the following actions to help mitigate the security risks:

    • Apply the latest patches, as specified in Sun Alert 102802 to address this vulnerability.
    • Run the Sun inoculation script if your host is infected.
    • Disable Telnet daemon if unable to apply the patch at this time.
    • Restrict access to port 23/tcp to trusted hosts only.

    Proof-of-Concept Code for Vulnerability in Mozilla Firefox

    added February 23, 2007 | updated February 26, 2007

    US-CERT is aware of proof-of-concept code for a memory corruption vulnerability in Mozilla Firefox. The vulnerability exists due to a flaw in the way Firefox handles freed data structures modified in the onUnload event handler, which may cause a memory corruption error. By persuading a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code or crash the Firefox browser.

    More information about this vulnerability is located in the following:

  • Vulnerability Note VU#393921 - Mozilla Firefox fails to properly handle JavaScript onUnload events
  • Mozilla Security Advisory 2007-08

    • Until Mozilla issues a security fix for this issue, US-CERT recommends the following workaround to help mitigate the security risk:

  • Disable JavaScript in the Firefox browser.


    • Mozilla Releases Security Advisories to Address Multiple Vulnerabilities

    added February 23, 2007

    Mozilla has released Security Advisories to address multiple vulnerabilities in Mozilla products, such as Firefox and SeaMonkey.

    US-CERT encourages users to upgrade to the latest version or implement the workarounds for the affected products as described in the Security Advisories.

    Additionally, more information about these vulnerabilities can be found in the Vulnerability Notes Database.


    Exploit Code Posted for XSS Vulnerability in Google Desktop Search Engine

    added February 22, 2007 | updated February 23, 2007

    US-CERT is aware of publicly available exploit code for a cross-site (XSS) scripting vulnerability in the Google Desktop Search engine. The vulnerability exists due to a flaw in the way the Google Desktop Search engine processes malformed user input. By persuading a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), a remote unauthenticated attacker may be able to execute existing arbitrary code, search and view files, or steal sensitive data.

    Note: Without the presence of another vulnerability, remote exploitation is not possible.

    Google has addressed this issue in the latest version of Google Desktop, which updates automatically.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#615857 - Google Desktop vulnerable to to cross-site scripting

    US-CERT recommends the following workaround to help mitigate the security risks:

    • Disable JavaScript in your browser.

    Vulnerability in JBOSS Application Server

    added February 20, 2007 | updated February 22, 2007

    US-CERT is aware of a vulnerability in JBoss Application Server. If the JBoss Application Server is installed without using the advanced installer, and these steps are not taken to secure the server, a vulnerable condition may occur. If a JBoss Application Server is improperly configured to allow unauthenticated access to the administrative interface, and is accessible from a network, then an unauthenticated, remote attacker may be able to gain access to, and possibly modify, data on the server.

    Note: Using the advanced installer options will configure JBoss to allow only authenticated administrative access by default.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#632656 - JBoss Application Server fails to properly restrict access to the administrative interface.

    Multiple Vulnerabilities in Trend Micro ServerProtect

    added February 21, 2007 | updated February 21, 2007

    US-CERT is aware of multiple stack-based buffer overflow vulnerabilities in the Trend Micro ServerProtect "stcommon.dll" and "eng50.dll" modules. Exploitation of these vulnerabilities may allow execution of arbitrary code with SYSTEM privileges.

    More information about the vulnerabilities can be found in the following:

    US-CERT recommends users apply the ServerProtect 5.58 for Windows Security Patch 1- Build 1171 patch as soon as possible.


    Vulnerability in Sourcefire Snort Preprocessor

    added February 19, 2007 | updated February 20, 2007

    US-CERT is aware of a stack-based buffer overflow vulnerability in the Sourcefire Snort DCE/PRC preprocessor. Sourcefire Snort is an intrusion detection and prevention solution and is included with a variety of UNIX and Linux distributions. The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. By sending a specially crafted TCP packet, a remote attacker could execute arbitrary code with privileges of the Snort process.

    Note: The DCE/RPC preprocessor is enabled by default. Users who have disabled the DCE/RPC preprocessor are not vulnerable.

    More information about this vulnerability is located in the following:

    • Vulnerability Note VU#196240 - Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets
    • Technical Cyber Security Alert TA07-050A - Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow
    • Sourcefire Advisory 2007-02-19 - Vulnerability in Snort DCE/RPC Preprocessor

    US-CERT recommends the following actions to help mitigate the security risks:

    • Upgrade to Snort 2.6.1.3 (or later) as soon as possible.
    • Contact Sourcefire Support for upgrades to Sourcefire products.
    • Disable the DCE/RPC preprocessor if unable to upgrade.
      • Be advised that disabling the DCE/RPC preprocessor could allow attackers to bypass detection for some types of attacks.

    Apple Releases Security Update 2007-002 for Multiple Vulnerabilities

    added February 16, 2007 | updated February 16, 2007

    Apple has released Security Update 2007-002 to address multiple vulnerabilities in Mac OS X and related products. The impacts of these vulnerabilities include remote code execution, denial of service, and system privilege elevation. These vulnerabilities were also announced during the Month of Apple Bugs.

    More information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-047A.

    US-CERT encourages users to apply the appropriate updates as soon as possible.

    US-CERT will continue to investigate these vulnerabilities and provide additional information as it becomes available.


    Symantec Warns Users of New Drive-By Pharming Attack

    added February 16, 2007

    In an announcement made yesterday, security researchers at Symantec and Indiana University School of Informatics revealed that they had uncovered a serious new security threat targeting home broadband routers. The attack, dubbed Drive-By Pharming, allows an attacker to change the configuration of a home router when a user unknowingly visits a malicious website. The website employs malicious JavaScript code that allows an attacker to log into many types of home routers if the default password has not been changed. Once logged in, the attacker is able to change the configuration of the home router, including the Domain Name Server (DNS) server settings.

    This type of attack is particularly concerning for a few reasons:

    • Simply viewing the malicious webpage is all that is required for a user to fall victim to this attack.
    • Many home users fail to change the default password on their broadband routers. The Symantec report indicates that 50% of all users could fall into this category.
    • Changing the Domain Name Server (DNS) server settings allow an attacker to redirect the home user to a DNS server of their choice. This includes a malicious server set up by the attacker to direct users to other malicious websites, where information such as financial account numbers, passwords, and other sensitive data can be stolen.

    Symantec notes that the best defense against this type of attack is for home users to change their default password. The following links provide support resources for three of the more common home router vendors:

    US-CERT cautions users to avoid clicking on links sent in unsolicited emails. Users should also remain cautious when browsing the web and avoid visiting untrusted sites. More information can be found in Securing Your Web Browser document.

    To learn more, or to view a flash-animation of the attack, visit Security Response Weblog.


    Cisco Releases Security Advisories to Address Multiple Vulnerabilities in PIX, ASA, and FWSM

    added February 16, 2007

    Cisco has released Security Advisory cisco-sa-20070214-pix to address multiple vulnerabilities in the PIX 500 Series Security Appliances and the ASA 5500 Series Adaptive Security Appliances. The vulnerabilities exist due to flaws in the way Cisco PIX and ASA appliances process malformed HTTP requests, SIP packets, and TCP-based packets. By sending specially crafted packets to a vulnerable appliance, an attacker may be able to cause a denial of service, escalate user privileges, or take complete control of the appliance.

    Note: The Security Advisory also states that some of these vulnerabilities affect the Cisco Firewall Services Module (FWSM).

    More information about these vulnerabilities is located in the following:

    US-CERT encourages administrators to apply the fixes and workarounds described in the following documents:

    US-CERT will continue to monitor this issue and provide additional information as it becomes available.