March 27, 2007 - Current Activity

Microsoft Releases Security Advisory for Attack Against Web Proxy Automatic Discovery (WPAD)

Microsoft has released Security Advisory 934864 to address a new, recently disclosed attack method against the Microsoft Web Proxy Automatic Discovery (WPAD) protocol. An attacker with the ability to register a WPAD entry in a Domain Name System (DNS) or Windows Internet Naming Service (WINS) server may be able to cause a WPAD-configured client to resolve to an arbitrary host and retrieve the malicious WPAD.dat file. This may allow the attacker access to the client's traffic by routing it through a malicious proxy server.

US-CERT recommends that network administrators reserve static WPAD DNS host names and WPAD WINS name records as described in Microsoft Security Advisory 934864.

Exploit Code Available for Microsoft ADODB.Connection ActiveX Control Vulnerability

US-CERT is aware of publicly available exploit code for a vulnerability in the Microsoft ADODB.Connection ActiveX Control. The vulnerability in the ADODB.Connection ActiveX object causes memory corruption, and may allow a remote, unauthenticated attacker to cause Internet Explorer to crash or potentially execute arbitrary code.

More information about this vulnerability can be found in the following:

• Vulnerability Note VU#589272- ADODB.Connection ActiveX control memory corruption vulnerability
• Microsoft Security Bulletin MS07-009

US-CERT recommends the following actions to help mitigate the security risks:

• Apply the update as described in Microsoft Security Bulletin MS07-009
• Disable the ADODB.Connection ActiveX control in Internet Explorer, as specified in Vulnerability Note VU#589272
• Disable ActiveX
• For more information on disabling ActiveX, please refer to the Securing Your Web Browser document and the Malicious Web Scripts FAQ.

Vulnerability in NETxAutomation NETxEIB OPC Server

US-CERT is aware of a vulnerability that affects the NETxAutomation NETxEIB OPC Server. Specifically, the server fails to properly verify OPC server handles. An attacker with access to the NETxEIB OPC Server may be able to arbitrarily access server process memory and potentially execute arbitrary code or cause a denial of service.

More information about this vulnerability can be found in the following:

• Vulnerability Note VU#296593 - NETxAutomation NETxEIB OPC Server fails to properly validate OPC server handles
• Neutralbit Security Advisory NB07-22

US-CERT recommends the following actions to help mitigate the security risks:

• Upgrade the NETxEIB OPC Server to version 3.0.1300 as soon as possible.
• Apply the patch for NETxEIB OPC Server version 3.0 if upgrading is not possible.
• Restrict access to the server.

Gozi Trojan Targets Microsoft Internet Explorer Vulnerabilities

SecureWorks recently issued a report detailing their findings of a Russian Trojan program called Gozi that is responsible for stealing user account and password information from more than 5,200 hosts and 10,000 user accounts. The Trojan is reportedly spread via IE browser exploits and has primarily targeted infected home computers. To read the full report, visit SecureWorks.

While new and sophisticated exploits can be difficult to defend against, US-CERT encourages users to take the following preventative measures to help mitigate browser-based security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Review the Securing Your Web Browser document.

Mozilla Releases Security Advisory to Address a Vulnerability in Client Products

Mozilla has released Security Advisory 2007-11 to address a vulnerability in Firefox and SeaMonkey.

US-CERT strongly encourages users to upgrade to Firefox 2.0.0.3 as soon as possible.

Computer Associates BrightStor ARCServe Backup Updates

Computer Associates has released updates to address four vulnerabilities in their BrightStor ARCserve Backup product. The most severe of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code or create a denial of service condition.

More information about these vulnerabilities can be found in the Security Notice for BrightStor ARCserve Backup Tape Engine and Portmapper.

US-CERT will continue to investigate these vulnerabilities and provide additional information as it becomes available.

Microsoft Releases Windows Server 2003 Service Pack 2

Microsoft has released Windows Server 2003 Service Pack 2. This update package provides the following security enhancements:

• The ability to simplify the creation and maintenance of the Internet Protocol security (IPsec) policy
• Group Policy support for non-broadcasting networks and Wi-Fi Protected Access 2 (WPA2) settings to allow Windows wireless client configuration
• Windows wireless client support for WPA2 with the following features:
• Non-broadcast network profiles are now marked with a flag to improve the security of the Windows wireless client.
• Windows will not automatically connect to a peer-to-peer network, even if it has been automatically saved in the preferred network list.

More information concerning this update package is located in the following:

• Release Notes for Microsoft Windows Server 2003 Service Pack 2
• Windows Server 2003 Service Pack 2 Technical Library

US-CERT encourages affected administrators to apply this update package as soon as possible.

Apple Releases Security Update to Address Multiple Vulnerabilities in Various Products

Apple has released Security Update 2007-003 to address multiple vulnerabilities in various products. The impacts of these vulnerabilities include arbitrary code execution, privilege escalation, SYSTEM level access, cross-site scripting, sensitive data exposure, file manipulation, and denial of service.

More information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-072A.

US-CERT encourages users to apply the appropriate updates as soon as possible.

No New Microsoft Security Bulletins for March

Microsoft released no new security bulletins today. They have, however, released an updated version of the Microsoft Windows Malicious Software Removal Tool. They have also released six non-security, high-priority updates.

More information can be found in Microsoft Security Bulletin Summary for March 2007.

Mozilla Releases Security Advisory to Address Multiple Vulnerabilities

Mozilla has released Security Advisory 2007-09 to address vulnerabilities in Firefox and SeaMonkey.

More information about this vulnerability is located in the following:

• Mozilla Foundation Security Advisory 2007-09

US-CERT strongly encourages users to upgrade to Firefox 2.0.0.2 and SeaMonkey 1.1.1 as soon as possible.

Apple Releases Security Update to Address Multiple QuickTime Vulnerabilities

Apple has released QuickTime 7.1.5 Update to address multiple vulnerabilities in QuickTime. The impacts of these vulnerabilities include remote code execution and denial of service.

More information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-065A.

US-CERT encourages users to apply the appropriate updates as soon as possible.

US-CERT will continue to investigate these vulnerabilities and provide additional information as it becomes available.

Daylight Saving Time Changes for 2007

The start and end dates for Daylight Saving Time (DST) will change this year in accordance with the Energy Policy Act of 2005. With the new rules, clocks will be set ahead on March 11th instead of April 1st, and will be turned back on November 4th instead of October 28th. The change will have an effect on and require updates to many computing systems that are time reliant. For example, any organization using software to perform scheduling, billing, transaction logging, and other time-related calculations could be at risk if upgrades are not performed.

All organizations should prepare for the DST changeover by analyzing their systems and applying the appropriate updates. While the level of effort will vary widely across systems, platforms, and industries, every computing environment should be assessed for potential impact, as it is likely that most systems will require some pre-changeover action. To find out more about the systems at risk, the scope of impact, and the updates required to avoid complications, visit page 3 and 4 of the most recent Quarterly Trends and Analysis Report.

WordPress Releases New Version to Address Vulnerabilities

WordPress has released a new version to address vulnerabilities introduced into version 2.1.1 by a malicious third party. These vulnerabilities allow remote, unauthenticated users to execute arbitrary system commands or PHP code.

More information about these vulnerabilities can be found in the Vulnerability Notes Database and the WordPress Blog.

US-CERT urges users who are running version 2.1.1 to upgrade to version 2.1.2 as soon as possible.

Vulnerability in Citrix Presentation Server Client

US-CERT is aware of an unspecified vulnerability in Citrix Presentation Server Client for Windows. The vulnerability exists in the way ICA connections are handled through proxy servers. By persuading a user to access a specially crafted HTML document (e.g., a web page or an HTML email message), a remote, unauthenticated attacker may be able to execute arbitrary code with privileges in the context of the client process.

More information about this vulnerability is located in the following:

• Vulnerability Note VU#798364 - Citrix Presentation Server Client vulnerable to arbitrary code execution
• Citrix Advisory CTX112589 - Vulnerability in Citrix Presentation Server Client for Windows could result in arbitrary code

US-CERT recommends that administrators upgrade to version 10.0 and later to mitigate the security risks.