  • March 30, 2007 - Current Activity

    This is an archived copy of current activity. If you would like to see the most recent version, please click here.

    March 30 - Fake Internet Explorer 7 Installer Phishing Attacks
    March 30 - Publicly Available Exploit for Computer Associates BrightStor ARCserve Backup Vulnerability
    March 30 - Cisco Releases Security Advisory to Address Multiple Vulnerabilities in Unified CallManager and Presence Server
    March 29 - Active Exploitation of an Unpatched Vulnerability in Microsoft Windows ANI Handling
    March 27 - Microsoft Releases Security Advisory for Attack Against Web Proxy Automatic Discovery (WPAD)
    March 26 - Exploit Code Available for Microsoft ADODB.Connection ActiveX Control Vulnerability
    March 26 - Vulnerability in NETxAutomation NETxEIB OPC Server
    March 22 - Gozi Trojan Targets Microsoft Internet Explorer Vulnerabilities
    March 21 - Mozilla Releases Security Advisory to Address a Vulnerability in Client Products
    March 16 - Computer Associates BrightStor ARCServe Backup Updates
    March 14 - Microsoft Releases Windows Server 2003 Service Pack 2



    Fake Internet Explorer 7 Installer Phishing Attacks

    added March 30, 2007

    US-CERT is aware of reports of malware using social engineering to propagate. Spam appearing to come from "admin@microsoft.com" contains a link to a malicious file that claims to be an installer for Internet Explorer 7. Typically the file is named "IE7.0.exe" and if executed installs a rootkit on the target machine.

    US-CERT encourages users to take the following preventative measures to help mitigate this risk:

    US-CERT will continue to investigate and provide additional information as it becomes available.


    Publicly Available Exploit for Computer Associates BrightStor ARCserve Backup Vulnerability

    added March 30, 2007

    US-CERT is aware of publicly available exploit code for a vulnerability in Computer Associates' BrightStor ARCserve Backup software. The vulnerability is caused by an unspecified error in the way that the "mediasvr.exe" process handles crafted RPC requests. Successful exploitation of the vulnerability allows an attacker to gain shell access to the target machine.

    Until a fix becomes available, US-CERT recommends that users restrict access to RPC.

    US-CERT will continue to investigate and provide additional information as it becomes available.


    Cisco Releases Security Advisory to Address Multiple Vulnerabilities in Unified CallManager and Presence Server

    added March 30, 2007

    Cisco Systems has released Security Advisory cisco-sa-20070328-voip to address multiple vulnerabilities in the Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS). The advisory indicates that the following attack vectors could be used against a vulnerable system:

    • It may be possible to crash a CallManager system, resulting in a denial of service, by sending a series of specially crafted packets to the Skinny Call Control Protocol (SCCP) service port.
    • It may be possible to cause various CUCM / CUPS services to crash, resulting in a denial of service, by sending a large number of ICMP Echo Requests (Ping) to a CUCM or CUPS system.
    • It may be possible to cause various CUCM / CUPS services to fail, resulting in a denial of service, by sending a specific UDP packet to the IPSec Manager Service on UDP port 8500.

    There are no workarounds for these vulnerabilities; however, Cisco has released free software to address the flaws described in this report.

    More information, including links to the fixes, can be found in Cisco Security Advisory cisco-sa-20070328-voip - Multiple Cisco Unified CallManager and Presence Server Denial of Service Vulnerabilities.


    Active Exploitation of an Unpatched Vulnerability in Microsoft Windows ANI Handling

    added March 29, 2007

    US-CERT is aware of a new, unpatched vulnerability in Microsoft Windows that could allow an attacker to execute arbitrary code. This vulnerability is caused by Windows failing to properly handle specially crafted animated cursor (ANI) files. According to public reports, this vulnerability is actively being exploited via Internet Explorer. Specifically, the reports claim that browsing to a specially crafted web page with Microsoft Internet Explorer results in exploitation.

    More information about this vulnerability can be found in the following:

    Note: Configuring Outlook Express to read email in plaintext will not protect against this vulnerability. Outlook Express in plaintext mode will download and parse a malicious .ANI file referenced in the email message without prompting.

    US-CERT will continue to investigate this vulnerability and provide more information as it becomes available.


    Microsoft Releases Security Advisory for Attack Against Web Proxy Automatic Discovery (WPAD)

    added March 27, 2007

    Microsoft has released Security Advisory 934864 to address a recently disclosed attack method against the Microsoft Web Proxy Automatic Discovery (WPAD) protocol. An attacker with the ability to register a WPAD entry in a Domain Name System (DNS) or Windows Internet Naming Service (WINS) server may be able to cause a WPAD-configured client to resolve the WPAD name to an arbitrary host and retrieve a malicious WPAD.dat file from it. This may allow the attacker access to the client's traffic by routing it through a malicious proxy server.

    US-CERT recommends that network administrators reserve static WPAD DNS host names and WPAD WINS name records as described in Microsoft Security Advisory 934864.
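
    The check below is an added example, not code from US-CERT or Microsoft: it lists the WPAD host names a client could look up and flags any that are unregistered or that resolve outside an approved set of hosts. It assumes clients walk up their DNS suffix when searching for a WPAD host; the function names, zone data and addresses are constructed for illustration.

```python
# Added example: audit WPAD name resolution for one client.
# All host names and addresses below are constructed sample data.

def wpad_candidates(client_fqdn, min_labels=2):
    """Names a DNS-based WPAD client may try, assuming suffix devolution:
    host.a.b.example -> wpad.a.b.example, wpad.b.example, ..."""
    labels = client_fqdn.rstrip(".").lower().split(".")[1:]  # drop the host label
    names = []
    while len(labels) >= min_labels:  # stop before a bare top-level domain
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names

def audit_wpad(client_fqdn, resolve, approved_hosts):
    """Classify each candidate name.
    resolve(name) returns a list of addresses, or [] when no record exists."""
    findings = []
    for name in wpad_candidates(client_fqdn):
        addrs = resolve(name)
        if not addrs:
            status = "UNRESERVED"   # no record: the name is free to be registered
        elif set(addrs) <= set(approved_hosts):
            status = "OK"           # every answer is an approved proxy-config host
        else:
            status = "UNAPPROVED"   # at least one answer is outside the approved set
        findings.append((name, status, addrs))
    return findings

# Constructed zone data standing in for real DNS answers.
SAMPLE_ZONE = {
    "wpad.corp.example.com": ["10.0.0.53"],
    "wpad.example.com": ["203.0.113.7"],
}

def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    report = audit_wpad("pc17.lab.corp.example.com", sample_resolve, {"10.0.0.53"})
    for name, status, addrs in report:
        print(f"{status:11} {name} {addrs}")
```

    Names reported as UNRESERVED are the ones the advisory's recommendation covers: reserve them statically so they cannot be registered by someone else.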


    Exploit Code Available for Microsoft ADODB.Connection ActiveX Control Vulnerability

    added March 26, 2007

    US-CERT is aware of publicly available exploit code for a vulnerability in the Microsoft ADODB.Connection ActiveX Control. The vulnerability in the ADODB.Connection ActiveX object causes memory corruption, and may allow a remote, unauthenticated attacker to cause Internet Explorer to crash or potentially execute arbitrary code.

    More information about this vulnerability can be found in the following:

    • Vulnerability Note VU#589272 - ADODB.Connection ActiveX control memory corruption vulnerability
    • Microsoft Security Bulletin MS07-009

    US-CERT recommends the following actions to help mitigate the security risks:


    Vulnerability in NETxAutomation NETxEIB OPC Server

    added March 26, 2007

    US-CERT is aware of a vulnerability that affects the NETxAutomation NETxEIB OPC Server. Specifically, the server fails to properly verify OPC server handles. An attacker with access to the NETxEIB OPC Server may be able to arbitrarily access server process memory and potentially execute arbitrary code or cause a denial of service.

    More information about this vulnerability can be found in the following:

    • Vulnerability Note VU#296593 - NETxAutomation NETxEIB OPC Server fails to properly validate OPC server handles
    • Neutralbit Security Advisory NB07-22

    US-CERT recommends the following actions to help mitigate the security risks:

    • Upgrade the NETxEIB OPC Server to version 3.0.1300 as soon as possible.
    • Apply the patch for NETxEIB OPC Server version 3.0 if upgrading is not possible.
    • Restrict access to the server.

    Gozi Trojan Targets Microsoft Internet Explorer Vulnerabilities

    added March 22, 2007

    SecureWorks recently issued a report detailing their findings of a Russian Trojan program called Gozi that is responsible for stealing user account and password information from more than 5,200 hosts and 10,000 user accounts. The Trojan is reportedly spread via IE browser exploits and has primarily targeted infected home computers. To read the full report, visit SecureWorks.

    While new and sophisticated exploits can be difficult to defend against, US-CERT encourages users to take the following preventative measures to help mitigate browser-based security risks:


    Mozilla Releases Security Advisory to Address a Vulnerability in Client Products

    added March 21, 2007

    Mozilla has released Security Advisory 2007-11 to address a vulnerability in Firefox and SeaMonkey.

    US-CERT strongly encourages users to upgrade to Firefox 2.0.0.3 as soon as possible.


    Computer Associates BrightStor ARCServe Backup Updates

    added March 16, 2007

    Computer Associates has released updates to address four vulnerabilities in their BrightStor ARCserve Backup product. The most severe of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code or create a denial of service condition.

    More information about these vulnerabilities can be found in the Security Notice for BrightStor ARCserve Backup Tape Engine and Portmapper.

    US-CERT will continue to investigate these vulnerabilities and provide additional information as it becomes available.


    Microsoft Releases Windows Server 2003 Service Pack 2

    added March 14, 2007

    Microsoft has released Windows Server 2003 Service Pack 2. This update package provides the following security enhancements:

    • The ability to simplify the creation and maintenance of the Internet Protocol security (IPsec) policy
    • Group Policy support for non-broadcasting networks and Wi-Fi Protected Access 2 (WPA2) settings to allow Windows wireless client configuration
    • Windows wireless client support for WPA2 with the following features:
      • Non-broadcast network profiles are now marked with a flag to improve the security of the Windows wireless client.
      • Windows will not automatically connect to a peer-to-peer network, even if it has been automatically saved in the preferred network list.

    More information concerning this update package is located in the following:

    US-CERT encourages affected administrators to apply this update package as soon as possible.