April 10, 2007 - Current Activity

This is an archived copy of current activity.

Microsoft Releases April Security Bulletin
added April 10, 2007 | updated April 10, 2007

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Content Management Server as part of the Microsoft Security Bulletin Summary for April 2007. More information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-100A. US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

Apple Releases Firmware Update for AirPort Extreme Base Station with 802.11n
added April 10, 2007

Apple has released Firmware Update 7.1 to address CVE-2007-1338 and CVE-2007-0734 for the AirPort Extreme Base Station with 802.11n. US-CERT encourages users to apply Firmware Update 7.1 as soon as possible.

Microsoft Releases Advance Notification for April Security Bulletins
added April 5, 2007

Microsoft has issued a Security Bulletin Advance Notification indicating that their April release cycle will contain five bulletins, some of which have a maximum severity rating of Critical. The notification further states that four of the bulletins are for Windows and one is for Microsoft Content Management Server, and that they also plan on releasing an updated version of the Microsoft Windows Malicious Software Removal Tool. The release is scheduled for Tuesday, April 10, 2007. US-CERT will provide additional information as it becomes available.

Multiple Vulnerabilities in MIT Kerberos 5
added April 3, 2007

US-CERT is aware of multiple vulnerabilities affecting the MIT Kerberos 5 implementation. The most severe of these vulnerabilities may allow a remote attacker to execute arbitrary code on a Kerberos Distribution Center (KDC), which may result in a compromise of the Kerberos key database.
More information about these vulnerabilities can be found in the following:
US-CERT recommends users apply the patches as described in MIT krb5 Security Advisories 2007-001, 2007-002, and 2007-003.

Microsoft Releases Security Bulletin to Patch Animated Cursor Vulnerability
added April 3, 2007

Microsoft has released updates to address several vulnerabilities in Microsoft Windows as part of Microsoft Security Bulletin MS07-017. Note that this update addresses the animated cursor ANI header stack buffer overflow vulnerability addressed in Vulnerability Note VU#191609. Microsoft noted in the Microsoft Security Bulletin Summary for April 2007 that they will update the bulletin summary with any other security bulletins published during the scheduled release cycle on April 10 or any other day of the month. More information about these vulnerabilities can be found in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-093A. US-CERT strongly encourages users to review the bulletin and follow best-practice security policies to determine what updates should be applied.

Microsoft Releases Advance Notification for Critical Security Bulletin
added April 2, 2007

Microsoft has issued a Security Bulletin Advance Notification indicating that they will be releasing a single critical Security Bulletin affecting Microsoft Windows. This release falls outside of Microsoft's normal release schedule for security updates, and is scheduled for Tuesday, April 3, 2007. US-CERT will provide additional information as it becomes available.

Active Exploitation of an Unpatched Vulnerability in Microsoft Windows ANI Handling
added March 29, 2007 | updated April 2, 2007

US-CERT is aware of a new, unpatched vulnerability in Microsoft Windows that could allow an attacker to execute arbitrary code. This vulnerability is caused by Windows failing to properly handle specially crafted animated cursor (ANI) files. According to public reports, this vulnerability is actively being exploited via Internet Explorer.
Specifically, the reports claim that browsing to a specially crafted web page with Microsoft Internet Explorer results in exploitation. More information about this vulnerability can be found in the following:
Note: Configuring Outlook Express to read email in plaintext will not protect against this vulnerability. Outlook Express in plaintext mode will download and parse a malicious .ANI file referenced in the email message without prompting.

US-CERT will continue to investigate this vulnerability and provide more information as it becomes available.

Fake Internet Explorer 7 Installer Phishing Attacks
added March 30, 2007

US-CERT is aware of reports of malware using social engineering to propagate. Spam appearing to come from "admin@microsoft.com" contains a link to a malicious file that claims to be an installer for Internet Explorer 7. Typically the file is named "IE7.0.exe" and if executed installs a rootkit on the target machine. US-CERT encourages users to take the following preventative measures to help mitigate this risk:
US-CERT will continue to investigate and provide additional information as it becomes available.

Publicly Available Exploit for Computer Associates BrightStor ARCserve Backup Vulnerability
added March 30, 2007

US-CERT is aware of publicly available exploit code for a vulnerability in Computer Associates' BrightStor ARCserve Backup software. The vulnerability is caused by an unspecified error in the way that the "mediasvr.exe" process handles crafted RPC requests. Successful exploitation of the vulnerability allows an attacker to gain shell access to the target machine. Until a fix becomes available, US-CERT recommends that users restrict access to RPC. US-CERT will continue to investigate and provide additional information as it becomes available.

Cisco Releases Security Advisory to Address Multiple Vulnerabilities in Unified CallManager and Presence Server
added March 30, 2007

Cisco Systems has released Security Advisory cisco-sa-20070328-voip to address multiple vulnerabilities in the Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS). The advisory indicates that the following attack vectors could be used against a vulnerable system:
There are no workarounds for these vulnerabilities; however, Cisco has released free software to address the flaws described in this report. More information, including links to the fixes, can be found in Cisco Security Advisory cisco-sa-20070328-voip - Multiple Cisco Unified CallManager and Presence Server Denial of Service Vulnerabilities.