April 16, 2007 - Current Activity

New Storm Worm Variant Spreads through Social Engineering

US-CERT is aware of a new variant of the Trojan Worm known as "Storm Worm" that uses social engineering with mass mailing to spread to unsuspecting victims. This variant of Storm Worm arrives as an email attachment and also propagates through network file shares. Clicking on the executable file in the email installs a rootkit that may mask the malicious software from virus scans and shut down running security programs. This virus then scans the machine's hard drive to harvest email addresses that can be used to launch a spam attack.

Understanding that the subject lines can change at any time, we are currently aware of the following:

• Worm Alert!
• Worm Detected
• Virus Alert
• ATTN!
• Trojan Detected!
• Worm Activity Detected!
• Spyware Detected!
• Dream of You
• Virus Activity Detected!

The message body typically contains an image with text that warns of a worm and states that the attached .zip file is a patch for the worm. The .zip file is generally password-protected with the password given in the image. Passwords may differ among samples.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Block executable and unknown file types at the email gateway.
• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Publicly Available Exploit Code for Vulnerability in RPC on Windows DNS Server

US-CERT is aware of publicly available exploit code for a buffer overflow vulnerability in the Microsoft Windows DNS service RPC management interface. We are also aware of reports indicating this vulnerability is being actively exploited.

More information about this vulnerability can be found in the following:

• Technical Cyber Security Alert TA07-103A
• Vulnerability Note VU#555920
• Microsoft Security Advisory 935964

US-CERT recommends the following actions to help mitigate the security risks:

• Disable the RPC interface used by the Microsoft Windows DNS service
• Block or Restrict access to RPC at the network perimeter

Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

Microsoft has released a security advisory regarding a vulnerability in the Domain Name System (DNS) Server Service. This vulnerability affects Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.

More information about this vulnerability can be found in the following:

• Technical Cyber Security Alert TA07-103A
• Vulnerability Note VU#555920
• Microsoft Security Advisory 935964

US-CERT will continue to investigate and provide additional information as it becomes available.

Cisco Releases Security Advisories to Address Multiple Vulnerabilities in Cisco Wireless Products

Cisco has released Security Advisories cisco-sa-20070412-wcs and cisco-sa-20070412-wlc to address multiple vulnerabilities in Cisco Wireless Control System, Wireless LAN Controller, and Lightweight Access Points. The impacts of these vulnerabilities include denial of service, information disclosure, access control list changes, privilege escalation, unauthorized access through fixed authentication credentials, and the ability to gain full administrative access.

More information about these vulnerabilities is located in the following:

• Cisco Security Advisory cisco-sa-20070412-wcs - Multiple Vulnerabilities in Cisco Wireless Control System
• Cisco Security Advisory cisco-sa-20070412-wlc - Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points

US-CERT encourages administrators to apply the fixes and workarounds as described in Cisco Security Advisories cisco-sa-20070412-wcs and cisco-sa-20070412-wlc

Oracle Issues Pre-Release Announcement for April Critical Patch Update

Oracle has issued a Pre-Release Announcement indicating that their April Critical Patch Update (CPU) will contain 37 new security fixes across all products. The announcement further states that thirteen of the security fixes are for Oracle Database; two for Oracle Enterprise Manager; one for Oracle Workflow Cartridge; one for the Ultra Search component affect code bundled with the Oracle Database; five for Oracle Application Server; eleven for Oracle E-Business Suite; and four for Oracle PeopleSoft Enterprise.

The release is scheduled for Tuesday, April 17, 2007.

We will provide additional information as it becomes available.

Microsoft Releases April Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Content Management Server as part of the Microsoft Security Bulletin Summary for April 2007.

More information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-100A.

US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

Apple Releases Firmware Update for AirPort Extreme Base Station with 802.11n

Apple has released Firmware Update 7.1 to address CVE-2007-1338 and CVE-2007-0734 for the Airport Extreme Base Station with 802.11n.

US-CERT encourages users to apply Firmware Update 7.1 as soon as possible.

Microsoft Releases Advance Notification for April Security Bulletins

Microsoft has issued a Security Bulletin Advance Notification indicating that their April release cycle will contain five bulletins, some of which have a maximum severity rating of Critical. The notification further states that four of the bulletins are for Windows and one is for Microsoft Content Management Server, and that they also plan on releasing an updated version of the Microsoft Windows Malicious Software Removal Tool. The release is scheduled for Tuesday, April 10, 2007.

US-CERT will provide additional information as it becomes available.

Multiple Vulnerabilities in MIT Kerberos 5

US-CERT is aware of multiple vulnerabilities affecting the MIT Kerberos 5 implementation. The most severe of these vulnerabilities may allow a remote attacker to execute arbitrary code on a Kerberos Distribution Center (KDC), which may result in a compromise of the Kerberos key database.

More information about these vulnerabilities can be found in the following:

• US-CERT Technical Cyber Security Alert TA07-093B
• Vulnerability Notes Database
• MIT krb5 Security Advisory 2007-001
• MIT krb5 Security Advisory 2007-002
• MIT krb5 Security Advisory 2007-003

US-CERT recommends users apply the patches as described in MIT krb5 Security Advisories 2007-001, 2007-002, and 2007-003.

Microsoft Releases Security Bulletin to Patch Animated Cursor Vulnerability

Microsoft has released updates to address several vulnerabilities in Microsoft Windows as part of Microsoft Security Bulletin MS07-017. Note that update addresses the animated cursor ANI header stack buffer overflow vulnerability addressed in Vulnerability Note VU#191609.

Microsoft noted in the Microsoft Security Bulletin Summary for April 2007 that they will update the bulletin summary with any other security bulletins published during the scheduled release cycle on April 10 or any other day of the month.

More information about these vulnerabilities can be found in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-093A.

US-CERT strongly encourages users to review the bulletin and follow best-practice security policies to determine what updates should be applied.