September 10, 2007 - Current Activity

Storm Worm Variant Spreads by Fictitious NFL Email

US-CERT is aware of public reports that the Storm Worm variant, previously reported in the US-CERT Current Activity on 29-June-2007, is currently spreading by email messages purporting to be an NFL (National Football League) game statistics website. This variant of the Storm Worm arrives as an email message and contains a link to a malicious website that, when visited, installs malware on the user's system.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.   
  
• Block executable and unknown file types at the email gateway.
• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks. 

Microsoft Releases Advance Notification for September Security Bulletins

Microsoft has issued a Security Bulletin Advance Notification indicating that their September release cycle will contain five bulletins, some of which have a maximum severity rating of Critical. The notification further states that the bulletins are for Windows, Visual Studio, Windows Services for UNIX, Subsystem for UNIX-based Applications, MSN Messenger, Windows Live Messenger, and SharePoint Server. The release is scheduled for Tuesday, September 11, 2007.

US-CERT will provide additional information as it becomes available.

Apple Releases Security Update to Address Vulnerability in iTunes

Apple has released iTunes 7.4 to address a vulnerability in the way that iTunes processes album cover art. By enticing a user to open a specially crafted music file, an attacker may be able to execute arbitrary code on an affected system.

US-CERT recommends that users update to iTunes version 7.4 as soon as possible. 

Cisco Addresses Vulnerabilities in Content Switching Module and Video Surveillance Products

Cisco has issued two Security Advisories to address vulnerabilities in their Content Switching Module, Video Surveillance IP Gateway, Services Platform, and Integrated Services Platform devices. These vulnerabilities may allow a remote, unauthenticated user to cause a denial-of-service condition or gain complete administrative control of an affected device.

For more information about these vulnerabilities and affected products, see "Denial of Service Vulnerabilities in Content Switching Module" and "Cisco Video Surveillance IP Gateway and Services Platform Authentication Vulnerabilities."

US-CERT strongly recommends that administrators review the advisories and follow best-practice security policies to determine what updates or workarounds should be applied.

Multiple Vulnerabilities in Kerberos Administration Daemon

US-CERT is aware of multiple vulnerabilities in the Kerberos administration daemon that may allow a remote user to execute arbitrary code or cause a denial-of-service condition on an affected system.

More information regarding these vulnerabilities may be found in the following:

• Vulnerability Notes Database
• MIT krb5 Security Advisory 2007-006

USAJOBS and Monster Resume Database Compromise

US-CERT is aware of a database compromise affecting Monster.com. Reports indicate that the resume database was targeted and that subscriber names, addresses, phone numbers, and email addresses were disclosed to the attacker. This compromise also affects USAJOBS.gov subscribers as Monster Worldwide is the technology provider for USAJOBS. Monster states that social security numbers have not been compromised as USAJOBS has security policies in place to safeguard them.

More information may be found at the following:

• Monster.com
• USAJOBS.gov

Quiksoft EasyMail SMTP ActiveX Control Vulnerabilities

US-CERT is aware of publicly available exploit code for vulnerabilities in the Quiksoft EasyMail SMTP ActiveX control. This control is packaged with several applications, including Earthlink internet access software. These stack buffer overflow vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. 

More information about this vulnerability can be found in the Vulnerability Note VU#281977.

US-CERT recommends the workarounds as described in Vulnerability Note VU#281977 to help mitigate the security risks.