January 16, 2008 - Current Activity

Apple Releases Security Updates to Address Multiple Vulnerabilities

Apple has released QuickTime 7.4, iPhone v1.1.3, and iPod touch v1.1.3 to address multiple vulnerabilities in these products. The impacts of these vulnerabilities include arbitrary code execution, application termination, authentication bypass, and cross-site scripting.

US-CERT encourages users to review Apple Article 307301 for the QuickTime update and Apple Article 307302 for the iPhone and iPod touch updates. Users are also encouraged to apply the appropriate updates as soon as possible.

More information regarding the QuickTime vulnerabilies can be found in Technical Cyber Security Alert TA08-016A.

US-CERT will continue to investigate and provide additional information as it becomes available.

Microsoft Office Excel Remote Code Vulnerability

Microsoft has released Security Advisory 947563 to address a vulnerability in Excel. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the local user.

According to Security Advisory 947563:

• This vulnerability cannot be exploited on Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1, or Microsoft Excel 2008 for Mac.
• This vulnerability does not affect customers who are running Microsoft Office Excel 2003 Service Pack 2 and have deployed Microsoft Office Isolated Conversion Environment (MOICE).

• Do not open unfamiliar or unexpected email attachments
• Review the workarounds described in Microsoft Security Advisory 947563
  

New Storm Worm Variant Spreads

US-CERT has received reports of new Storm Worm activity circulating. The emails contain romantic or Valentine's Day greetings and provide links for users to click on. The links are in the form of actual IP addresses, such as http:/x.x.x.x, although actual domain names may also be used. If a user clicks on the link provided, they will be directed to a malicious website that will attempt to exploit a variety of vulnerabilities and install malware onto the user's system.

The following are examples of some subject lines currently being used. Please note that this is not inclusive and other similar subjects are likely circulating.

• You... In My Dreams
• A Toast My Love
• Sending You My Love
• Falling In Love with You
• Special Romance
• You're In My Thoughts
• Sent with Love
• Our Love Will Last
• Our Love is Strong
• Your Love Has Opened
• You're the One
• Heavenly Love
  

• Sporting Events such as the Super Bowl
  
• Political Events such as the Presidential Primaries
  
• Other Social Events
• Holidays
  

• Install anti-virus software, and keep its virus signature files up-to-date.
• Block executable and unknown file types at the email gateway.
• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Oracle Releases Critical Patch Update for January 2008

Oracle has released their Critical Patch Update (CPU) for January 2008 to address 26 vulnerabilities across several products. This CPU contains eight security fixes for Oracle Database products; six for Oracle Application Server; one for Oracle Collaboration Suite; seven for Oracle E-Business Suite; and four for Oracle PeopleSoft Enterprise PeopleTools.

US-CERT strongly encourages users to review the January CPU and follow best-practice security policies to determine which updates to apply.

Fraudulent Mac OS Security Tool Circulating

US-CERT is aware of reports of a rogue security scanning tool circulating for Apple Mac OS, known as MacSweeper. The website hosting the tool appears to offer a free scan that when clicked on, highlights purported security issues on a users system. The website then indicates that a subscription fee is necessary in order to fix the alleged issues. Researchers have raised concern over the legitimacy of this tool and point to discrepancies in the language used to describe the software, citing plagiarism from well-known security vendor websites. In addition, some users on the Apple message boards have indicated that they are automatically being directed to the MacSweeper website while browsing online.

US-CERT reminds users to only install software from trusted sources.

Attack Vector Targets UPnP

US-CERT is aware of an attack vector targeting networking devices that support UPnP (Universal Plug and Play). This specific attack occurs via a maliciously crafted SWF file that is contained in a web site. When the web site is visited, changes may occur to a router's configuration via UPnP. This may allow an attacker to change any parameter on the router or device that can be set by UPnP.

US-CERT recommends that users consider disabling UPnP. (Note: Disabling UPnP may cause applications that rely on UPnP to fail or operate with reduced functionality.)

More information regarding this attack vector can be found in Vulnerability Note VU#347812.

QuickTime Real Time Streaming Protocol Vulnerability

US-CERT is aware of a public report of a vulnerability in Apple QuickTime. The flaw is in the way that QuickTime handles Real Time Streaming Protocol (RTSP) Response message headers. By persuading a user to access a specially crafted QuickTime file, or RTSP stream, a remote attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.

More information regarding this security risk may be found in Vulnerability Note VU#112179.