January 31, 2008 - Current Activity

Possible Department of Justice Phishing Campaign

US-CERT has received information indicating that a phishing campaign involving targeted malicious email messages may be imminent. The messages may attempt to convince users that they are the subject of a business complaint filed through the Department of Justice, and could include a malicious attachment or a link to a malicious website.

To help protect against this type of attack, US-CERT recommends that users never open attachments or click links contained in unsolicited email messages. More information on how to avoid becoming a victim of such an attack can be found in the US-CERT Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Attacks Cyber Security Tips.

Communication Interruption Due to Mediterranean Cable Break

Internet and voice communications in many countries have been interrupted by a break in the Mediterranean cable that provides those services.  Reports are stating that repairs may take considerable time to complete and that other methods of connectivity are being implemented.

This event may affect communications for the following countries:

• Pakistan
• Egypt
• Maldives
• Kuwait
• Lebanon
• Algeria
• Sudan
• UAE
• Syria
• Saudi Arabia
• Bahrain
• India

• CNN.com Feature Article
• Renesys Blog

Storm Worm Directing Users to Medical Spam Web Sites

US-CERT is aware of a variant of the Storm Worm that sends unsolicited email messages to users and attempts to evade spam filtering. When a user receives this email message, it will contain a link in the format of:

http://<IP Address>/<random directory name>

The link directs the user to a website containing spam about medical information.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Block executable and unknown file types at the email gateway.
• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Cisco Releases Security Advisories to Address a Vulnerability in the Cisco Wireless Control System

Cisco has released Security Advisory cisco-sa-20080130-wcs to address a vulnerability in the Wireless Control System. The vulnerability exists in the Apache Tomcat URI handler and may allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.

More information and workarounds regarding this vulnerability can be found in the Cisco Security Advisory cisco-sa-20080130-wcs.

GE Fanuc Product Vulnerabilities

Vulnerabilities in GE Fanuc CIMPLICITY and Proficy Real-Time Information Portal could allow an attacker to execute arbitrary code, obtain user credentials, upload and execute arbitrary files, or cause a denial-of-service condition.

US-CERT encourages users to review the following:

• Vulnerability Notes Database
• GE Fanuc Proficy Real-Time Information Portal allows arbitrary file upload and execution (KB12460)
• GE Fanuc Proficy Real-Time Information Portal transmits authentication credentials in plain text (KB12459)
• Buffer Overflow Allows Remote Code Execution (KB12458)

IBM AIX Vulnerabilities

US-CERT is aware of multiple vulnerabilities affecting IBM AIX.  These vulnerabilities may allow a local attacker to gain escalated privileges on an affected system, gain access to sensitive information, or alter the behavior of system software.

US-CERT encourages users to visit the IBM web site for further information regarding these vulnerabilities.

US-CERT will provide more information as it becomes available.

Sun Releases Java Update

US-CERT is aware that Sun has released an update to Java SE 6 containing fixes for 375 bugs. Users are encouraged to install the appropriate updates and should be aware that installing this new version of Java SE may not remove previous versions of the software. 

For more information please see the following:

• Java SE 6 Update Release Notes
• Java SE Downloads

Mozilla Firefox Chrome Vulnerability

US-CERT is aware of reports of a vulnerability in Mozilla Firefox that may allow directory traversal within the chrome protocol scheme. This vulnerability could lead to information disclosure and affects users that have certain "flat" packaged add-ons installed. 

US-CERT encourages users to:

• Review the Mozilla Security Blog referencing this issue
• Consider following the best security practices found in the Securing Your Web Browser Document to help mitigate the risks

Microsoft Security Bulletin Re-Releases and Revisions

Microsoft has re-released the following Security Bulletins:

• MS08-001, Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution, has been updated to include Windows Small Business Server 2003 Service Pack 2 as an affected product.
• MS07-064, Vulnerabilities in DirectX Could Allow Remote Code Execution, has been updated to reflect that DirectX 9.0 and 9.0b are included in the update.

• MS07-068, Vulnerability in Windows Media File Format Could Allow Remote Code Execution, has been updated to include information about installing the updates for Windows Media Format Runtime 9.5 on Windows XP Professional x64 Edition.
• MS07-057, Cumulative Security Update for Internet Explorer, has been updated to include information about address rendering issues.

Cisco Releases Security Advisories to Address Vulnerabilities in PIX, ASA, and AVS

Cisco has released Security Advisory cisco-sa-20080123-asa and cisco-sa-20080123-avs to address vulnerabilities in the PIX 500 Series Security Appliance (PIX), 5500 Series Adaptive Security Appliance (ASA), and Application Velocity System (AVS). 

The vulnerability affecting the PIX and ASA devices could allow a remote attacker to cause a denial-of-service condition.  The vulnerability affecting AVS could allow an attacker to gain full administrative rights to the system or user-level access to the host operating system.

More information about these vulnerabilities is located in the following Cisco documents:

• Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability (cisco-sa-20080123-asa)
• Cisco Security Advisory: Default Passwords in the Application Velocity System (cisco-sa-20080123-avs)

• Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability (cisco-sa-20080123-asa)
• Cisco Security Advisory: Default Passwords in the Application Velocity System (cisco-sa-20080123-avs)