March 14, 2008 - Current Activity

Websites Compromised Through SQL Injection

US-CERT has seen reports of an attack that has compromised a large number of legitimate websites. The reports indicate that attackers are modifying the sites and embedding a reference to JavaScript code. Users who visit one of these infected websites may unknowingly execute malicious code. This code attempts to exploit known vulnerabilities for which patches are available but may not have been applied to the victim's system.

This issue is currently exploiting a variety of vulnerabilities:

• Baofeng Storm ActiveX
• Ourgame GLChat ActiveX
• Microsoft Internet Explorer VML (VU#122084)
  
• Qvod Player ActiveX
• Microsoft RDS.Dataspace ActiveX (VU#234812)
  
• RealPlayer playlist ActiveX (VU#871673)
  
• Storm Player ActiveX
• Microsoft Windows WebViewFolderIcon ActiveX (VU#753044)
  
• Xunlei Thunder DapPlayer ActiveX

• Regularly apply software updates and patches provided by vendors.
• Disable JavaScript and ActiveX as described in the Securing Your Web Browser document.

Search Engine IFRAME Injection Attacks

US-CERT has seen reports of attacks using specially crafted URLs that inject IFRAMEs as terms into search engines on legitimate websites.  The affected URLs include popular search terms, and may be returned as high ranking results in internet search engines. If the site hosting the search engine is vulnerable to cross-site scripting, users who follow the affected URLs may be unknowingly redirected to malicious websites. These sites may then attempt to exploit web browser vulnerabilities, entice users to download and install malicious code, or display unsolicited advertisements.

US-CERT encourages users to do the following to help mitigate the risk of this and similar attacks:

• Regularly apply software updates and patches provided by vendors.
• Disable JavaScript and ActiveX as described in the Securing Your Web Browser document.

Microsoft Updates March Security Bulletin

Microsoft has made revisions to all of the March Security Bulletins. These revisions

• Clarify why a non-vulnerable version of Office was offered during this update.
• Correct the registry key for verifying the update for ISA Server.
• Remove MS07-015 as a replaced bulletin for Microsoft Office XP Service Pack 3.
• Update vulnerability FAQs
• Update file information tables for Outlook 2000 and 2003.

Cisco Releases Security Advisory to Address Multiple Vulnerabilities

Cisco has released Security Advisory cisco-sa-20080312-ucp to address multiple vulnerabilities in the Cisco Secure Access Control Server for Windows User-Changeable Password (UCP) application. These vulnerabilities are due to buffer overflow conditions and improper sanitization of input passed to CSuserCGI.exe. Exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code.

US-CERT encourages users to review Cisco Security Advisory cisco-sa-20080312-ucp and apply any necessary updates.

US-CERT will provide more information as it becomes available.

Adobe Releases Security Bulletins to Address Multiple Vulnerabilities

Adobe has issued six security bulletins to address multiple vulnerabilities in the following Adobe products:

• Adobe Reader 8.1.2 for Unix
• ColdFusion MX 7 and ColdFusion 8
• Adobe Form Designer 5.0 and Adobe Form Client 5.0 Components
• LiveCycle Workflow 6.2

• Execute arbitrary code
• Escalate privileges
• Manipulate data
• Bypass security settings
• Conduct cross-site scripting attacks

RealPlayer ActiveX Vulnerability

US-CERT is aware of reports of a vulnerability in RealPlayer. This vulnerability is due to improper handling of the "Console" property in the RealPlayer ActiveX control (rmoc3260.dll). Exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.

US-CERT encourages users to do the following to help mitigate the risk:

• Review US-CERT Vulnerability Note VU#831457.
  
• Review Microsoft Support Document 240797 and set kill bits for the following CLSIDs:

• Review the Securing Your Web Browser document and disable ActiveX controls.

Microsoft Releases March Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Excel, Outlook, Office, and Office Web Components as part of the Microsoft Security Bulletin Summary for March 2008. All of these vulnerabilities could allow an attacker to execute arbitrary code.

US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Trojan Exploiting Microsoft Excel Vulnerability

US-CERT is aware of public reports of a trojan that may exploit a vulnerability in Microsoft Excel. This trojan is circulating through email messages that contain attached Excel files. Known file names for these attachments are OLYMPIC.XLS and SCHEDULE.XLS. These files may also contain Windows binary executables that can compromise an affected system.

US-CERT encourage users to do the following to help mitigate the risk:

• Review Microsoft Security Bulletin MS08-014 and apply any necessary updates.
  
• Do not open unsolicited or untrusted email messages.
• Use caution when opening email attachments.
• Block executable files and unknown file types at the email gateway.
• Install anti-virus software, and keep its virus signature files up-to-date.
• Review the US-CERT Cyber Security Tip - Using Caution with Email Attachments.

GNOME Evolution Vulnerability

US-CERT is aware of a vulnerability in GNOME Evolution. This vulnerability, which is caused by a format string error in the "emf_multipart_encrypted()" function in mail/em-format.c, occurs when displaying data from an encrypted email message. By convincing a user to select a specially crafted email message, a remote, authenticated attacker may be able to execute arbitrary code.

US-CERT encourages users and administrators to apply updates as soon as possible. Administrators who compile Evolution from source should refer to GNOME Bug ID 520745; others should refer to their operating system vendor for updated software.

US-CERT will provide more information as it becomes available.

Sun Java SE Updates

Sun has released updates for Java SE. These updates address multiple vulnerabilities in Java Web Start, Java JDK, Java JRE, and Java SDK. These vulnerabilities may allow a remote attacker to execute arbitrary code, bypass security restrictions, or cause a denial-of-service condition.

US-CERT encourages users to review the following Sun Alerts and apply any necessary updates:

• Sun Alert 233321 - Two Security Vulnerabilities in the Java Runtime Environment Virtual Machine
• Sun Alert 233322 - Security Vulnerability in the Java Runtime Environment with the Processing of XSLT Transformations
• Sun Alert 233323 - Multiple Security Vulnerabilities in Java Web Start May Allow an Untrusted Application to Elevate Privileges
• Sun Alert 233324 - A Security Vulnerability in the Java Plug-in May Allow an Untrusted Applet to Elevate Privileges
• Sun Alert 233325 - Vulnerabilities in the Java Runtime Environment image Parsing Library
• Sun Alert 233326 - Security Vulnerability in the Java Runtime Environment May Allow Untrusted JavaScript Code to Elevate Privileges through Java APIs
• Sun Alert 233327 - Buffer Overflow Vulnerability in Java Web Start May Allow an Untrusted Application to Elevate its Privileges