June 19, 2008 - Current Activity

New Phishing/Storm Worm Variant Spreading

US-CERT has received reports of new phishing activity, some of which has been linked to Storm Worm. The latest activity is centered around messages related to the recent earthquake in China and the upcoming Olympic Games. This Trojan is spread via an unsolicited email message that contains a link to a malicious website. This website contains a video that, when opened, may run the executable file "beijing.exe" to infect the user's system with malicious code.

Reports, including a posting by Symantec, indicate that the following subject lines are being used. Please note that subject lines can change at any time.

• The most powerful quake hits China
• Countless victims of earthquake in China
• Death toll in China is growing
• Recent earthquake in china took a heavy toll
• Recent china earthquake kills million
• China is paralyzed by new earthquake
• Death toll in China exceeds 1000000
• A new powerful disaster in China
• A new deadly catastrophe in China
• 2008 Olympic Games are under the threat
• China's most deadly earthquake
  

• Install anti-virus software, and keep its virus signature files up-to-date.
• Do not follow unsolicited web links received in email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Cisco Releases Security Advisory

Cisco has released a Security Advisory to address a vulnerability in several of their Intrusion Prevention System platforms. This vulnerability is caused by an unspecified error in the handling of Jumbo Ethernet frames received on a Gigabit network interface configured for inline mode. Exploitation of this vulnerability may allow a remote attacker to trigger a kernel panic and cause a denial-of-service condition or bypass security restrictions.

At this time, Cisco has not yet released software updates to resolve this issue; however, they have provided a workaround in their advisory. US-CERT encourages users to review Cisco Security Advisory cisco-sa-20080618-ips and apply any necessary workarounds until Cisco releases software updates.

US-CERT will provide additional information as it becomes available.

Microsoft Releases June Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Internet Explorer as part of the Microsoft Security Bulletin Summary for June 2008. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, or cause a denial-of-service condition.

US-CERT encourages users to review the bulletins and follow best-practice security policies to determine which updates should be applied.

SNMPv3 Authentication Bypass Vulnerability

US-CERT is aware of a vulnerability in implementations of SNMPv3. This vulnerability is due to an error in the way the authenticator field handles shortened hash message authentication code (HMAC). Exploitation of this vulnerability may allow an attacker to read and modify any SNMP object or the configuration of the affected device using the credentials that got them onto the system.

US-CERT encourages users to review Vulnerability Notes VU#878044 and apply the solutions or workarounds listed in the document to help mitigate the risks.

US-CERT will provide additional information as it becomes available.

Apple Releases QuickTime 7.5

Apple has released QuickTime 7.5 to address multiple vulnerabilities. These vulnerabilities include the following:

• a heap-based buffer overflow condition in the handling of PixData structures when processing a PICT image that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
• a memory corruption condition in the handling of AAC-encoded media content that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
• a heap-based buffer overflow condition in the handling of PICT images that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
• a stack-based buffer overflow condition in the handling of Indeo video codec content that may allow an attacker to execute arbitrary code execution or cause a denial-of-service condition
• an unspecified error in the handling of file: URLs that may allow an attacker to execute arbitrary files and applications

Microsoft Releases Advance Notification for June Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its June release cycle will contain seven bulletins, three of which will have the severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows and Internet Explorer. The notification also states that there will be three Important bulletins for Microsoft Windows. The last of these bulletins has the severity rating of Moderate and is for Microsoft Windows. Release of these bulletins is scheduled for Tuesday, June 10.

US-CERT will provide additional information as it becomes available.

Skype Releases Security Bulletin

Skype has released a security bulletin to address a vulnerability. This vulnerability is due to an error in the handling of "file:" URIs. By convincing a user to click on a specially crafted "file:" URI, a remote, unauthenticated attacker may be able to execute arbitrary code.

US-CERT encourages users to review Skype security bulletin SKYPE-SB/2008-003 and upgrade to Skype version 3.8.0.139.

Cisco Releases Security Advisory

Cisco has released a Security Advisory to address multiple vulnerabilities in the PIX and ASA security appliances. These vulnerabilities include the following:

• An unspecified error in the processing of TCP ACK packets that may allow an attacker to cause a denial-of-service condition.
• An unspecified error in the handling of the TLS protocol that may allow an attacker to cause a denial-of-service condition.
• An unspecified error in the Instant Messaging Inspection that may allow an attacker to cause a denial-of-service condition.
• An unspecified error that occurs during vulnerability scanning against  TCP port 443 may allow an attacker to cause a denial-of-service condition.
• An unspecified error in the Control-plane Access List may allow an attacker to bypass security restrictions.

HP Instant Support ActiveX Control Vulnerabilities

HP has released a support document to address multiple vulnerabilities in the Instant Support ActiveX control (HPISDataManager.dll). These vulnerabilities may allow a remote attacker to execute arbitrary code.

US-CERT encourages users to review the HP Support Document and upgrade to Instant Support v1.0.0.24 or apply the workarounds listed in the Support Document.

Sun Releases Java ASP Server 4.0.3

Sun has released Java ASP Server 4.0.3 to address multiple vulnerabilities. These vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the root user or the user running the Sun Java ASP server, obtain sensitive information, or bypass security restrictions.

US-CERT encourages users to review Sun Alert 238184 and upgrade to Java ASP Server 4.0.3 or apply the workarounds listed in the Sun Alert.