July 09, 2008 - Current Activity

New Storm Worm Variant Spreading

US-CERT has received reports of new Storm Worm activity. The latest activity uses messages that refer to the conflict in the Middle East. This Trojan is spread via unsolicited email messages that contain a link to a malicious website. The website is noted as having the following malicious characteristics which may be used to infect the user's system with malicious code.

• A video that, when opened, may run the executable file "iran_occupation.exe."
• A banner add that, when clicked, may run the executable file "form.exe."
• A hidden iframe linked to "ind.php."

• 20000 US soldiers in Iran
• Iran USA conflict developed into war
• More than 10000 Iranians were murdered
• Negotiations between USA and Iran ended in War
• Occupation of Iran
• Plans for Iran attack began
• The Iran's Leader Mahmoud Ahmadinejad declared Jihad to USA
• The World War III has already begun
• The begining of The World War III
• The military operation in Iran has begun
• The secret war against Iran
• Third War in Iran
• Third World War has begun
• US Army crossed Iran's borders
• US Army invaded Iran
• US army is about 20 kilometers from Tegeran
• US soldiers occupied Iran
• USA attacked Iran
• USA declares war on Iran
• USA occupeid Iran
• USA unleashed war on Iran
• War between USA&Iran
• War with Iran is the reality now
• Washington prefers to shoot first

• Install anti-virus software, and keep its virus signature files up-to-date.
• Do not follow unsolicited web links received in email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Microsoft Releases Security Advisory for Word Vulnerability

Microsoft has released a Security Advisory to address a vulnerability in Microsoft Word. The advisory indicates that this vulnerability affects Microsoft Office Word 2002 Service Pack 3. By convincing a user to open a specially crafted Word file, a remote attacker may be able to execute arbitrary code or cause a denial-of-service condition. Additionally, the advisory indicates that Microsoft is aware of limited, targeted attacks attempting to exploit this vulnerability.

US-CERT encourages users to review Microsoft Security Advisory 953635 and apply any necessary workarounds to help mitigate the risks.

US-CERT will provide additional information as it becomes available.

DNS Implementations Vulnerable to Cache Poisoning

US-CERT is aware of deficiencies in the DNS protocol. Implementations of this protocol may leave the affected system vulnerable to DNS cache poisoning attacks. If an attacker can successfully conduct a cache poisoning attack, they may be able to cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. This may allow an attacker to obtain sensitive information or mislead users into believing they are visiting a legitimate website.

US-CERT encourages users to review "VU#800113 - Multiple DNS implementations vulnerable to cache poisoning" and apply any necessary solutions listed in that document to help mitigate the risks.

US-CERT will provide additional information as it becomes available.

Microsoft Releases July Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows and SQL Server as part of the Microsoft Security Bulletin Summary for July 2008. These vulnerabilities may allow an attacker to execute arbitrary code, redirect network traffic to a malicious location, or access the system with elevated privileges.

US-CERT encourages users to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Microsoft Releases Security Advisory For Snapshot Viewer ActiveX Control

Microsoft has released a Security Advisory to address a vulnerability in a Microsoft Access ActiveX control. By convincing a user to visit a specially crafted web page, a remote, unauthenticated attacker may be able to execute arbitrary code. The Advisory also indicates that the vulnerability is being used in active, targeted attacks.

US-CERT encourages users to review Microsoft Security Advisory 955179 and apply the workarounds to help mitigate the risks. Additional information regarding this issue can be found in the Vulnerability Notes Database.

Microsoft Releases Advanced Notification for July Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its July release cycle will contain four bulletins which all will have a severity rating of Important. The notification states that these Important bulletins are for Microsoft Windows, Microsoft SQL Server, and Microsoft Exchange Server. Release of these bulletins is scheduled for Tuesday, July 8.

US-CERT will provide additional information as it becomes available.

Mozilla Releases Firefox 2.0.0.15

Mozilla has released Firefox 2.0.0.15. This version addresses multiple vulnerabilities that may allow an attacker to execute arbitrary code, conduct cross-site scripting attacks, upload arbitrary files, or escalate privileges. As described in the Mozilla Foundation Security Advisories, some of these vulnerabilities also affect Thunderbird and SeaMonkey.

US-CERT encourages users to do the following to help mitigate the risks:

• Review the Mozilla Foundation Security Advisories.
• Update to Firefox 2.0.0.15.
• Update to SeaMonkey 1.1.10.

Apple Releases Security Updates

Apple has released Mac OS X v10.5.4, Security Update 2008-004, and Safari 3.1.2 for Mac OS X 10.4.11 to address multiple vulnerabilities. These vulnerabilities affect a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, bypass security restrictions, or cause a denial-of-service condition.

US-CERT encourages users to review Apple Article HT2163 and HT2165 and apply any necessary updates.

Microsoft Releases Security Advisory

Microsoft has released a Security Advisory to address public reports of the Microsoft Windows Server Update Services failing to properly deploy updates within certain environments. Environments that rely on this service for updates may be unable to deploy updates to client systems, some of which may be security related.

US-CERT encourages users and system administrators to review Microsoft Security Advisory 954960 and apply the workarounds listed in the advisory.

US-CERT will provide additional information as it becomes available.

Cisco Releases Security Advisory

Cisco has released a Security Advisory to address multiple vulnerabilities in the Unified Communications Manager. The first vulnerability is due to improper handling of malformed data in the Computer Telephony Integration Manager service. Exploitation of this vulnerability may allow an attacker to cause a denial-of-service condition. The second vulnerability is due to improper access restrictions in the Real-Time Information Server Data Collector process. This vulnerability may allow an attacker to bypass security restrictions and obtain sensitive information which may be used for further attacks.

US-CERT encourages users to review Cisco Security Advisory cicso-sa-20080625-cucm and apply any necessary updates or fixes.