
September 03, 2008 - Current Activity

    This is an archived copy of Current Activity; it is not the most recent version.

    September 3 - Google Chrome Download Vulnerability
    September 2 - VMware Releases Security Announcement
    September 1 - Hurricane Gustav and Phishing Scams
    August 27 - SSH Key-based Attacks
    August 25 - Microsoft Revised Security Bulletin MS08-051
    August 25 - Red Hat Releases OpenSSH Security Update
    August 21 - Malware Circulating via Russia/Georgia Conflict Spam Messages
    August 21 - Opera Releases Version 9.52
    August 18 - Webex Meeting Manager ActiveX Control Vulnerability
    August 14 - Joomla! Password Reset Vulnerability



    Google Chrome Download Vulnerability

    added September 3, 2008 at 01:52 pm

    US-CERT is aware of a vulnerability that affects the Google Chrome web browser. This vulnerability is due to a default configuration that allows files to be downloaded without prompting the user. In addition, downloaded files can be opened with a single click, which could allow a user to inadvertently open a malicious file.

    US-CERT encourages users to enable the "Ask where to save each file before downloading" option within the "Minor Tweaks" tab in the browser preferences. Although this does not fix the underlying vulnerability, selecting this option will warn the user before files are downloaded. Users should still exercise caution when visiting and downloading items from untrusted websites.

    US-CERT will provide additional information as it becomes available.


    VMware Releases Security Announcement

    added September 2, 2008 at 03:00 pm

    VMware has released a security announcement to address multiple vulnerabilities in VMware Workstation, VMware Player, VMware ACE, VMware Server, and VMware ESX. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, access the system with elevated privileges, or obtain sensitive information.

    US-CERT encourages users and administrators to review the VMware security announcement and apply any necessary updates.


    Hurricane Gustav and Phishing Scams

    added September 1, 2008 at 12:29 pm

    In the past, US-CERT has received reports of an increased number of phishing scams that take advantage of natural disasters. Due to the current situation involving Hurricane Gustav, US-CERT would like to remind users to remain cautious when receiving unsolicited email that could be a potential phishing scam.

    Phishing scams may appear as requests for donations from a charitable organization, asking users to click on a link that takes them to a fraudulent website that appears to be a legitimate charity. Users are then asked to provide personal information that can further expose them to future compromises.

    Users are encouraged to take the following measures to protect themselves from this type of phishing scam:

    • Do not follow unsolicited web links received in email messages.
    • Review the Federal Trade Commission's Charity Checklist.
    • Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.

    For additional information regarding phishing, US-CERT recommends reading the following documents:


    SSH Key-based Attacks

    added August 26, 2008 at 03:41 pm | updated August 27, 2008 at 03:41 pm

    US-CERT is aware of active attacks against Linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed.

    Phalanx2 appears to be a derivative of an older rootkit named "phalanx". Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

    Detection of phalanx2 as used in this attack may be performed as follows:

    • "ls" does not show a directory "/etc/khubd.p2/", but it can be entered with "cd /etc/khubd.p2".
    • "/dev/shm/" may contain files from the attack.
    • Any directory named "khubd.p2" is hidden from "ls", but may be entered by using "cd".
    • Changes in the configuration of the rootkit might change the attack indicators listed above. Other detection methods may include searching for hidden processes and checking the link (reference) count of "/etc" against the number of subdirectories shown by "ls".
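The two listing-based checks above (a directory that can be entered but is not shown, and a link count on "/etc" that implies more subdirectories than "ls" reports) can be automated. The script below is an added example written for this page, not a tool from US-CERT or DFN-CERT. It assumes a filesystem where a directory's link count is 2 plus one per subdirectory (ext2/3/4, XFS and most classic Unix filesystems; btrfs does not follow this, so the check is skipped when the count is below 2), and it ships with a constructed in-memory filesystem (`FakeFS`, `COMPROMISED_SAMPLE`, `CLEAN_SAMPLE`) so the logic can be exercised offline; `audit_live` runs the same checks against the real "/etc".

```python
import os
from typing import Callable, Dict, List, Optional, Set

# Directory name the advisory says phalanx2 hides from "ls". The advisory also
# notes the rootkit can be reconfigured, so treat this as one indicator among several.
ROOTKIT_DIR_NAME = "khubd.p2"


def expected_subdir_count(link_count: int) -> Optional[int]:
    """Subdirectories implied by a directory's link count.

    A directory owns two links ("." and its entry in the parent) plus one per
    subdirectory (each child's ".."). Filesystems that do not follow this
    convention (btrfs reports 1) yield None so the caller skips the check.
    """
    if link_count < 2:
        return None
    return link_count - 2


def hidden_subdir_count(path: str,
                        link_count: Callable[[str], int],
                        visible_subdirs: Callable[[str], List[str]]) -> int:
    """Subdirectories the inode says exist but the directory listing omits."""
    expected = expected_subdir_count(link_count(path))
    if expected is None:
        return 0
    return max(expected - len(visible_subdirs(path)), 0)


def entry_hidden_from_listing(parent: str, name: str,
                              listdir: Callable[[str], List[str]],
                              exists: Callable[[str], bool]) -> bool:
    """True when a path can be reached (stat succeeds) but its name is absent
    from the parent's listing: the "cd works, ls does not show it" symptom."""
    return exists(os.path.join(parent, name)) and name not in listdir(parent)


def audit_directory(path, link_count, visible_subdirs, listdir, exists) -> List[str]:
    """Run both checks against one directory and return readable findings."""
    findings = []
    hidden = hidden_subdir_count(path, link_count, visible_subdirs)
    if hidden:
        findings.append(f"{path}: link count implies {hidden} subdirectory(ies) missing from listing")
    if entry_hidden_from_listing(path, ROOTKIT_DIR_NAME, listdir, exists):
        findings.append(f"{path}/{ROOTKIT_DIR_NAME}: reachable but not listed")
    return findings


# --- adapters for the real operating system ---------------------------------

def os_link_count(path: str) -> int:
    return os.stat(path).st_nlink


def os_visible_subdirs(path: str) -> List[str]:
    # Symlinks to directories do not add to the parent's link count, so skip them.
    return [n for n in os.listdir(path)
            if os.path.isdir(os.path.join(path, n))
            and not os.path.islink(os.path.join(path, n))]


def audit_live(path: str = "/etc") -> List[str]:
    return audit_directory(path, os_link_count, os_visible_subdirs, os.listdir, os.path.exists)


# --- constructed in-memory filesystem so the checks can be exercised offline ---

class FakeFS:
    """Honest inode data (link counts, path lookup) but a listing that omits
    `hidden` names, mimicking a rootkit that hooks readdir but not lookup."""

    def __init__(self, tree: Dict[str, List[str]], hidden: Set[str]):
        self.tree = tree
        self.hidden = hidden

    def link_count(self, path: str) -> int:
        return 2 + len(self.tree[path])

    def listdir(self, path: str) -> List[str]:
        return [n for n in self.tree[path] if n not in self.hidden]

    visible_subdirs = listdir  # every child in the samples is a directory

    def exists(self, path: str) -> bool:
        parent, name = os.path.split(path)
        return name in self.tree.get(parent, [])


# Constructed samples: one with the hidden rootkit directory, one clean.
COMPROMISED_SAMPLE = FakeFS({"/etc": ["ssh", "cron.d", "khubd.p2"]}, hidden={"khubd.p2"})
CLEAN_SAMPLE = FakeFS({"/etc": ["ssh", "cron.d"]}, hidden=set())


def audit_fake(fs: FakeFS, path: str = "/etc") -> List[str]:
    return audit_directory(path, fs.link_count, fs.visible_subdirs, fs.listdir, fs.exists)


if __name__ == "__main__":
    print("compromised sample:", audit_fake(COMPROMISED_SAMPLE))
    print("clean sample:", audit_fake(CLEAN_SAMPLE))
    if os.path.isdir("/etc"):
        print("live /etc:", audit_live("/etc"))
```

The checks are injected with callables rather than hard-wired to `os` so that a known-bad sample can be tested without a rootkit present; on a real host, run `audit_live` from a trusted rescue environment if possible, since a kernel-level rootkit may also lie to `stat`.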

    US-CERT encourages administrators to perform the following actions to help mitigate the risks:
    • Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
    • Encourage users to protect their keys with passphrases or passwords to reduce the risk if a key is compromised.
    • Review access paths to internet-facing systems and ensure that systems are fully patched.

    If a compromise is confirmed, US-CERT recommends the following actions:
    • Disable key-based SSH authentication on the affected systems, where possible.
    • Perform an audit of all SSH keys on the affected systems.
    • Notify all key owners of the potential compromise of their keys.

    US-CERT will provide additional information as it becomes available.

    US-CERT credits DFN-CERT for their contributions regarding this issue.


    Microsoft Revised Security Bulletin MS08-051

    added August 25, 2008 at 09:22 am

    Microsoft has revised Security Bulletin MS08-051, which addresses vulnerabilities in Microsoft PowerPoint. This revision describes a rerelease of the standalone update package for Microsoft Office PowerPoint 2003.

    According to Microsoft, users who applied the update provided through Microsoft Update or Office Update do not need to take further action. Users who installed the original standalone update should apply the updated package as described in the revised Microsoft Security Bulletin.

    US-CERT encourages users and administrators to review Microsoft Security Bulletin MS08-051 and apply or reapply any necessary updates.


    Red Hat Releases OpenSSH Security Update

    added August 25, 2008 at 09:14 am

    Red Hat has released Security Advisory RHSA-2008:0855-6 to address a recent security incident. In the advisory, Red Hat indicates that the incident involved an intrusion on several of their computer systems. During the intrusion, an attacker was able to sign a small number of OpenSSH packages. Red Hat has provided a list of the compromised packages and has released updated versions of the OpenSSH packages as a precautionary measure.

    US-CERT encourages users and administrators to review Red Hat Security Advisory RHSA-2008:0855-6 and apply the solution provided in the document.


    Malware Circulating via Russia/Georgia Conflict Spam Messages

    added August 21, 2008 at 09:07 am

    US-CERT is aware of public reports of malware circulating via spam email messages related to the Russia/Georgia conflict. These messages contain factual information about the conflict. The messages also contain download instructions for the user to watch a video that is attached to the message. If a user opens the attachment, malware may be downloaded and installed onto their system.

    US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:


    Opera Releases Version 9.52

    added August 21, 2008 at 08:58 am

    Opera Software has released version 9.52 of the Opera web browser to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, inject malicious content into a page on a trusted website, obtain sensitive information, or cause a denial-of-service condition.

    US-CERT encourages users to review the latest Opera Security Advisories and upgrade to Opera 9.52 to help mitigate the risks.


    Webex Meeting Manager ActiveX Control Vulnerability

    added August 11, 2008 at 12:41 pm | updated August 18, 2008 at 10:44 am

    Cisco has released a Security Advisory to address a vulnerability that affects Cisco Webex Meeting Manager. This vulnerability is due to a buffer overflow condition in the "NewObject()" method within the WebexUCFObject ActiveX control (atucfobj.dll). By convincing a user to visit a specially crafted web page, open an e-mail message that contains embedded malicious HTML code, or by sending malicious HTML code via instant messaging applications, a remote attacker may be able to execute arbitrary code.

    US-CERT encourages users to review Cisco Security Advisory 107751 and apply any necessary updates or workarounds listed in the document. Additional information about this vulnerability can be found in the Vulnerability Notes Database.


    Joomla! Password Reset Vulnerability

    added August 14, 2008 at 01:20 pm

    The Joomla! Project has released an advisory to address a password reset vulnerability in the Joomla! content management system. This vulnerability is due to a flaw in the reset token validation mechanism, which may allow forged tokens to pass validation. Exploitation of this vulnerability may allow an unauthenticated attacker to reset the password of the first enabled user, which is typically an administrator user.

    US-CERT encourages users to review the Joomla! advisory and upgrade to version 1.5.6 (or newer) or apply the patch listed in the advisory.
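The entry above describes the impact (a forged token resetting the first enabled, typically administrative, account) without detailing the validation flaw itself, so the following is an added example, written for this page and not Joomla!'s code, of the properties a reset-token validator needs to rule that outcome out: the token is checked for shape before any lookup, it is bound to the account the request names rather than searched for across all users, it is stored only as a hash, compared in constant time, time-limited and single-use. `PasswordResetService`, `User` and the `demo()` scenario are hypothetical constructions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_BYTES = 32            # 256-bit random token
TOKEN_TTL_SECONDS = 3600    # reset links expire after one hour


@dataclass
class User:
    user_id: int
    username: str
    enabled: bool = True
    reset_token_hash: Optional[str] = None   # hash of the outstanding token, never the token
    reset_token_expires: float = 0.0


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class PasswordResetService:
    """Hypothetical reset flow with the validation properties described in the lead-in."""

    def __init__(self, users: Dict[int, User], now: Callable[[], float] = time.time):
        self.users = users
        self.now = now

    def issue_token(self, user_id: int) -> str:
        user = self.users[user_id]
        token = secrets.token_hex(TOKEN_BYTES)
        user.reset_token_hash = _digest(token)
        user.reset_token_expires = self.now() + TOKEN_TTL_SECONDS
        return token  # delivered out of band (e-mail); only the hash stays server-side

    def validate(self, user_id: int, token: object) -> bool:
        # 1. Reject empty or malformed input before touching stored state, so a blank
        #    token can never match a blank or absent stored value.
        if not isinstance(token, str) or len(token) != TOKEN_BYTES * 2:
            return False
        try:
            bytes.fromhex(token)
        except ValueError:
            return False
        # 2. Look up the account the request names; never search for "whichever user
        #    this token happens to match", which is how a forged token could land on
        #    the first enabled (often administrative) account.
        user = self.users.get(user_id)
        if user is None or not user.enabled or user.reset_token_hash is None:
            return False
        # 3. Enforce the lifetime.
        if self.now() > user.reset_token_expires:
            return False
        # 4. Constant-time comparison of the hashes.
        return hmac.compare_digest(_digest(token), user.reset_token_hash)

    def redeem(self, user_id: int, token: object) -> bool:
        """Validate and invalidate in one step so a token cannot be replayed."""
        if not self.validate(user_id, token):
            return False
        user = self.users[user_id]
        user.reset_token_hash = None
        user.reset_token_expires = 0.0
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: two accounts, a token issued to the non-admin one.
    Every value in the returned dict should be True."""
    clock = [1_000_000.0]
    users = {1: User(1, "admin"), 2: User(2, "editor")}
    svc = PasswordResetService(users, now=lambda: clock[0])
    token = svc.issue_token(2)
    results = {
        "empty_token_rejected": not svc.validate(2, ""),
        "none_token_rejected": not svc.validate(2, None),
        "admin_has_no_token": not svc.validate(1, token),
        "wrong_token_rejected": not svc.validate(2, "0" * (TOKEN_BYTES * 2)),
        "valid_token_accepted": svc.validate(2, token),
    }
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_token_rejected"] = not svc.validate(2, token)
    clock[0] -= TOKEN_TTL_SECONDS + 1
    results["redeem_succeeds_once"] = svc.redeem(2, token)
    results["replay_rejected"] = not svc.validate(2, token)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:25s} {'ok' if ok else 'FAIL'}")
```

The clock is injected so expiry can be tested deterministically; in a real deployment the same structure applies with the database row standing in for the `User` dataclass, and the key point carries over unchanged: the query is always "does this user's stored hash match", never "which user has this token".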