May 18, 2009 - Current Activity

Gumblar Malware Exploit Circulating

US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc.  The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.

US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks.

US-CERT will provide additional information as it becomes available.

Microsoft Internet Information Services (IIS) WebDAV Request Vulnerability

US-CERT is aware of public reports of a vulnerability affecting Microsoft Internet Information Services 6 (IIS6). Reports indicate that this vulnerability is due to improper handling of unicode tokens. Exploitation of this vulnerability may allow a remote attacker to bypass authentication methods, allowing an attacker to upload files to a WebDAV folder or obtain sensitive information. NTFS file ACLs will generally prevent the anonymous internet user from writing to an unauthorized area. US-CERT is also aware of publicly available exploit code and active exploitation of this vulnerability.

US-CERT encourages users to implement the following workaround to help mitigate the risks until a patch or update is available from the vendor:

Disable WebDAV. Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing "Translate: f" headers. Please note that disabling WebDAV may affect the functionality of other applications such as SharePoint.

US-CERT will provide additional information as it becomes available.

Adobe Releases Security Updates for Adobe Reader and Acrobat

Adobe has released security updates to address a vulnerability that affects Reader 9.1 and earlier and Acrobat 9.1 and earlier. This vulnerability could allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB09-06 and apply any necessary updates to help mitigate the risks. Additional information regarding this vulnerability can be found in Technical Cyber Security Alert TA09-133B.

Apple Releases Security Update 2009-002, Mac OS X v10.5.7 and Safari 3.2.3

Apple has released Security Update 2009-002 and Mac OS X v10.5.7 to address multiple vulnerabilities in a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, cause a denial-of-service condition, leverage additional attacks, or obtain elevated privileges.

Additionally, Apple has released Safari 3.2.3 to address vulnerabilities in libxml, Safari, and Webkit. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple articles HT3549 and HT3550 and apply any necessary updates to help mitigate the risks. Additional information regarding these vulnerabilities can be found in Technical Cyber Security Alert TA09-133A.

Microsoft Releases May Security Bulletin

Microsoft has released an update to address a vulnerability in Microsoft Office as part of the Microsoft Security Bulletin Summary for May 2009. By convincing a user to open a specially crafted PowerPoint file, an attacker may be able to execute arbitrary code.

US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine if the update should be applied. Additional information regarding this vulnerability can be found in Technical Cyber Security Alert TA09-132A.

Microsoft Releases Advance Notification for May Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that the May release cycle will contain one bulletin with a maximum severity rating of Critical. The notification states that the Critical bulletin is for Microsoft PowerPoint. The release is scheduled for Tuesday, May 12.

US-CERT will provide additional information as it becomes available.

Adobe Releases Security Bulletin for Flash Media Server

Adobe has released Security Bulletin APSB09-05 to address a potential vulnerability in versions of Flash Media Server up to and including version 3.5.1. This vulnerability may allow an attacker to "execute remote procedures within a server side ActionScript file running on a Flash Media Server." According to Adobe, this issue affects versions of Flash Media Interactive Server and Flash Media Streaming Server.

US-CERT encourages users to review Adobe Security Bulletin APSB09-05 and upgrade to the most current version of Flash Media Server.

Symantec Releases Security Advisories

Symantec has released three security advisories to address multiple vulnerabilities in Symantec Alert Management System, Log Viewer, and Reporting Server. These vulnerabilities may allow an attacker to execute arbitrary code, bypass security mechanisms, or leverage phishing attacks.

US-CERT encourages users and administrators to review the following Symantec Security Advisories and apply any necessary updates or workarounds to help mitigate the risks:

• Symantec Alert Management System 2 Multiple Vulnerabilities
• Symantec Log Viewer JavaScript Injection Vulnerabilities
• Symantec Reporting Server Improper URL Handling Exposure

Adobe Reader and Acrobat JavaScript Vulnerabilities

US-CERT is aware of public reports of two vulnerabilities affecting Adobe Reader and Acrobat. The JavaScript methods customDictionaryOpen() and getAnnots() do not safely handle specially crafted arguments and can be manipulated to execute arbitrary code.

US-CERT encourages users and administrators to disable JavaScript in Adobe Reader to help mitigate the risk:

1. Open the General Preferences dialog box
2. From the Edit menu, select Preferences and then choose JavaScript
   
3. Un-check Enable Acrobat JavaScript

Swine Flu Phishing Attacks and Email Scams

US-CERT is aware of public reports of email scams circulating related to the Swine Flu. The attacks arrive via an unsolicited email message typically containing a subject line related to the Swine Flu. These email messages may contain a link or an attachment. If users click on this link or open the attachment, they may be directed to a phishing website or exposed to malicious code.

US-CERT encourages users to take the following measures to protect themselves:

• Do not follow unsolicited web links or attachments in email messages.
• Maintain up-to-date antivirus software.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.