October 2005 - Posts

• phpBB 2.0.18 - Special Halloween release has security improvements

  Forum Administrators should move to the latest versions of phpBB, as security improvements continue to be made to this highly flexible and functional environment.  http://www.phpbb.com/phpBB/viewtopic.php?t=336756 The phpBB Group is pleased to announce the release of phpBB 2.0.18, "The Halloween Special" release.  This is a major update to the 2.0.x codebase and includes fixes for numerous bugs reported by users to our Bug Tracker, as well as updates to those issues identified by the recent security audit of the code and a couple of security issues reported to us. In addition we have backported a further feature from our "Olympus" codebase to change the way automatic logins are handled. Posted Oct 31 2005, 04:52 PM by hwaldron with no comments

• New AIM worm carries Windows Rootkit

  I don't think this one is widespread, but based on the stealth-like nature of rootkits, it's probably both difficult to detect and remove. http://news.zdnet.com/2100-1009_22-5920403.html A worm found spreading via America Online's Instant Messenger is carrying a nastier punch than usual, a security company has warned.  The unnamed worm delivers a cocktail of unwanted software, including a so-called rootkit, security experts at FaceTime Communications said Friday. A rootkit is a tool designed to go undetected by the security software used to lock down control of a computer after an initial hack. Posted Oct 31 2005, 10:52 AM by hwaldron with no comments

• Article: Oracle password system comes under fire

  Data base Administrators should watch for further developments as this weakness will most likely be corrected in the future.  Article: Oracle password system comes under fire QUOTE: Attackers could easily uncover Oracle database users'passwords because of a weak protection mechanism, putting corporate data at risk of exposure, experts have warned.  The technique Oracle uses to store and encrypt user passwords doesn't provide sufficient security, said Joshua Wright of the SANS Institute and Carlos Sid of Royal Holloway college, University of London. Posted Oct 30 2005, 09:27 AM by hwaldron with no comments

• Microsoft documents security improvements planned for IE 7

  As noted in this Tech Republic Article, Internet Explorer version 7 will support a more robust protocol for encrypting user data and securing online transactions. http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx QUOTE:  In a posting on the Microsoft Internet Explorer blog, IE program manager Eric Lawrence said that IE7 would support the Transport Layer Security (TLS) protocol by default.  Lawrence also explained how IE7 will behave differently from earlier versions when it encounters potential security problems. "Whenever IE6 encountered a problem with a HTTPS-delivered Web page, the user was informed via a modal dialog box and was asked to make a security decision. IE7 follows the XPSP2 'secure by default' paradigm by defaulting to the secure behavior," said Lawrence. IE7 will not give users the option of seeing both secure and insecure items within an HTTPS page. With IE6, this option appears when the browser encounters an HTTPS page that includes some HTTP content. But in IE7, only the secure content will be rendered by default, forcing the user to choose to access the rest via the information bar. "This is an important change because very few users (or web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page," Lawrence claimed. Posted Oct 29 2005, 09:11 AM by hwaldron with no comments

• Virkel.A - New sophisticated Instant Messaging virus

  This new Instant Messenger (IM) threat should be closely watched as it contains a security backdoor and other sophisticated capabilities. http://secunia.com/virus_information/22890/virkel.a/ Virkel is a backdoor with IM (Instant Messenger) spreading capabilities. It was first found on October 26th, 2005. The backdoor can provide a hacker with information about a system, work as a proxy, update itself, perform a Denial of Service (DoS) attack, open remote shell, download files. It also kills processes of anti-virus and security software and blocks access to many different sites that belong to anti-virus and security software vendors. Posted Oct 26 2005, 04:57 PM by hwaldron with no comments

• Windows XP Security Guide - New 2.1 version released

  Microsoft has just updated the Windows XP security guide and this free resource can be found through the following link: Windows XP Security Guide Any IT environment is only as secure as its weakest link. Unfortunately, client operating systems are often overlooked during security projects. As your organization plans to implement Microsoft® Windows® XP Professional with Service Pack 2 (SP2), ensure that security is an integral part of your deployment plans. Although the default installation of Windows XP is quite secure, it is important to remember the trade-offs that exist between security, usability, and functionality of the client computers in your environment. A thorough understanding of these trade-offs places your organization in a position to maximize the security of your Windows XP deployment. The guide provides specific recommendations about how to harden computers that run Windows XP with SP2 in three distinct environments: • Enterprise Client (EC). Client computers in this environment are located in an Active Directory® directory service domain and only need to communicate with systems that run Windows 2000 or later versions of the Windows operating system. • Stand-Alone (SA). Client computers in this environment are not members of an Active Directory domain and may need to communicate with systems that run Windows NT® 4.0. • Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment. Posted Oct 26 2005, 10:48 AM by hwaldron with no comments

• MS05-047: Two new exploits developed from MS October security bulletins

  Two more new exploits have developed as malicious individuals work to reverse engineer the changes and discover code weaknesses in unpatched systems.  These new potential attacks are based on the MS05-047 Microsoft Security Bulletin issued in October.  It's always a best practice to patch as soon as Microsoft performs a release which is usually the second Tuesday of each month.   2005-10-24 : Microsoft Windows Plug and Play "Umpnpmgr.dll" DoS Exploit (MS05-047) 2005-10-21 : Microsoft Windows Plug and Play "Umpnpmgr.dll" Remote Exploit (MS05-047) Posted Oct 25 2005, 06:01 AM by hwaldron with no comments

• MS05-039 -- Mocbot IRC Worm in the wild

  A new attack based on August's security bulletin MS05-039 surfaced overnight. This new threat remains at low risk currently.  This was initially reported as an MS05-047 exploit, but after further analysis McAfee has confirmed that while MS05-047 code was present, the MS05-039 exploit was used as the key method to infect unpatched PCs. MS05-039 -- Mocbot IRC Worm in the wild http://secunia.com/virus_information/22746/irc-mocbot/ http://www.f-secure.com/v-descs/mocbot.shtml http://vil.nai.com/vil/content/v_136637.htm This botnet client was spread using the MS05-039 vulnerability in October 2005. This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called "wudpcom". Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds). SYMPTOMS 1. Heavy netbois and microsoft-ds network traffic 2. Presense of the file wudpcom.exe in the WINDOWS SYSTEM directory 3. TCP 18067 connections to hostile websites -- AVERT / McAfee Update Oct 23, 2005 -- After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used. Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them. This threat exploits the MS05-039 Microsoft Windows vulnerability. Posted Oct 23 2005, 08:23 AM by hwaldron with 1 comment(s)

• Oracle RDBMS - Critical security patches released in October

  During October, Oracle released several critical security patches that companies should quickly test and apply to safeguard information in these data base repositories.  2005-10-19 : Oracle Products Buffer Overflow and SQL Injection Vulnerabilities Multiple vulnerabilities were identified in various Oracle products, which may be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, conduct SQL injection attacks and cross site scripting attacks, or bypass certain security restrictions. These flaws are due to unspecified errors in Oracle Database Server, Application Server, Collaboration Suite, E-Business Suite, Applications, Enterprise Manager, PeopleSoft Enterprise, and JD Edwards EnterpriseOne. No further details have been disclosed. Posted Oct 20 2005, 07:46 AM by hwaldron with no comments

• Netscape 8.04 released to address critical security issues

  All Netscape 8.0x users should update to the latest version to stay protected as recent improvements in security have been released http://browser.netscape.com/ns8/security/alerts.jsp Fixed in Netscape Browser 8.0.4 • MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes • MFSA 2005-57 IDN heap overrun using soft-hyphens Posted Oct 20 2005, 07:30 AM by hwaldron with no comments

• Microsoft October Security Bulletins - Exploits in-the-wild

  So far, there are no published reports for MS05-051 which some security firms feel has the potential to be crafted into a possible Internet worm, that could especially impact Windows 2000 based PCs and Servers.  At least 3 proof-of-concept exploits were developed within a couple of days of the October 11th updates, so companies should carefully test their applications and patch expediently.  All users should stay as up-to-date as possible on any security patches that are released.    » 2005-10-13 : Microsoft Collaboration Data Objects Buffer Overflow PoC Exploit (MS05-048)    » 2005-10-13 : Microsoft Windows Network Connection Manager Local DoS Exploit (MS05-045)    » 2005-10-13 : Microsoft Windows FTP Client File Location Tampering Exploit (MS05-044) Posted Oct 20 2005, 07:22 AM by hwaldron with no comments

• PC World - Evaluation of 11 Anti-Spyware Products

  In the November 2005 issue of PC World magazine, 11 different products are evaluated.  Webroot Spysweeper continues to score near the top in all evaluations.  The MSAS beta release also had a positive review and scored as one of the best free products.  It's always best to look at more than one evaluation, as the review team can rank categories differently.   PC World - Evaluation of 11 Anti-Spyware Products PC World - Evaluation of 11 Anti-Spyware Product Grid Posted Oct 17 2005, 05:18 PM by hwaldron with no comments

• Microsoft Technet Security: New Learning Paths training Facility

  Microsoft's Technet Security team is introducting a new Learning Paths website that features resources on security threats and appropriate controls.  Each month new articles and training materials will be featured to provide on-going training for security professionals. http://www.microsoft.com/technet/security/learning/default.mspx Featured This Month: Internal Threats: Mitigate the Risks in Your Environment Today's IT Professionals work in a challenging environment where there's a constant effort to protect resources and vital information from internal misuse. Attend this series and learn about the risks, business challenges and recommendations for protecting your network from internal threats. We will cover topics such as Security risk management, assessment, and implementation as well as steps for meeting your business needs of operating in a more secure environment Posted Oct 17 2005, 02:43 PM by hwaldron with no comments

• October Microsoft Security Bulletins - more in-depth information

  Microsoft Security Release - October 2005 The following provides an overview of several important updates. Microsoft Security Release - October 2005 http://www.microsoft.com/technet/security/Bulletin/ms05-Oct.mspx Internet Storm Center - Excellent Technical Analysis http://isc.sans.org/diary.php?date=2005-10-11   Vulnerability in DirectShow Could Allow Remote Code Execution (904706) - Critical http://www.microsoft.com/technet/security/Bulletin/ms05-050.mspx Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400) - Critical http://www.microsoft.com/technet/security/Bulletin/ms05-051.mspx Cumulative Security Update for Internet Explorer (896688) - Critical http://www.microsoft.com/technet/security/Bulletin/ms05-052.mspx Vulnerability in the Client Services for Netware Could Allow Remote Code Execution (899589) - Important http://www.microsoft.com/technet/security/Bulletin/ms05-046.mspx Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749) - Important http://www.microsoft.com/technet/security/Bulletin/ms05-047.mspx Vulnerability in the Microsoft Collaboration Objects Could Allow Remote Code Execution (907245) - Important http://www.microsoft.com/technet/security/Bulletin/ms05-048.mspx Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725) - Important http://www.microsoft.com/technet/security/Bulletin/ms05-049.mspx Vulnerability in the Windows FTP Client Could Allow File Transfer Location and Tampering (905495) - Moderate http://www.microsoft.com/technet/security/Bulletin/ms05-044.mspx Vulnerability in Network Connection Manager Could Allow Denial Service (905414) - Important http://www.microsoft.com/technet/security/Bulletin/ms05-045.mspx Posted Oct 12 2005, 04:57 PM by hwaldron with no comments

• Microsoft Security Bulletins - October 2005

  2005-10-11 : Microsoft Internet Explorer Multiple Remote Vulnerabilities (MS05-052)  2005-10-11 : Microsoft Windows MSDTC and COM+ Multiple Vulnerabilities (MS05-051)  2005-10-11 : Microsoft Windows DirectShow Remote Code Execution (MS05-050)  2005-10-11 : Microsoft Windows Shell and Web View Vulnerabilities (MS05-049)  2005-10-11 : Microsoft Collaboration Data Objects Code Execution (MS05-048)  2005-10-11 : Microsoft Windows Plug and Play Remote Code Execution (MS05-047)  2005-10-11 : Microsoft Client Service for NetWare Remote Code Execution (MS05-046)  2005-10-11 : Microsoft Windows Network Connection Manager DoS (MS05-045)  2005-10-11 : Microsoft Windows FTP Client Directory Traversal Issue (MS05-044) Posted Oct 11 2005, 09:30 PM by hwaldron with no comments

• Zafi.F - Appears to be legitimate MSN email

  Zafi.F is spreading via email in English, Italian, Spanish, Russian, Swedish and several other languages. This new HTML based variant is authentic in appearance, from a social engineering perspective. SECUNIA http://secunia.com/virus_information/22349/zafi.f/ F-SECURE http://www.f-secure.com/v-descs/zafi_f.shtml McAfee http://vil.nai.com/vil/content/v_136426.htm DO NOT OPEN ATTACHMENTS ENDING WITH: pif, cmd, bat, com or zip file. Posted Oct 10 2005, 01:09 PM by hwaldron with no comments

• Common Malware Enumeration - New CME standard for AV vendors

  CERT provides one of the best websites related to computer security.  They have recently addressed a major issue among anti-virus companies, where common naming conventions don't exist due to the competitive nature of being first many times.  Also, some AV products can handle several variants with a single defiition, where other AV vendors must specifically define a new variant each time a new compression or packing technique is used on the executable.        Chris Mosby, a very talented security modertor in My IT Forums commented on this need in an “Open Letter to Anti-Virus Software Companies” in November 2004.  This new system won't be perfect, but it's a step in the right direction.  It'll help companies like the one I work for which uses corporate McAfee VS 8.0i on the desktop and SAV for email filtering. Common Malware Enumeration (CME) - Home Page http://cme.mitre.org/ Common Malware Enumeration (CME) - FAQ http://cme.mitre.org/about/faqs.html Common Malware Enumeration (CME) - Current List http://cme.mitre.org/data/list.html Common Malware Enumeration (CME) - How it Works http://cme.mitre.org/cme/process.html Common Malware Enumeration (CME) - Press Release http://cme.mitre.org/about/docs.html Posted Oct 09 2005, 08:05 AM by hwaldron with no comments

• Windows Vista - Review of Beta 1 by Tech Republic

  The following 3-part review was featured by Tech Republic on the  enhancements that will be forthcoming in Windows Vista, which is Microsoft's next generation operating system for client workstations.  http://www.winsupersite.com/reviews/winvista_beta1_01.asp http://www.winsupersite.com/reviews/winvista_beta1_02.asp http://www.winsupersite.com/reviews/winvista_beta1_02.asp Posted Oct 07 2005, 11:33 AM by hwaldron with no comments

• Sober.R - MEDIUM RISK by McAfee and difficult to remove

  The Sober virus family is always one to watch. This one is spreading rapidly and McAfee has declared Medium Risk. It is also very difficult to clean until enhanced cleaning capabilities are provided by AV companies. Sober.R - MEDIUM RISK by McAfee http://vil.nai.com/vil/content/v_136390.htm Other AV companies http://secunia.com/virus_information/22225/sober.s/ EMAIL TO AVOID - English & German variants Subject: Your new Password Body:  Your password was successfully changed! Please see the attached file for detailed information. This mass-mailing email virus arrives in an email message with one of the following attachment names: KlassenFoto.zip, pword_change.zip SPECIAL INSTRUCTIONS FOR INFECTED PCs Cleaning this new variant is difficult as some new techniques used by the virus writer lock down security of infected files, (blocks access to files using special registry settings), so that you have to clean in SAFE MODE until McAfee releases it's next DAT file (which will reset file access permissions in the registry to allow direct cleaning). Quote: Due to the nature in which this virus operates once a machine is successfully infected, read-access to its file may be denied. The AV scanner will not be able to detect the file in this case. Because of this, if a machine is suspected to be infected, users are recommended to follow the procedure below: Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode. Run a system scan using the specified engine/DATs. Delete files flagged as infected Restart machine in default mode. Posted Oct 06 2005, 06:56 AM by hwaldron with 4 comment(s)

• Spybot.YCL - Attacks 7 major unpatched vulnerabilities or other weak security vulnerabilities

  This new version of Spybot has to be one of the most comprehensive attacks I've seen today for this large family of viruses.  It attacks weak passwords, uses existing backdoor infections, plus attacks through some of the most prominent security vulnerabilities if a system is unpatched.   Spybot.YCL - Attacks 7 major unpatched vulnerabilities or other weak security vulnerabilities 1. Attacks several major security vulnerabilities in unpatched Microsoft, Dameware, and Veritas software:  The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026). The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011) The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007). The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011). The Microsft Windows ASN.1 Vulnerability (as described in Microsoft Security Bulletin MS04-007). The DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow vulnerability (as described in Bugtraq ID 9213). The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (as described here). 2. Spreads over network shares and Microsoft SQL server using weak usernames and passwords 3. Spreads to compromised computers by using back doors left behind by other malware such as: W32.Mydoom@mm W32.Beagle@mm Backdoor.Netdevil Backdoor.Optix Backdoor.Subseven Posted Oct 04 2005, 09:40 PM by hwaldron with 5 comment(s)