Updated: Bagle C Virus. New Vulnerability in RealSecure and BlackIce Products, Solaris 8 and 9 passwd(1) bulletin, WinZip flaw, IE cross-frame scripting issue
Bagle C
Just in: A new virus, appearently part of the Bagle family, was sighted.
The virus is not detected by common AV products at this point. It uses
.zip attachments. First sightings were reported around 5-6 PM EST (10-11pm UTC).
New Vulnerability in RealSecure and BlackIce Products
eEye Security released a bulletin last night with details concerning a serious vulnerability in RealSecure/BlackICE Server Message Block (SMB) Processing. Details are at
http://www.eeye.com/html/Research/Advisories/AD20040226.html
According to eEye, only one SMB packet is required to exploit this vulnerability. The issue is with the way that an SMB packet is processed, analyzed, and reassembled. It is during this phase that specially crafted data can be passed to an improperly checked heap-based buffer. Such a heap overwrite can lead to reliable remote code execution with this vulnerability. No known proof of concept or other public exploit is in current circulation, however systems running either of these products should be patched immediately.
Updates for these products are available from ISS at
http://www.iss.net/download/
Solaris 8 and 9 passwd(1) privilege escalation
Yesterday, Sun released a bulletin announcing a patch to a potential privilege escalation vulnerability in the passwd(1) program in certain versions of Solaris 8 and 9 (Solaris 7 is not vulnerable). Complete details are at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454&zone_32=category%3Asecurity
Solaris admins should read the bulletin and patch as soon as practical.
WinZip MIME parsing buffer overflow
iDefense published a bulletin today describing a vulnerability in the popular WinZip utility including WinZip 9 beta and WinZip 8.1 SR-1, though not the WinZip 9 final release. It is believed that earlier versions are also likely to be vulnerable. This vulnerability is in the MIME parameter parsing routines of WinZip. One workaround involves disabling the extension handlers for certain vulnerable file types to prevent exploitation by double-clicking on archives. Unlike many of the recent worms where infection required opening a document within a .zip attachment, this one could be exploited simply by opening the archive to see what was inside. As always, users are urged to be extremely cautious in opening e-mail attachment. Note that exploitation is also possible via web links or peer-to-peer file sharing. More details can be found here
http://www.idefense.com/application/poi/display?id=76&type=vulnerabilities&flashstatus=false
IE cross-frame scripting exposure
iDefense also published a bulletin today describing a cross-frame scripting vulnerability in patched versions of Internet Explorer. While exploit requires a user to click on a link, when coupled with the vulnerability described in Microsoft's bulletin MS04-004, the user may not actually be aware that they are following a link to a malicious web site and may inadvertantly supply sensitive personal information to unintended parties. IE users should be sure to apply the patch described in MS04-004 and then should verify the address of the web site in the address bar before supplying personal information in web forms. Complete details can be found here
http://www.idefense.com/application/poi/display?id=77&type=vulnerabilities&flashstatus=false
---Jim Clausing
Just in: A new virus, appearently part of the Bagle family, was sighted.
The virus is not detected by common AV products at this point. It uses
.zip attachments. First sightings were reported around 5-6 PM EST (10-11pm UTC).
New Vulnerability in RealSecure and BlackIce Products
eEye Security released a bulletin last night with details concerning a serious vulnerability in RealSecure/BlackICE Server Message Block (SMB) Processing. Details are at
http://www.eeye.com/html/Research/Advisories/AD20040226.html
According to eEye, only one SMB packet is required to exploit this vulnerability. The issue is with the way that an SMB packet is processed, analyzed, and reassembled. It is during this phase that specially crafted data can be passed to an improperly checked heap-based buffer. Such a heap overwrite can lead to reliable remote code execution with this vulnerability. No known proof of concept or other public exploit is in current circulation, however systems running either of these products should be patched immediately.
Updates for these products are available from ISS at
http://www.iss.net/download/
Solaris 8 and 9 passwd(1) privilege escalation
Yesterday, Sun released a bulletin announcing a patch to a potential privilege escalation vulnerability in the passwd(1) program in certain versions of Solaris 8 and 9 (Solaris 7 is not vulnerable). Complete details are at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454&zone_32=category%3Asecurity
Solaris admins should read the bulletin and patch as soon as practical.
WinZip MIME parsing buffer overflow
iDefense published a bulletin today describing a vulnerability in the popular WinZip utility including WinZip 9 beta and WinZip 8.1 SR-1, though not the WinZip 9 final release. It is believed that earlier versions are also likely to be vulnerable. This vulnerability is in the MIME parameter parsing routines of WinZip. One workaround involves disabling the extension handlers for certain vulnerable file types to prevent exploitation by double-clicking on archives. Unlike many of the recent worms where infection required opening a document within a .zip attachment, this one could be exploited simply by opening the archive to see what was inside. As always, users are urged to be extremely cautious in opening e-mail attachment. Note that exploitation is also possible via web links or peer-to-peer file sharing. More details can be found here
http://www.idefense.com/application/poi/display?id=76&type=vulnerabilities&flashstatus=false
IE cross-frame scripting exposure
iDefense also published a bulletin today describing a cross-frame scripting vulnerability in patched versions of Internet Explorer. While exploit requires a user to click on a link, when coupled with the vulnerability described in Microsoft's bulletin MS04-004, the user may not actually be aware that they are following a link to a malicious web site and may inadvertantly supply sensitive personal information to unintended parties. IE users should be sure to apply the patch described in MS04-004 and then should verify the address of the web site in the address bar before supplying personal information in web forms. Complete details can be found here
http://www.idefense.com/application/poi/display?id=77&type=vulnerabilities&flashstatus=false
---Jim Clausing
Keywords:
0 comment(s)
My next class:
LINUX Incident Response and Threat Hunting | Online | US Eastern | Jan 29th - Feb 3rd 2025 |
×
Diary Archives
Comments