Summary of Security Items from March 9 through March 15, 2006
The US-CERT Cyber Security
Bulletin provides a summary of new and updated
vulnerabilities, exploits, trends, and malicious code that
have recently been openly reported. Information in the Cyber
Security Bulletin is a compilation of open source and US-CERT
vulnerability information. As such, the Cyber Security
Bulletin includes information published by sources outside of
US-CERT and should not be considered the
result of US-CERT analysis or as an official report of
US-CERT. Although this information does reflect open
source reports, it is not an official description and should
be used for informational purposes only. The intention of the
Cyber Security Bulletin is to serve as a comprehensive
directory of pertinent vulnerability reports, providing brief
summaries and additional sources for further investigation.
The tables below summarize vulnerabilities
that have been reported by various open source organizations
or presented in newsgroups and on web sites. Items
in bold designate updates that have been made to past
entries. Entries are grouped by the operating
system on which the reported software operates, and
vulnerabilities which affect both Windows and Unix/Linux
Operating Systems are included in the Multiple Operating
Systems table. Note that entries in each table are not
necessarily vulnerabilities in that operating
system, but vulnerabilities in software which operates on
some version of that operating system.
Entries may contain additional US-CERT
sponsored information, including Common Vulnerabilities and
Exposures (CVE) numbers, National Vulnerability Database
(NVD) links, Common Vulnerability Scoring System (CVSS)
values, Open Vulnerability and Assessment Language (OVAL)
definitions, or links to US-CERT Vulnerability Notes.
Metrics, values, and information included in the Cyber
Security Bulletin which have been provided by other US-CERT
sponsored programs are prepared, managed, and contributed by
those respective programs. CVSS values are managed and
provided by the US-CERT/NIST National Vulnerability
Database. Links are also provided to patches and workarounds
that have been provided by the product's vendor.
The Risk levels are defined below:
High - Vulnerabilities
will be labeled “High” severity if they have a CVSS base
score of 7.0-10.0.
Medium - Vulnerabilities
will be labeled “Medium” severity if they have a base CVSS
score of 4.0-6.9.
Low - Vulnerabilities will
be labeled “Low” severity if they have a CVSS base score of
0.0-3.9.
Note that scores provided prior to
11/9/2005 are approximated from only partially available
CVSS metric data. Such scores are marked as "Approximated"
within NVD. In particular, the following CVSS metrics are
only partially available for these vulnerabilities and NVD
assumes certain values based on an approximation algorithm:
AccessComplexity, Authentication, ConfImpact of 'partial',
IntegImpact of 'partial', AvailImpact of 'partial', and the
impact biases.
Windows Operating Systems Only
Vendor & Software Name
Description
Common Name
CVSS
Resources
Adobe
Graphics Server 2.1, Document Server 6.0
A vulnerability has been reported in Graphics
Server and Document Server that could let remote
malicious users execute arbitrary code.
An input validation vulnerability has been reported
in Easy File Sharing Web Server that could let remote
malicious users conduct Cross-Site Scripting or cause
a Denial of Service.
No workaround or patch available at time of
publishing.
A Proof of Concept exploit script has been
published.
Easy File Sharing Web Server Cross-Site Scripting
or Denial of Service
A buffer overflow vulnerability has been reported
in IMail Secure Server and Collaboration Suite, IMAP
fetch command, that could let remote malicious users
cause a Denial of Service or execute arbitrary
code.
Mac OS X Server 10.4-10.4.5, 10.3-10.3.9,
10.2-10.2.8, 10.1-10.1.5, 10.0-10.0.4, Mac OS X
10.4-10.4.5, 10.3-10.3.9, 10.2-10.2.8, 10.1-10.1.5,
10.0-10.0.4
A heap overflow vulnerability has been reported in
the 'mach_msg_send()' function of the kernel, which
could let a malicious user cause a Denial of Service and
possibly compromise a system.
No workaround or patch available at time of
publishing.
Currently we are not aware of any exploits for this
vulnerability.
Apple Mac OS X Kernel MACH_MSG_SEND Heap Overflow
Multiple vulnerabilities have been reported: a
vulnerability was reported in JavaScript because in
certain circumstances it is possible to bypass
the same-origin policy; a buffer overflow vulnerability
was reported in Mail due to a boundary error, which
could let a remote malicious user execute arbitrary
code; and a vulnerability was reported in
Safari/LaunchServices due to an error which could lead
to the execution of a malicious file.
Apple Security Update, APPLE-SA-2006-03-13, March
13, 2006
BlueZ Project
hcidump 1.29
A remote Denial of Service vulnerability has been
reported in 'l2cap.c' due to an error when handling the
L2CAP (Logical Link Control and Adaptation Layer
Protocol) layer.
Mandriva Linux Security Update Advisory,
MDKSA-2005:091, May 19, 2005
Turbolinux Security Advisory,
TLSA-2005-60, June 1, 2005
SUSE Security Summary Report, SUSE-SR:2005:015,
June 7, 2005
OpenPKG Security Advisory,
OpenPKG-SA-2005.008, June 10, 2005
RedHat Security Advisory, RHSA-2005:474-15,
June 16, 2005
FreeBSD Security Advisory,
FreeBSD-SA-05:14, June 29, 2005
Conectiva Linux Announcement, CLSA-2005:972,
July 6, 2005
Debian Security Advisory, DSA 741-1, July
7, 2005
SGI Security Advisory, 20050605-01-U, July
12, 2005
Security Focus, Bugtraq ID: 13657, August 26, 2005
Fedora Legacy Update Advisory, FLSA:158801, November
14, 2005
SGI Security Advisory, 20060301-01-U, March
8, 2006
bzip2
bzip2 1.0.2 & prior
A vulnerability has been reported when an archive is
extracted into a world or group writeable directory,
which could let a malicious user modify file permissions
of target files.
Mandriva Linux Security Update Advisory,
MDKSA-2005:091, May 19, 2005
Debian Security Advisory, DSA 730-1, May 27,
2005
Turbolinux Security Advisory,
TLSA-2005-60, June 1, 2005
OpenPKG Security Advisory,
OpenPKG-SA-2005.008, June 10, 2005
RedHat Security Advisory,
RHSA-2005:474-15, June 16, 2005
FreeBSD Security Advisory, FreeBSD-SA-05:14, June
29, 2005
Conectiva Linux Announcement, CLSA-2005:972, July
6, 2005
SGI Security Advisory, 20050605-01-U, July 12,
2005
Fedora Legacy Update Advisory, FLSA:158801, November
14, 2005
Mandriva Security Advisory, MDKSA-2006:026, January
30, 2006
SGI Security Advisory, 20060301-01-U, March
8, 2006
CGI::Session
CGI::Session 4.03
Several vulnerabilities have been reported: a
vulnerability was reported due to the insecure default
read permissions on files created by 'Driver::file,'
'Driver::db_file,' and 'Driver::sqlite,' which could let
a remote malicious user obtain sensitive information;
and a vulnerability was reported in the 'cgisess.db'
session file that is created by the 'Driver::db_file' in
the same directory as the CGI script, which could let a
remote malicious user obtain sensitive information.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited through use of a web
client.
CGI::Session Insecure File
Permissions
Not Available
Secunia Advisory: SA19211, March 13, 2006
Crossfire
Crossfire 1.9, 1.8
A buffer overflow vulnerability has been reported in
'request.c' due to an error in the 'SetUp()' function
when handling the 'setup' command, which could let a
remote malicious user cause a Denial of Service and
potentially execute arbitrary code.
No workaround or patch available at time of
publishing.
A Proof of Concept exploit script,
crossfire_bof_exp.c, has been published.
A Cross-Site Scripting vulnerability has been
reported in Mediamanager due to an unspecified input
validation error when handling EXIF data, which could
let a remote malicious user execute arbitrary HTML and
script code.
A buffer overflow vulnerability has been reported in
'Inet_server' due to insufficient bounds checking
prior to copying to an insufficiently-sized memory
buffer, which could let a malicious user execute
arbitrary code.
Mandriva Linux Security Advisory MDKSA-2006:053,
March 7, 2006
Debian Security Advisory, DSA-994-1,
March 13, 2006
Gentoo Linux Security Advisory, GLSA
200603-11, March 16, 2006
GNU
Mailman 2.1-2.1.5, 2.0-2.0.14
A remote Denial of Service vulnerability has been
reported in 'Scrubber.py' due to a failure to handle
exception conditions when Python fails to process an
email file attachment that contains utf8 characters in
its filename.
Mandriva Linux Security Advisory, MDKSA-2005:222,
December 2, 2005
SUSE Security Summary Report, SUSE-SR:2006:001,
January 13, 2006
Ubuntu Security Notice, USN-242-1 January 16,
2006
Debian Security Advisory, DSA-955-1, January 25, 2006
RedHat Security Advisory, RHSA-2006:0204-10, March 7,
2006
Trustix Secure Linux Security Advisory
#2006-0012, March 10, 2006
GNU
tar 1.15.90, 1.15.1, 1.14.90, 1.15, 1.14
A buffer overflow vulnerability has been reported
when handling PAX extended headers due to a boundary
error, which could let a remote malicious user cause a
Denial of Service and potentially execute arbitrary
code.
Mandriva Security Advisory, MDKSA-2006:046, February
21, 2006
Ubuntu Security Notice, USN-257-1, February 23,
2006
Trustix Secure Linux Security Advisory, #2006-0010,
February 24, 2006
RedHat Security Advisory, RHSA-2006:0232-3, March 1,
2006
SUSE Security Summary Report, SUSE-SR:2006:005, March
3, 2006
Debian Security Advisory, DSA-987-1, March 7,
2006
Gentoo Linux Security Advisory, GLSA
200603-06, March 10, 2006
GNU
GNU Privacy Guard prior to 1.4.2.2.
A vulnerability has been reported caused due to an
error in the detection of unsigned data, which could let
a remote malicious user inject arbitrary data and bypass
verification.
Debian Security Advisory, DSA 993-1, March 10, 2006
Gentoo Linux Security Advisory, GLSA 200603-08, March
10, 2006
SUSE Security Announcement, SUSE-SA:2006:014, March
10, 2006
Slackware Security Advisory, SSA:2006-072-02, March
13, 2006
RedHat Security Advisory, RHSA-2006:0266-8, March 15,
2006
GnuPG
GnuPG / gpg prior to 1.4.2.1
A vulnerability has been reported because 'gpgv'
exits with a return code of 0 even if the detached
signature file did not carry any signature (if 'gpgv' or
'gpg --verify' is used), which could let a remote
malicious user bypass security restrictions.
Fedora Update Notification, FEDORA-2006-116,
February 17, 2006
Debian Security Advisory, DSA-978-1, February 17,
2006
Mandriva Security Advisory, MDKSA-2006:043, February
17, 2006
Ubuntu Security Notice, USN-252-1, February 17,
2006
Gentoo Linux Security Advisory, GLSA 200602-10,
February 18, 2006
SuSE Security Announcement, SUSE-SA:2006:009,
February 20, 2006
SUSE Security Announcement, SUSE-SA:2006:013, March
1, 2006
SUSE Security Summary Report, SUSE-SR:2006:005, March
3, 2006
Slackware Security Advisory, SSA:2006-072-02,
March 13, 2006
RedHat Security Advisory, RHSA-2006:0266-8,
March 15, 2006
GNU
zgrep 1.2.4
A vulnerability has been reported in 'zgrep.in' due
to insufficient validation of user-supplied arguments,
which could let a remote malicious user execute
arbitrary commands.
Mandriva Linux Security Update Advisory,
MDKSA-2005:092, May 19, 2005
Turbolinux Security Advisory, TLSA-2005-59, June
1, 2005
RedHat Security Advisory, RHSA-2005:357-19,
June 13, 2005
RedHat Security Advisory, RHSA-2005:474-15,
June 16, 2005
SGI Security Advisory, 20050603-01-U, June 23,
2005
Fedora Update Notification, FEDORA-2005-471,
June 27, 2005
SGI Security Advisory, 20050605-01-U, July 12,
2005
Secunia Advisory: SA16159, July 21, 2005
Ubuntu Security Notice, USN-158-1, August 01,
2005
Trustix Secure Linux Security Advisory,
TSLSA-2005-0040, August 5, 2005
Avaya Security Advisory, ASA-2005-172, August 29,
2005
Fedora Legacy Update Advisory, FLSA:158801, November
14, 2005
SCO Security Advisories, SCOSA-2005.58 &
SCOSA-2005.59, December 16, 2005
Mandriva Security Advisories, MDKSA-2006:026 &
MDKSA-2006:027, January 30, 2006
SGI Security Advisory, 20060301-01-U, March
8, 2006
Himpfen Consulting
PHP SimpleNEWS 1.x, SimpleNEWS MySQL 1.x
A vulnerability has been reported in 'admin.php' due
to an insecure authentication process, which could let a
remote malicious user bypass security restrictions.
No workaround or patch available at time of
publishing.
Currently we are not aware of any exploits for this
vulnerability.
PHP SimpleNEWS Authentication Bypass
Not Available
Secunia Advisory: SA19195, March 10, 2006
Horde Project
Horde Application Framework 3.0.9 & prior
A vulnerability has been reported in
'services/go.php' due to insufficient verification of
the 'url' parameter before using in a 'readfile()' call,
which could let a remote malicious user obtain sensitive
information.
Currently we are not aware of any exploits for this
vulnerability.
Horde Information Disclosure
Not Available
Secunia Advisory: SA19246, March 15, 2006
Image Magick
ImageMagick 6.2.4.5
A vulnerability has been reported in the delegate
code that is used by various ImageMagick utilities when
handling an image filename due to an error, which could
let a remote malicious user execute arbitrary commands;
and a format string vulnerability has been reported when
handling filenames received via command line arguments,
which could let a remote malicious user execute
arbitrary code.
Ubuntu Security Notice, USN-246-1, January 24,
2006
Debian Security Advisory, DSA-957-1, January 26,
2006
Mandriva Security Advisory, MDKSA-2006:024, January
26, 2006
Gentoo Linux Security Advisory, GLSA 200602-06,
February 13, 2006
RedHat Security Advisory, RHSA-2006:0178-4, February
14, 2006
Gentoo Linux Security Advisory, GLSA 200602-13,
February 26, 2006
SGI Security Advisory, 20060301-01-U, March
8, 2006
Julian Pawlowski
CAPI4HylaFAX 1.3
A vulnerability has been reported due to the insecure
creation of temporary files, which could let a malicious
user overwrite sensitive data or configuration
files.
No workaround or patch available at time of
publishing.
A vulnerability has been reported in 'dwnld.php' due
to insufficient sanitization of the 'pg' parameter,
which could let a remote malicious user overwrite
arbitrary files.
A vulnerability has been reported due to a flaw in
its creation of IVs (Initialization Vectors) for ciphers
with a block size larger than 8 when the RandomIV-style
header is used, which could let a remote malicious user
bypass security restrictions.
Debian Security Advisory, DSA-996-1, March
13, 2006
Metamail
Metamail 2.7
A buffer overflow vulnerability has been reported
when handling boundary headers within email messages,
which could let a remote malicious user execute
arbitrary code. Note: According to Security Tracker
this is a Linux/Unix vulnerability. Previously
classified as multiple operating systems.
Security Focus, Bugtraq ID: 16611, February 13, 2006
RedHat Security Advisory, RHSA-2006:0217-4, February
21, 2006
Mandriva Security Advisory, MDKSA-2006:047, February
22, 2006
SUSE Security Summary Report, SUSE-SR:2006:005, March
3, 2006
Debian Security Advisory, DSA-995-1, March
13, 2006
Multiple Vendors
Xpdf 3.0 pl2 & pl3, 3.01, 3.00, 2.0-2.03, 1.00,
1.00a, 0.90-0.93; RedHat Fedora Core4, Core3,
Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4,
ES 3, ES 2.1 IA64, 2.1, Enterprise Linux AS 4, AS 3, 2.1
IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for
the Itanium Processor 2.1 IA64, 2.1; teTeX 2.0.1, 2.0;
Poppler poppler 0.4.2; KDE kpdf 0.5, KOffice 1.4.2;
PDFTOHTML PDFTOHTML 0.36
Multiple vulnerabilities have been reported: a
heap-based buffer overflow vulnerability was reported in
the 'DCTStream::readBaselineSOF()' function in
'xpdf/Stream.cc' when copying data from a PDF file,
which could let a remote malicious user potentially
execute arbitrary code; a buffer overflow vulnerability
was reported in the
'DCTStream::readProgressiveSOF()' function in
'xpdf/Stream.cc' when copying data from a PDF file,
which could let a remote malicious user potentially
execute arbitrary code; a buffer overflow vulnerability
was reported in the
'StreamPredictor::StreamPredictor()' function in
'xpdf/Stream.cc' when using the 'numComps' value to
calculate the memory size, which could let a remote
malicious user potentially execute arbitrary code; and a
vulnerability was reported in the
'JPXStream::readCodestream()' function in
'xpdf/JPXStream.cc' when using the 'nXTiles' and
'nYTiles' values from a PDF file to copy data from the
file into allocated memory, which could let a remote
malicious user potentially execute arbitrary code.
Fedora Update Notifications, FEDORA-2005-1007
& 1013, October 20, 2005
Security Focus, Bugtraq ID: 15156, October 31, 2005
Ubuntu Security Notice, USN-219-1, November 22,
2005
SUSE Security Announcement, SUSE-SA:2005:067,
December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068,
December 14, 2005
RedHat Security Advisory, RHSA-2006:0140-9, January
19, 2006
RedHat Security Advisories, RHSA-2006:0190-5 &
RHSA-2006:0191-9, February 1, 2006
SmoothWall Advisory, March 15, 2006
Multiple Vendors
Fast Lexical Analyzer Generator (Flex) prior to
2.5.33
A buffer overflow vulnerability has been reported in
'flex.skl' due to a boundary error, which could let a
remote malicious user execute arbitrary code.
A race condition vulnerability has been reported in
ia32 emulation, that could let local malicious users
obtain root privileges or create a buffer overflow.
Trustix Secure Linux Security Advisory,
TSLSA-2005-0036, July 14, 2005
SUSE Security Announcement, SUSE-SA:2005:044,
August 4, 2005
RedHat Security Advisory, RHSA-2005:663-19, September
28, 2005
Debian Security Advisory, DSA 921-1, December 14,
2005
SmoothWall Advisory, March 15, 2006
Multiple Vendors
Linux kernel 2.2.x, 2.4.x, 2.6.x
A buffer overflow vulnerability has been reported in
the 'elf_core_dump()' function due to a signedness
error, which could let a malicious user execute
arbitrary code with ROOT privileges.
A vulnerability has been reported due to the way
console keyboard mapping is handled, which could let a
malicious user modify the console keymap to include
scripted macro commands.
Security Focus, Bugtraq ID: 15122, October 17, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218,
219 & 220, November 30, 2005
Fedora Update Notification, FEDORA-2005-1138,
December 13, 2005
Conectiva Linux Announcement, CLSA-2006:1059, January
2, 2006
SmoothWall Advisory, March 15, 2006
Multiple Vendors
Linux kernel 2.6-2.6.15.4
Multiple vulnerabilities have been reported: a Denial
of Service vulnerability has been reported in the
'nfs_get_user_pages()' function due to insufficient
checks on the return value; a Denial of Service
vulnerability has been reported due to missing checks
for bad elf entry addresses; and a Denial of Service
vulnerability has been reported in the 'sys_mbind()'
function due to insufficient sanity checks.
A vulnerability has been reported due to an
implementation flaw of a zero IP ID information
disclosure countermeasure, which could let a remote
malicious user obtain sensitive information.
No workaround or patch available at time of
publishing.
Currently we are not aware of any exploits for this
vulnerability.
MandrakeSoft Multi Network Firewall 2.0, Linux
Mandrake 2006.0 x86_64, 2006.0, 10.2 x86_64, 10.2,
Corporate Server 3.0 x86_64, 3.0; GNU wget 1.10;
Daniel Stenberg curl 7.14.1, 7.13.1, 7.13, 7.12.1-7.12.3,
7.11-7.11.2, 7.10.6-7.10.8
A buffer overflow vulnerability has been reported due
to insufficient validation of user-supplied NTLM user
name data, which could let a remote malicious user
execute arbitrary code.
Security Tracker Alert ID: 1015056, October 13, 2005
Mandriva Linux Security Update Advisories,
MDKSA-2005:182 & 183, October 13, 200
Ubuntu Security Notice, USN-205-1, October 14,
2005
Fedora Update Notifications FEDORA-2005-995 &
996, October 17, 2005
Fedora Update Notification, FEDORA-2005-1000,
October 18, 2005
Trustix Secure Linux Security Advisory,
TSLSA-2005-0059, October 21, 2005
Gentoo Linux Security Advisory, GLSA 200510-19,
October 22, 2005
RedHat Security Advisories, RHSA-2005:807-6 &
RHSA-2005:812-5, November 2, 2005
SUSE Security Summary Report, SUSE-SR:2005:025,
November 4, 2005
Slackware Security Advisory, SSA:2005-310-01,
November 7, 2005
Debian Security Advisory, DSA 919-1, December 12, 2005
SCO Security Advisory, SCOSA-2006.10, March
14, 2006
Multiple Vendors
RedHat Enterprise Linux WS 4, WS 3, 2.1, IA64, ES 4,
ES 3, 2.1, IA64, AS 4, AS 3, AS 2.1, IA64, Desktop 4.0,
3.0, Advanced Workstation for the Itanium Processor 2.1,
IA64; OpenSSL Project OpenSSL 0.9.3-0.9.8, 0.9.2b,
0.9.1c; FreeBSD 6.0 -STABLE, -RELEASE, 5.4 -RELENG,
-RELEASE, 5.3 -STABLE, -RELENG, -RELEASE, 5.3, 5.2.1
-RELEASE, -RELENG, 5.2 -RELEASE, 5.2, 5.1 -RELENG,
-RELEASE/Alpha, 5.1 -RELEASE-p5, -RELEASE, 5.1, 5.0
-RELENG, 5.0, 4.11 -STABLE, -RELENG, 4.10 -RELENG,
-RELEASE, 4.10
A vulnerability has been reported due to the
implementation of the
'SSL_OP_MSIE_SSLV2_RSA_PADDING' option that
maintains compatibility with third party software, which
could let a remote malicious user bypass security.
Ubuntu Linux 5.10 powerpc, i386, amd64, 5.04
powerpc, i386, amd64, 4.1 ppc, ia64, ia32; Linux
kernel 2.6-2.6.15.3
A race condition vulnerability has been reported in
the security key functionality, which could let a
malicious user cause a Denial of Service and possibly
obtain sensitive information.
Security Focus, Bugtraq ID: 16248, January 16, 2006
Ubuntu Security Notice, USN-242-1 January 16,
2006
Debian Security Advisory, DSA-955-1, January 25, 2006
RedHat Security Advisory, RHSA-2006:0204-10, March 7,
2006
Trustix Secure Linux Security Advisory
#2006-0012, March 10, 2006
PCRE
PCRE 6.1, 6.0, 5.0
A vulnerability has been reported in 'pcre_compile.c'
due to an integer overflow, which could let a
remote/local malicious user potentially execute
arbitrary code.
Gentoo Linux Security Advisory, GLSA 200509-19,
September 27, 2005
Debian Security Advisory, DSA 821-1, September 28,
2005
Conectiva Linux Announcement, CLSA-2005:1013,
September 27, 2005
Turbolinux Security Advisory, TLSA-2005-92, October
3, 2005
Avaya Security Advisory, ASA-2005-216, October 18,
2005
Trustix Secure Linux Security Advisory,
TSLSA-2005-0059, October 21, 2005
HP Security Bulletin, HPSBUX02074, November 16, 2005
Trustix Secure Linux Security Advisory,
TSLSA-2005-0062, November 22, 2005
Security Focus, Bugtraq ID: 14620, November 25,
2005
SCO Security Advisory, SCOSA-2006.10, March
14, 2006
Rahul Dhesi
Zoo 2.10
A buffer overflow vulnerability has been reported in
the 'fullpath()' in 'misc.c' due to insufficient bounds
checking, which could let a remote malicious user
execute arbitrary code.
Security Tracker Alert ID: 1015668, February 23, 2006
SUSE Security Summary Report, SUSE-SR:2006:005, March
3, 2006
Gentoo Linux Security Advisory, GLSA 200603-05, March
6, 2006
Debian Security Advisory, DSA 991-1, March
10, 2006
RedHat
RedHat initscripts 7.93.24, Enterprise Linux WS 4, ES
4, AS 4, Desktop 4.0
A vulnerability has been reported when the
'sbin/service' command is run due to an error when
handling certain variables, which could let a malicious
user obtain elevated privileges.
RedHat Security Advisory, RHSA-2006:0016-18, March
7, 2006
sa-exim
sa-exim 4.0-4.2
A vulnerability has been reported in
'greylistclean.cron' when deleting files containing
spaces in their filenames in the greylist cache
directory, which could let a remote malicious user
bypass security restrictions.
Currently we are not aware of any exploits for this
vulnerability.
sa-exim Security Restriction Bypass
Not Available
Security Focus, Bugtraq ID: 17110, March 14, 2006
Ubuntu
Ubuntu Linux 5.10 powerpc, i386, amd64
A vulnerability has been reported because user
credentials are written to world-readable installation
log files during installation, which could let a
malicious user obtain sensitive information.
Security Focus, Bugtraq ID: 16710, February 17, 2006
Debian Security Advisory, DSA-1000-1,
March 14, 2006
Apple
QuickTime Player 7.0.4, 7.0.3, iTunes 6.0.2, 6.0.1
An integer overflow and heap-based buffer overflow
vulnerability have been reported in Apple QuickTime and
iTunes, which could let a remote malicious user execute
arbitrary code.
No workaround or patch available at time of
publishing.
There is no exploit code required.
Apple QuickTime/iTunes Integer &
Heap Overflow
Not Available
Security Focus, Bugtraq ID: 17074, March 11, 2006
Belchior Foundry
vCard 2.9, 2.8
Cross-Site Scripting vulnerabilities have been
reported in 'create.php' due to insufficient
sanitization of the 'card_id,' 'uploaded,'
'card_fontsize,' and 'card_color' parameters before
returning to the user, which could let a remote
malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited through a web
client; however, a Proof of Concept exploit has been
published.
Several vulnerabilities have been reported: a remote
Denial of Service vulnerability was reported in the
'enet_protocol_handle_incoming_commands()' function
when validating a pointer; and a remote Denial of
Service vulnerability was reported when handling
fragmented packet reassembly.
No workaround or patch available at time of
publishing.
There is no exploit code required; however, a Proof
of Concept exploit script, enet_exploit.c, has been
published.
A buffer overflow vulnerability has been reported due
to a boundary error when processing error messages,
which could let a remote malicious user execute
arbitrary code.
Multiple vulnerabilities have been reported: an SQL
injection vulnerability was reported due to insufficient
sanitization of the 'memName' cookie parameter before
using in an SQL query, which could let a remote
malicious user execute arbitrary SQL code; and a script
insertion vulnerability was reported due to insufficient
sanitization of the 'msg' parameter when signing the
guestbook before using, which could let a remote
malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited with a web client;
however, a Proof of Concept exploit script,
d2kblog-sql-inj.pl, has been published.
Multiple Cross-Site Scripting vulnerabilities have
been reported due to insufficient sanitization of
user-supplied input, which could let a remote malicious
user execute arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited through use of a web
client; however, Proof of Concept exploits have been
published.
Technical University of Vienna Security
Advisory TUVSA-0603-001, March 9, 2006
Drupal
Drupal prior to 4.5.8 & 4.6.6
Multiple vulnerabilities have been reported: a
vulnerability was reported when using 'menu.module' to
create a menu item, which could let a remote malicious
user bypass security restrictions; a Cross-Site
Scripting vulnerability was reported due to insufficient
sanitization of unspecified input before returning to
the user, which could let a remote malicious user
execute arbitrary HTML and script code; a vulnerability
was reported when handling sessions during login due to
an error, which could let a remote malicious user hijack
another user's session; and a vulnerability was reported
due to insufficient sanitization of unspecified input
before using in mail headers, which could let a remote
malicious user inject arbitrary headers in outgoing
mails.
An SQL injection vulnerability has been reported in
the 'index.php' script due to insufficient validation of
the 'X-Forwarded-For' HTTP header parameter before using
in an SQL query, which could let a remote malicious user
execute arbitrary SQL code.
No workaround or patch available at time of
publishing.
Currently we are not aware of any exploits for this
vulnerability.
Security Tracker Alert ID: 1015756, March 13, 2006
DSPortal
DSNewsletter 1.1
An SQL injection vulnerability has been reported due
to insufficient sanitization of the 'email' parameter
before using in an SQL query, which could let a remote
malicious user execute arbitrary SQL code.
No workaround or patch available at time of
publishing.
Vulnerability can be exploited through a web client.
Security Tracker Alert ID: 1015757, March 13, 2006
DSPortal
DSPoll 1.1
An SQL injection vulnerability has been reported in
the 'pollid' parameter due to insufficient sanitization
before using in an SQL query, which could let a remote
malicious user execute arbitrary SQL code.
No workaround or patch available at time of
publishing.
Vulnerability can be exploited through a web client.
Security Tracker Alert ID: 1015758, March 13, 2006
DSPortal
DSDownload 1.0
SQL injection vulnerabilities have been reported in
'downloads.php' due to insufficient sanitization of the
'category' parameter and in 'search.php' due to
insufficient sanitization of the 'key' parameter, which
could let a remote malicious user execute arbitrary SQL
code.
No workaround or patch available at time of
publishing.
Currently we are not aware of any exploits for these
vulnerabilities.
A buffer overflow vulnerability has been reported in
the 'dissect_ospf_v3_address_prefix()' function in
the OSPF protocol dissector due to a boundary error when
converting received binary data to a human readable
string, which could let a remote malicious user execute
arbitrary code.
Ethereal Security Advisory, enpa-sa-00022, December
27, 2005
Mandriva Linux Security Advisory MDKSA-2006:002,
January 3, 2006
RedHat Security Advisory, RHSA-2006:0156-6, January
11, 2006
Avaya Security Advisory, ASA-2006-046, February 13,
2006
SUSE Security Summary Report, SUSE-SR:2006:004,
February 24, 2006
SGI Security Advisory, 20060201-01-U, March
14, 2006
FFmpeg
FFmpeg 0.4.9-pre1, 0.4.6-0.4.8, FFmpeg CVS
A buffer overflow vulnerability has been reported in
the 'avcodec_default_get_buffer()' function of 'utils.c'
in libavcodec due to a boundary error, which could let a
remote malicious user execute arbitrary code.
Ubuntu Security Notice, USN-230-1, December 14,
2005
Mandriva Linux Security Advisories
MDKSA-2005:228-232, December 15, 2005
Ubuntu Security Notice, USN-230-2, December 16,
2005
Gentoo Linux Security Advisory, GLSA 200602-01,
February 5, 2006
Gentoo Linux Security Advisory, GLSA 200603-03, March
4, 2006
Debian Security Advisory, DSA-992-1, March
10, 2006
free-av.de
AntiVir Personal Edition Classic 7
A vulnerability has been reported in 'notepad' because the
application is run with SYSTEM privileges when clicking
on the 'Report' button after an update is completed,
which could let a malicious user obtain elevated
privileges.
No workaround or patch available at time of
publishing.
There is no exploit code required.
AntiVir Update Report Elevated
Privileges
Not Available
Secunia Advisory: SA19217, March 13, 2006
Gallery Project
Gallery 2.0.3 & prior
A file include vulnerability has been reported in
'upgrade/index.php' and 'install/index.php' due to
insufficient verification of the 'stepOrder[]' parameter
before using to include files, which could let a remote
malicious user include arbitrary files and execute
arbitrary PHP code.
No workaround or patch available at time of
publishing.
A Proof of Concept exploit script,
gallery_stepOrder_watermark.php, has been published.
A remote Denial of Service vulnerability has been
reported due to an error in the client when handling
malformed XML data.
No workaround or patch available at time of
publishing.
There is no exploit code required; however, a Proof
of Concept exploit script, ggzcdos.c, has been
published.
GGZ Gaming Remote Denial of
Service
Not Available
Secunia Advisory: SA19212, March 13, 2006
Gnome Ltd.
Dwarf HTTP Server 1.3.2
Several vulnerabilities have been reported: a
vulnerability was reported due to a validation error in
the filename extension supplied by the user in the URL,
which could let a remote malicious user obtain sensitive
information; and a Cross-Site Scripting vulnerability
was reported due to insufficient sanitization of input
passed to the URL before returning to the user in an
error message, which could let a remote malicious user
execute arbitrary HTML and script code.
A vulnerability has been reported in the HTTP
interface of Tivoli LCF (Lightweight Client Framework),
which could let a remote malicious user obtain sensitive
information.
A Cross-Site Scripting vulnerability has been
reported in 'messanger.php' due to insufficient
sanitization of the 'mess' and 'user' parameters before
returning to the user, which could let a remote
malicious user execute arbitrary HTML and script
code.
No workaround or patch available at time of
publishing.
Vulnerability can be exploited through a web client;
however, a Proof of Concept exploit has been published.
Security Tracker Alert ID: 1015744, March 9, 2006
Jupiter CMS
Jupiter CMS 1.1.5, 1.1.4
An HTML injection vulnerability has been reported in
the 'image' BBcode due to insufficient sanitization of
user-supplied input before using it in dynamically
generated content, which could let a remote malicious
user execute arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
Vulnerability can be exploited through use of a web
client; however, exploit details, JupiterCMS.txt, have
been published.
A vulnerability has been reported in 'index.php' due
to insufficient sanitization of user-supplied input,
which could let a remote malicious user execute
arbitrary PHP code.
No workaround or patch available at time of
publishing.
There is no exploit code required; however, a Proof
of Concept exploit script, lwc_rce_index.php.pl, has
been published.
Light Weight Calendar Remote Command
Execution
Not Available
Security Focus, Bugtraq ID: 17059, March 9, 2006
L-Soft
Listserv 14.4, 14.3
Multiple unspecified vulnerabilities have been
reported which could let a remote malicious user execute
arbitrary code.
Multiple vulnerabilities have been reported: an
input validation vulnerability was reported in
'lurker.cgi,' which could let a remote malicious user
obtain sensitive information; a vulnerability was
reported due to an unspecified error which could let a
remote malicious user create or overwrite arbitrary
files in any directory called 'mbox;' and a
vulnerability was reported due to insufficient
sanitization of unspecified input before returning to
the user, which could let a remote malicious user
execute arbitrary HTML and script code.
Debian Security Advisory, DSA-999-1, March
14, 2006
manas tungare Site Membership
manas tungare Site Membership Script 0
Several vulnerabilities have been reported: a
Cross-Site Scripting vulnerability was reported in
'login.asp' and 'default.asp' due to insufficient
sanitization of the 'Error' parameter before returning
to the user, which could let a remote malicious user
execute arbitrary HTML and script code; and an SQL
injection vulnerability was reported in 'login.asp' due
to insufficient sanitization of the 'username' parameter
before using in an SQL query, which could let a remote
malicious user execute arbitrary SQL code.
Cross-Site Scripting vulnerabilities have been
reported in 'vmview.php' due to insufficient
sanitization of the 'ArtCat' parameter, in 'foot.php'
due to insufficient sanitization of the 'ctrrowcol'
parameter, and in 'wmcomments.php' due to insufficient
sanitization of the 'ArtID' parameter, which could let a
remote malicious user execute arbitrary HTML and script
code.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited through a web
client.
Mandriva Linux Security Advisory, MDKSA-2005:193-1,
October 26, 2005
Gentoo Linux Security Advisory, GLSA 200510-25,
October 30, 2005
SUSE Security Summary Report, SUSE-SR:2005:025,
November 4, 2005
Conectiva Security Announcement, CLSA-2005:1043,
November 8, 2005
Mandriva Linux Security Advisory MDKSA-2006:002,
January 3, 2006
Avaya Security Advisory, ASA-2006-046, February 13,
2006
SUSE Security Summary Report, SUSE-SR:2006:005, March
3, 2006
SGI Security Advisory, 20060201-01-U, March
14, 2006
Multiple Vendors
Mozilla Browser 0.8-0.9.9, 0.9.35, 0.9.48,
1.0-1.7.12, Thunderbird 0.x, 1.x, Firefox 0.x, 1.x;
SeaMonkey 1.0; RedHat Enterprise Linux WS 4, WS 3, WS
2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, ES 2.1, AS 4,
AS 3, AS 2.1 IA64, AS 2.1, Desktop 4.0, 3.0, Advanced
Workstation for the Itanium Processor 2.1 IA64, 2.1
Multiple vulnerabilities have been reported:
vulnerabilities were reported because temporary
variables that are not properly protected are used in
the JavaScript engine's garbage collection, which could
let a remote malicious user cause a Denial of Service or
execute arbitrary code; a vulnerability was reported
because a remote malicious user can create HTML that
will dynamically change the style of an element from
position:relative to position:static; a vulnerability
was reported because a remote malicious user can create
HTML that invokes the QueryInterface() method of the
built-in Location and Navigator objects; a vulnerability
was reported in the 'XULDocument.persist()' function due
to improper validation of the user-supplied attribute
name, which could let a remote malicious user execute
arbitrary code; an integer overflow vulnerability was
reported in the 'E4X,' 'SVG,' and 'Canvas' features,
which could let a remote malicious user execute
arbitrary code; a vulnerability was reported in the XML
parser because data can be read from locations beyond
the end of the buffer, which could lead to a Denial of
Service; and a vulnerability was reported because the
'E4X' implementation's internal 'AnyName' object is
incorrectly available to web content, which could let a
remote malicious user bypass same-origin restrictions.
Mandriva Security Advisories, MDKSA-2006:036 &
MDKSA-2006:037, February 7, 2006
SGI Security Advisory, 20060201-01-U, March
14, 2006
myBloggie
myBloggie 2.1.3 Beta, 2.1.3, 2.1.2
Multiple Cross-Site Scripting vulnerabilities have
been reported due to insufficient sanitization of
user-supplied input, which could let a remote malicious
user execute arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited through use of a web
client; however, Proof of Concept exploits have been
published.
Technical University of Vienna Security
Advisory TUVSA-0603-002, March 9, 2006
Nodez Project
Nodez 4.6.1.1 & prior
Several vulnerabilities have been reported: a file
include vulnerability was reported due to insufficient
verification of the 'op' parameter, which could let a
remote malicious user execute arbitrary PHP code; and a
Cross-Site Scripting vulnerability was reported in the
'op' parameter due to insufficient sanitization before
returning to the user, which could let a remote
malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited through use of a web
client; however, Proof of Concept exploits have been
published.
Security Tracker Alert ID: 1015747, March 10, 2006
NZEO
Zeroboard 4.1 pl 7 released 2005-04-04 &
prior
Multiple HTML injection vulnerabilities have been
reported due to insufficient sanitization of the memo
subject, user email address, and the user homepage field
before saving, which could let a remote malicious user
execute arbitrary HTML and script code.
A buffer overflow vulnerability has been reported
when handling parameters received in an URL due to a
boundary error, which could let a remote malicious user
execute arbitrary code.
Several vulnerabilities have been reported: a
vulnerability was reported due to insufficient sanitization
of the session ID in the session extension before returning
it to the user, which could let a remote malicious user inject
arbitrary HTTP headers; a format string vulnerability
was reported in the 'mysqli' extension when processing
error messages, which could let a remote malicious user
execute arbitrary code; and a vulnerability was reported
due to insufficient sanitization of unspecified input
that is passed under certain error conditions, which
could let a remote malicious user execute arbitrary HTML
and script code.
Mandriva Security Advisory, MDKSA-2006:028, February
1, 2006
Ubuntu Security Notice, USN-261-1, March 10,
2006
QwikiWiki
QwikiWiki 1.5, 1.4
Cross-Site Scripting vulnerabilities have been
reported in 'index.php,' 'login.php,' 'pageindex.php,'
and 'recentchanges.php' due to insufficient sanitization
of user-supplied input before returning to the user,
which could let a remote malicious user execute
arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited through use of a web
client; however, Proof of Concept exploits have been
published.
An SQL injection vulnerability has been reported in
'rss.php' due to insufficient sanitization of the
'cat_id' parameter before using it in an SQL query, which
could let a remote malicious user execute arbitrary SQL
code.
No workaround or patch available at time of
publishing.
Vulnerability can be exploited through a web client;
however, a Proof of Concept exploit script,
redblog-05-exploit.php, has been published.
Multiple vulnerabilities have been reported including
a buffer overflow vulnerability and several Denials of
Service, which could let a remote malicious user execute
arbitrary machine code or crash both clients and
servers.
Gentoo Linux Security Advisory, GLSA
200603-10, March 13, 2006
sBlog
sBlog 0.7.2
Multiple vulnerabilities have been reported: a
vulnerability was reported in 'search.php' due to
insufficient sanitization of the 'keyword' parameter in
an HTTP POST request, which could let a remote malicious
user execute arbitrary HTML and script code; and a
vulnerability was reported due to insufficient
sanitization of the 'username' form field when posting a
comment, which could let a remote malicious user execute
arbitrary HTML and script code.
Multiple vulnerabilities have been reported: a
Cross-Site Scripting vulnerability was reported in
'webmail.php' due to insufficient sanitization of the
'right_main' parameter before returning to the user,
which could let a remote malicious user execute
arbitrary HTML and script code; a Cross-Site Scripting
vulnerability was reported due to insufficient
sanitization of input passed to comments in styles
before returning to the user, which could let a remote
malicious user execute arbitrary HTML and script code;
and a vulnerability was reported in the
'sqimap_mailbox_select mailbox' parameter due to
insufficient sanitization before using in an IMAP query,
which could let a remote malicious user inject arbitrary
IMAP commands.
The vulnerabilities have been fixed in the CVS
repository and fixes will be included in the upcoming
1.4.6 version.
Mandriva Linux Security Advisory, MDKSA-2006:049,
February 27, 2006
Fedora Update Notification, FEDORA-2006-133, March
3, 2006
SUSE Security Summary Report, SUSE-SR:2006:005, March
3, 2006
Debian Security Advisory DSA-988-1, March
8, 2006
Gentoo Linux Security Advisory, GLSA
200603-09, March 12, 2006
txtForum
txtForum 1.0.4 -dev, 1.0.3 -dev
Multiple Cross-Site Scripting vulnerabilities have
been reported due to insufficient sanitization of
user-supplied input, which could let a remote malicious
user execute arbitrary HTML and script code.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited through use of a web
client; however, Proof of Concept exploits have been
published.
Technical University of Vienna Security
Advisory TUVSA-0603-004, March 9, 2006
unalz
unalz 0.53
A Directory Traversal vulnerability has been reported
due to an input validation error when extracting an ALZ
archive, which could let a remote malicious user obtain
sensitive information.
Several vulnerabilities have been reported: an HTML
injection vulnerability was reported in 'signup.php' due
to insufficient sanitization of the 'real_name,'
'email,' and 'login' parameters before using them, which
could let a remote malicious user execute arbitrary HTML
and script code; and an SQL injection vulnerability was
reported in 'password.php' due to insufficient
sanitization of the 'email' parameter and in various
scripts due to insufficient sanitization of the 'id'
parameter, which could let a remote malicious user
execute arbitrary SQL code.
No workaround or patch available at time of
publishing.
Vulnerabilities can be exploited through use of a web
client.
@1 File Store HTML Injection & SQL
Injection
Not Available
Security Focus, Bugtraq ID: 17090, March 14, 2006
Vegas Forum
Vegas Forum 1.0
An SQL injection vulnerability has been reported in
'forumlib.php' due to insufficient sanitization, which
could let a remote malicious user execute arbitrary SQL
code.
No workaround or patch available at time of
publishing.
Vulnerability can be exploited through a web client;
however, a Proof of Concept exploit has been published.
An HTML injection vulnerability has been reported due
to insufficient sanitization of the subject field, which
could let a remote malicious user execute arbitrary HTML
and script code.
No workaround or patch available at time of
publishing.
Vulnerability can be exploited with a web browser;
however, a Proof of Concept exploit has been published.
Multiple unspecified vulnerabilities have been
reported including a buffer overflow and vulnerabilities
related to the handling of multipart/byteranges content.
The impact was not specified.
Fedora Update Notifications, FEDORA-2005-952
& 953, October 7, 2005
Mandriva Linux Security Advisory, MDKSA-2005:210,
November 10, 2005
Ubuntu Security Notice, USN-220-1, December 01,
2005
SCO Security Advisory, SCOSA-2006.10, March
14, 2006
Web Calendar
Web Calendar 1.0.1
Several vulnerabilities have been reported: SQL
injection vulnerabilities were reported due to
insufficient sanitization in 'export_handler.php,'
'activity_log.php,' 'admin_handler.php,' and
'edit_template.php' before using input in an SQL query, which
could let a remote malicious user execute arbitrary SQL
code; and a vulnerability was reported in
'export_handler.php' due to insufficient verification of
the 'id' and 'format' parameters before they are used to save
data files, which could let a remote malicious user
overwrite saved data files.
Security Focus, Bugtraq ID: 15606, December 1, 2005
Debian Security Advisory, DSA-1002-1,
March 15, 2006
Web Calendar
WebCalendar 1.0.1
An HTTP response splitting vulnerability has been
reported in 'Layers_Toggle.php' due to insufficient
sanitization, which could let a remote malicious user
influence or misrepresent how Web content is served,
cached or interpreted.
Debian Security Advisory, DSA-1002-1,
March 15, 2006
Xpdf
Xpdf 3.01
A heap-based buffer overflow vulnerability has been
reported when handling PDF splash images with overly
large dimensions, which could let a remote malicious
user execute arbitrary code.
Slackware Security Advisories, SSA:2006-045-04 &
SSA:2006-045-09, February 14, 2006
Gentoo Linux Security Advisory, GLSA 200602-12,
February 21, 2006
Debian Security Advisory, DSA-998-1,
March 14, 2006
Zoph
Zoph 0.x
SQL injection vulnerabilities have been reported due
to insufficient sanitization of unspecified input before
using in an SQL query, which could let a remote
malicious user execute arbitrary SQL code.
The vulnerabilities have been fixed in version
0.5pre1.
This section contains wireless
vulnerabilities, articles, and malicious code that have been
identified during the current reporting period.
hcidump
Bluetooth L2CAP Remote Denial of Service: Debian has released an update for the Denial
of Service vulnerability in the L2CAP (Logical Link Control
and Adaptation Layer Protocol) layer.
Metro Wi-Fi Networks To Grow 8,400% By 2010: According to a report from ABI Research, by
2010 municipal Wi-Fi networks will cover 126,000 square
miles (over 325,000 square km) worldwide. This is an
increase from about 1,500 square miles in 2005 (3885 square
kilometers). ABI says the growth of municipal Wi-Fi is
being driven by several trends, including use of the
wireless networks for public safety and increased efficiency.
This section contains brief
summaries and links to articles which discuss or present
information pertinent to the cyber security community.
Virus names likely a lost cause: In early February, antivirus firms
warned customers about a computer virus programmed to delete
files on the third of each month, but almost every company
called the program by a different name. While this episode
highlighted the continuing issues for the average Internet
user, the incident became the first success for an effort to
create a single identifier among responders for common
threats. While consumers may have wondered about which
threat to be worried about, incident response teams and
information-technology managers had a single name for the
attack, CME-24. The designation comes from the Common Malware Enumeration (CME)
Project, an initiative spearheaded by federal
contractor MITRE Corp. The project does not intend to solve
the naming problem for consumers, but to provide a neutral
common identifier that incident responders can use.
Americans Want Banks To Spy On Their Accounts: According to a survey conducted by RSA
Security, nine out of ten Americans want their banks to
monitor their online accounts for signs of suspicious
behavior. The poll also found that although consumers aren't
seeing a rise in the number of phishing e-mails, they are
increasingly wary of all electronic communiqués from their
banks. According to the telephone survey, 79 percent said that
they were less likely to respond to e-mail from their bank
because of worry over phishing scams; that's up nine points
from 2004.
The Tracks We Leave Behind: Web searches are not very
private. They leave behind footprints in server logs that
record their activities. The logs show the IP address of a
user's computer, the date and time a visitor clicked on a
Web page, the user's PC operating system and browser, and
the referring URL that brought them to a site. An IP address
can, with a reasonable degree of accuracy, be used to
identify a user's location, through a geolocation service or
an Internet service provider. When compelled by law or
sometimes merely at the request of legal authorities, ISPs
will identify their subscribers.
Clever Phishers Dodge Spoofed Site Shutdowns: A new technique
is being used by fraudsters in order to keep their spoofed
Web sites up and running. According to RSA Security's
Naftali Bennett, the senior vice president of its Cyota
anti-fraud division, some phishers have started using a
tactic called "smart site redirection" to stay a step ahead
of the law.
A
list of high threat viruses, as reported to various anti-virus
vendors and virus incident reporting organizations, has been
ranked and categorized in the table below. For the purposes of
collecting and collating data, infections involving multiple
systems at a single location are considered a single
infection. It is therefore possible that a virus has infected
hundreds of machines but has only been counted once. With the
number of viruses that appear each month, it is possible that
a new virus will become widely distributed before the next
edition of this publication. To limit the possibility of
infection, readers are reminded to update their anti-virus
packages as soon as updates become available. The table lists
the viruses by ranking (number of sites affected), common
virus name, type of virus code (i.e., boot, file, macro,
multi-partite, script), trends (based on number of infections
reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trend | Date | Description
1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
2 | Zafi-B | Win32 Worm | Stable | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names.
3 | Lovgate.w | Win32 Worm | Stable | April 2004 | A mass-mailing worm that propagates by using MAPI as a reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network.
4 | Mytob-GH | Win32 Worm | Stable | November 2005 | A variant of the mass-mailing worm that disables security-related programs and allows others to access the infected system. This version sends itself to email addresses harvested from the system, forging the sender's address.
5 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.
6 | Mytob-AS | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that disables security-related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine.
7 | Sober-Z | Win32 Worm | Stable | December 2005 | This worm travels as an email attachment, forging the sender's address, harvesting addresses from infected machines, and using its own mail engine. It further downloads code from the internet, installs into the registry, and reduces overall system security.
8 | Mytob.C | Win32 Worm | Stable | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files.
9 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.
10 | Mytob-BE | Win32 Worm | Stable | June 2005 | A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables antivirus software, and modifies data.