Category Archives: Emerging Threats

US-CERT Issues Warning for Excel Trojan

Posted on by
Reply

The US-CERT has issued a warning in response to a Trojan actively exploiting MS08-014. First off, MS08-014 is for Microsoft Excel. The patch was released today that fixes critical vulnerabilities in MS Excel. These vulnerabilities could be exploited via a maliciously crafted Excel file to take complete control over a users system. Secondly, the Trojan they speak of is spreading through email with Excel attachments. The two attachment file names that US-CERT is aware of are OLYMPIC.xls and SCHEDULE.xls. These files may also contain Windows executables that can compromise an affected system. Patch now please.

RealPlayer Active Exploitation, MaxDB, others

Posted on by
Reply

A vulnerability has been reported in RealPlayer. An activex control, rmoc3260.dll, is vulnerable to remote code execution. This can be exploited when a user browses to a malicious page, and will execute code in the context of the user running the application. SANS reports that this vulnerability is being actively exploited in the wild. If you have RealPlayer installed on your system, it is highly recommended that you update to the latest version, however there is no patch available for the issue. The only current work around is to disable the affected activex control.
Two vulnerabilities have been reported in SAP’s MaxDB. These vulnerabilities can be exploited remotely and could result in code execution under the context of the running user. SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.
Multiple vulnerabilities have been reported for IBM Informix Dynamic Server. These vulnerabilities can be exploited to cause a buffer overflow. These vulnerabilities can be exploited remotely. There is not currently a patch available. For more information see CVE-2008-0727 and CVE-2008-0949.

March Windows Updates

Posted on by
Reply

Looks like Microsoft has released 4 critical Microsoft Office updates this month. All four updates are resolving issues that could lead to remote code execution. There are also several other non security related updates for Windows, WSUS, and Windows Update. Of course, as always, we recommend that you test the updates immediately and then deploy them to production.

Panda Dos

Posted on by
Reply

Panda Antivirus and Firewall is vulnerable to a denial of service and system compromise. The kernel driver included with Panda Antivirus and Firewall 2008 does not handle IOCTL requests correctly. This can result in a local denial of service or execution of code on the local system. There is currently a hotfix available for this issue. If you, or anyone you know, runs Panda Antivirus give them a heads up to run the update utility.

Checkpoint VPN XSS, Multiple Java Vulns

Posted on by
Reply

Checkpoint VPN-1 UTM Edge is vulnerable to cross site scripting. This particular XSS vulnerability allows for reflective cross site scripting pre authentication. This could allow attackers to embed the login form in an html form for deceptive and malicious purposes. The latest firmware version, 7.5.48, reportedly does not contain this vulnerability.

There are multiple vulnerabilities in Java. This includes Java Web Start, the JRE and SDK. These vulnerabilities could lead to a Denial of Service or system compromise. All of the more recent versions of Java are vulnerable, so if you haven’t updated your Java install in a few weeks, now would be the time to do so.

Lighttpd, a popular light open source web server, is vulnerable to CGI source exposure and potential denial of service. Version 1.4.18-r2 is affected and a newer version is available.

New Advanced Botnets Discovered

Posted on by
Reply

Previously undetected botnets have been found to be running under the radar. The largest one has gained the name “MayDay”. MayDay has not infected a lot of systems yet, like Storm has, but has advanced capabilities to evade detection. Notably, it’s able to send HTTP traffic through an enterprises proxy. The bot also uses peer-to-peer technology, through two channels, to stay in contact. The bot appears to be using both TCP and ICMP for data transmission.Even though this bot isn’t a large threat yet, it shows that bot development isn’t going to stop any time soon. Bot writers are getting smarter and more clever, while detection and analysis techniques are lagging behind.

Increase in European “Options” HTTP Scans from Linux Systems

Posted on by
Reply

Over the weekend, we saw a large increase in HoneyPoint captures of HTTP fingerprinting scans using the “Options *” technique. Even more interesting was that nearly all of these scans originated in Europe. The scans were all originated from Linux boxes and simple port probes show all of the boxes to be running OpenSSH 4.3 (some with p2). Other ports show no consistency on the originating systems.

Clearly, it could be a coincidence, but for multiple hosts to show only that correlating port, it could also be a specific exploit for OpenSSH 2.4. Additional research shows a few known issues with this version of OpenSSH. Perhaps a new bot-net is being launched by leveraging this vulnerability?

We are deploying additional SSH HoneyPoints to try and capture more data about possible exploitation of systems meeting these implementations.

Editor’s Note: The current version is OpenSSH 4.7/4.7p1 – so if you are using older versions (including 4.2/4.3) you should upgrade as soon as possible to the current revision.

Post revised to update for identified existing OpenSSH issues. 

Multiple IBM AIX Vulnerabilities

Posted on by
Reply

Vulnerabilities have been discovered in AIX’s X server and inet_network libc library that can lead to a number of threats. These include the execution of arbitrary code in a root context, Denial of Service, or exposure of sensitive data. The original IBM advisories are located at:

AIX X server multiple vulnerabilities

AIX libc inet_network buffer overflow

Thunderbird 2 MIME vulnerability

Posted on by
Reply

Mozilla Thunderbird 2.0.0.9 has been found to contain a heap buffer overflow vulnerability due to the way it handles external-body MIME types. Systems running this version of Thunderbird are vulnerable to compromise or the execution of arbitrary code via specially crafted email messages. You should update to Thunderbird 2.0.0.12 as soon as possible.

Mozilla’s advisory is located at: http://www.mozilla.org/security/announce/2008/mfsa2008-12.html

ICQ Vulnerability Should Increase Your Vigilance

Posted on by
Reply

A newly discovered format string error in ICQ version 6 build 6043 once again highlights the need to be cautious about who you are conversing with. Interaction  with the embedded Internet Explorer component can allow specially crafted messages to execute arbitrary code on the affected system. Make sure that you only open messages from known and trusted contacts.  It is a good idea to clean unknown or untrusted contacts from your contact list and enable the “Accept messages only from contacts” option. The build named above is known to be vulnerable other versions may also be affected