November 17, 2005 - Current Activity


    updated Vulnerability in Macromedia Flash Player
    updated First 4 Internet XCP DRM Vulnerabilities
    Oracle Worm Proof-of-Concept Code
    Exploit for Snort Back Orifice Preprocessor Buffer Overflow Vulnerability
    Multiple Vulnerabilities in Skype
    Vulnerabilities in Oracle Products
    Vulnerability in Snort Back Orifice Preprocessor
    Hurricane Tragedies Spawn Phishing Sites
    Vulnerability in Cisco IOS Firewall Authentication Proxy



    Vulnerability in Macromedia Flash Player
    added November 14, 2005 | updated November 17, 2005

    US-CERT is aware of a buffer overflow vulnerability in Macromedia Flash Player versions 7.0.53.0 and earlier. If exploited, the vulnerability could allow a remote attacker to execute arbitrary code with privileges of the user on the affected system. We are not aware of any public exploits at this time.

    More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#146284 - Macromedia Flash Player fails to properly validate the frame type identifier read from a "SWF" file

    US-CERT encourages users to upgrade to the appropriate software version as described in the Macromedia Security Bulletin MPSB05-07.


    First 4 Internet XCP DRM Vulnerabilities
    added November 15, 2005 | updated November 17, 2005

    US-CERT is aware of several vulnerabilities in the XCP Digital Rights Management (DRM) software by First 4 Internet, which is distributed on some Sony BMG audio CDs. The XCP copy protection software uses "rootkit" technology to hide certain files from the user. This technique can pose a security threat, as malware can take advantage of the ability to hide files. We are aware of malware that is currently using this technique to hide.

    One of the uninstallation options provided by Sony also introduces vulnerabilities to a system. Upon submitting a request to uninstall the DRM software, the user will receive via email a link to a Sony BMG web page. This page will attempt to install an ActiveX control when it is displayed in Internet Explorer. This ActiveX control is marked "Safe for scripting," which means that any web page can utilize the control and its methods. Some of the methods provided by this control are dangerous, as they may allow an attacker to download and execute arbitrary code.

    More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#312073 - First 4 Internet XCP "Software Updater Control" ActiveX control incorrectly marked "safe for scripting"

    US-CERT recommends the following ways to help prevent the installation of this type of rootkit:

    • Do not run your system with administrative privileges. Without administrative privileges, the XCP DRM software will not install.
    • Use caution when installing software. Do not install software from sources that you do not expect to contain software, such as an audio CD.
    • Read the EULA (End User License Agreement) if you do decide to install software. This document can contain information about what the software may do.
    • Disable automatically running CD-ROMs by editing the registry to change the Autorun value to 0 (zero) as described in Microsoft Article 155217.

    Oracle Worm Proof-of-Concept Code
    added November 1, 2005 | updated November 7, 2005

    US-CERT is aware of publicly available proof-of-concept code for an Oracle worm. Currently, US-CERT cannot confirm if this code works. We are working with Oracle to determine the threat posed by this code.

    Although there is limited information concerning this potential threat, US-CERT strongly encourages Oracle system administrators to implement the following workarounds:

    • Change default user credentials for Oracle installations
    • Change the default port for the TNS listener
    • Restrict Oracle network access to trusted hosts only
    • Revoke CREATE DATABASE LINK privileges from the CONNECT role
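    The following Oracle SQL, run as a DBA, carries out the first and last of the workarounds above (auditing and revoking CREATE DATABASE LINK, and locking down well-known default accounts). It is an added example, not part of the US-CERT advisory or Oracle's own guidance; the account list and the placeholder password are assumptions to adapt to the installation. The listener port and trusted-host restrictions are listener.ora and sqlnet.ora changes and are not shown here.

```sql
-- Added example (not from the US-CERT advisory). Run as a DBA.

-- Workaround: find every grantee (role or user) that holds CREATE DATABASE LINK,
-- so the privilege can be traced before it is removed from CONNECT.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
 ORDER BY grantee;

-- Remove the privilege from the CONNECT role, as the advisory recommends.
-- Any user who legitimately needs database links should receive a direct
-- grant instead of inheriting it through CONNECT.
REVOKE CREATE DATABASE LINK FROM CONNECT;

-- Re-check the CONNECT role after the revoke.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'CONNECT'
   AND privilege = 'CREATE DATABASE LINK';

-- Workaround: review well-known default accounts (assumed list; extend it to
-- match the installed options) and their current status.
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('SCOTT', 'DBSNMP', 'OUTLN', 'MDSYS', 'CTXSYS',
                    'ORDSYS', 'WMSYS', 'XDB')
 ORDER BY username;

-- Lock and expire sample or unused accounts outright.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- Accounts that must remain usable get a new, non-default password.
-- The value below is a placeholder, not a real credential.
ALTER USER dbsnmp IDENTIFIED BY "REPLACE_WITH_STRONG_PASSWORD";
```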

    For additional information on Oracle Database Security, please refer to the following webpage:

    US-CERT will continue to investigate the issue and provide updates as they become available.


    Exploit for Snort Back Orifice Preprocessor Buffer Overflow Vulnerability
    added October 27, 2005

    US-CERT is aware of publicly available exploit code for a buffer overflow vulnerability in the Snort Back Orifice preprocessor. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with root or SYSTEM privileges.

    More information about this vulnerability can be found in the following:

    • US-CERT Vulnerability Note: VU#175500 - Buffer overflow in Snort Back Orifice preprocessor
    • Technical Cyber Security Alert: TA05-291A - Snort Back Orifice Preprocessor Buffer Overflow

    US-CERT encourages Snort users to upgrade to version 2.4.3 as soon as possible. Until a fixed version of Snort can be deployed, disabling the Back Orifice preprocessor will mitigate this vulnerability.


    Multiple Vulnerabilities in Skype
    added October 26, 2005

    US-CERT is aware of several buffer overflow vulnerabilities in Skype that may allow a remote attacker to execute arbitrary code.

    The most critical of these issues can be exploited by sending a specially crafted packet to a vulnerable Skype installation. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#905177 - Skype vulnerable to heap-based buffer overflow

    The other two vulnerabilities can be exploited by accessing a specially crafted VCARD or Skype URI. More information about these vulnerabilities can be found in the following US-CERT Vulnerability Notes:

    • VU#668193 - Skype VCARD handling routine contains a buffer overflow
    • VU#930345 - Skype URI handling routine contains a buffer overflow

    Skype has released the following Security Bulletins to address these vulnerabilities:

    US-CERT encourages Skype users to upgrade to the latest fixed version of Skype as soon as possible.


    Vulnerabilities in Oracle Products
    added October 19, 2005

    US-CERT is aware of multiple vulnerabilities in Oracle products. The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include remote execution of arbitrary code or commands, access to sensitive information, and denial of service.

    Many of these vulnerabilities are corrected by the Oracle Critical Patch Update (CPU) for October 2005. According to public reports, the patches included in this update, as well as previous updates, may not adequately correct all security vulnerabilities.

    More information about these vulnerabilities can be found in the following:

    • US-CERT Vulnerability Note: VU#210524 - Oracle products contain multiple vulnerabilities
    • Technical Cyber Security Alert: TA05-292A - Oracle products contain multiple vulnerabilities

    US-CERT is continuing to investigate these reports and will provide further information as it becomes available.


    Vulnerability in Snort Back Orifice Preprocessor
    added October 18, 2005

    US-CERT is aware of a buffer overflow vulnerability in the Snort Back Orifice preprocessor. If exploited, the vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code with possibly root or SYSTEM privileges on the affected system. We are not aware of any public exploits at this time.

    More information about this vulnerability can be found in the following:

    • US-CERT Vulnerability Note: VU#175500 - Buffer overflow in Snort Back Orifice preprocessor
    • Technical Cyber Security Alert: TA05-291A - Snort Back Orifice Preprocessor Buffer Overflow

    US-CERT encourages Snort users to upgrade to version 2.4.3 as soon as possible.


    Hurricane Tragedies Spawn Phishing Sites
    added August 31, 2005 | updated September 23, 2005

    US-CERT warns users to expect an increase in targeted phishing emails due to recent events such as Hurricane Katrina and Hurricane Rita. US-CERT has received reports of multiple phishing sites that attempt to trick users into donating funds to fraudulent foundations in the aftermath of Hurricane Katrina. US-CERT expects to see the same type of malicious activity during the aftermath of Hurricane Rita.

    Phishing emails may appear as requests from a charitable organization asking users to click on a link that then takes them to a fraudulent site designed to look like a legitimate charity. Users are then asked to provide personal information that can further expose them to future compromises.

    Users are encouraged to take the following measures to protect themselves from this type of phishing attack:

    1. Do not follow unsolicited web links received in email messages
    2. Contact your financial institution immediately if you believe your account and/or financial information has been compromised

    US-CERT strongly recommends that all users consult the Federal Emergency Management Agency (FEMA) web site for a list of legitimate charities before donating to their charity of choice.


    Vulnerability in Cisco IOS Firewall Authentication Proxy
    added September 8, 2005

    US-CERT is aware of a buffer overflow vulnerability in Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions. If exploited, the vulnerability could allow a remote unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition on the affected system. We are not aware of any public exploits at this time.

    More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

    • VU#236045 - Cisco IOS Firewall Authentication Proxy vulnerable to buffer overflow via specially crafted user authentication credentials

    US-CERT urges users to review the fixes, updates, and workarounds described in the Cisco Security Advisory.