10657851 2003-09-08 14:50 -0400 /344 rader/ CERT Advisory <cert-advisory@cert.org>
Sänt av: bellman@lysator.liu.se
Importerad: 2003-09-08 21:24 av Brevbäraren
Extern mottagare: cert-advisory@cert.org
Mottagare: Bugtraq (import) <28884>
Sänt: 2003-09-09 00:56
Ärende: CERT Summary CS-2003-03
------------------------------------------------------------
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Message-ID: <CS-2003-03.1@cert.org>
-----BEGIN PGP SIGNED MESSAGE-----
CERT Summary CS-2003-03
September 8, 2003
Each quarter, the CERT Coordination Center (CERT/CC) issues the
CERT Summary to draw attention to the types of attacks
reported to our incident response team, as well as other
noteworthy incident and vulnerability information. The summary
includes pointers to sources of information for dealing with the
problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in June 2003
(CS-2003-02), we have seen a large volume of reports related to a mass
mailing worm, referred to as W32/Sobig.F, and have issued advisories
on the exploitation of vulnerabilities in Microsoft's RPC
implementation. The culmination of the RPC vulnerabilities resulted in
the W32/Blaster Worm, which affected many Microsoft users. We have
also reported on a vulnerability in the Cisco IOS interface as well as
on multiple vulnerabilities in Microsoft Windows libraries and
Internet Explorer.
For more current information on activity being reported to
the CERT/CC, please visit the CERT/CC Current Activity page. The
Current Activity page is a regularly updated summary of the
most frequent, high-impact types of security incidents and
vulnerabilities being reported to the CERT/CC. The information on
the Current Activity page is reviewed and updated as reporting
trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. W32/Sobig.F Worm
On August 18, the CERT/CC began receiving a large
volume of reports of a mass mailing worm, referred to
as W32/Sobig.F, spreading on the Internet. The W32/Sobig.F
worm is an e-mail borne malicious program with a specially
crafted attachment that has a .pif extension. The
W32/Sobig.F worm requires a user to execute the attachment
either manually or by using an e-mail client that will open
the attachment automatically. The CERT/CC has released an
Incident Note on the W32/Sobig.F worm.
CERT Incident Note IN-2003-03
W32/Sobig.F Worm
http://www.cert.org/incident_notes/IN-2003-03.html
2. Exploitation of Vulnerabilities in Microsoft RPC Interface
In late July, the CERT/CC began receiving reports of widespread
scanning and exploitation of two recently discovered
vulnerabilities in Microsoft Remote Procedure Call (RPC)
Interface. The CERT/CC released an advisory and a Vulnerability
Note which described these vulnerabilities approximately two weeks
prior to the reports of exploitation.
CERT Advisory CA-2003-19
Exploitation of Vulnerabilities in Microsoft RPC
Interface
http://www.cert.org/advisories/CA-2003-19.html
CERT Advisory CA-2003-16
Buffer Overflow in Microsoft RPC
http://www.cert.org/advisories/CA-2003-16.html
Vulnerability Note VU#568148
Microsoft Windows RPC vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/568148
a. W32/Blaster Worm
Shortly after we released multiple documents describing
Microsoft RPC vulnerabilities, we began receiving reports
of widespread activity related to a new piece of
malicious code known as W32/Blaster. The W32/Blaster worm
exploits a vulnerability in the Microsoft DCOM RPC
interface. On August 11, the CERT/CC released an advisory on
W32/Blaster. We also released step-by-step recovery tips for
W32/Blaster.
CERT Advisory CA-2003-20
W32/Blaster Worm
http://www.cert.org/advisories/CA-2003-20.html
W32/Blaster Recovery tips
http://www.cert.org/tech_tips/w32_blaster.html
b. W32/Welchia
Additionally, a worm was reported that attempted to exploit the
same vulnerability as W32/Blaster. This worm, known alternately as
'W32/Welchia', 'W32/Nachi', or 'WORM_MS_BLAST.D', has been
reported to kill and remove the msblast.exe artifact left behind
by W32/Blaster, perform ICMP scanning to identify systems to
target for exploitation, apply the patch from Microsoft (described
in MS03-026), and reboot the system. The greatest impact of this
worm appears to be the potential for denial-of-service conditions
within an organization due to high levels of ICMP traffic.
3. Cisco IOS Interface Blocked by IPv4 Packet
On July 16, the CERT/CC reported on a vulnerability in many versions
of Cisco IOS that could allow an intruder to execute a
denial-of-service attack against a vulnerable device. We also released
a companion Vulnerability Note on the same topic.
CERT Advisory CA-2003-15
Cisco IOS Interface Blocked by IPv4 Packet
http://www.cert.org/advisories/CA-2003-15.html
Vulnerability Note VU#411332
Cisco IOS Interface Blocked by IPv4 Packet
http://www.kb.cert.org/vuls/id/411332
Two days later we released an advisory which provided
information about the availability of a public exploit for
the Cisco IOS vulnerability.
CERT Advisory CA-2003-17
Exploit available for the Cisco IOS Interface Blocked
Vulnerabilities
http://www.cert.org/advisories/CA-2003-17.html
4. Vulnerabilities in Microsoft Windows Libraries and Internet
Explorer
During this quarter, there were a number of vulnerabilities
reported in Microsoft Windows Libraries and within Internet
Explorer. Below is a summary of those vulnerabilities.
a. Buffer Overflow in Microsoft Windows HTML Conversion Library
A buffer overflow vulnerability exists in a shared HTML
conversion library included in Microsoft Windows. An
attacker could exploit this vulnerability to execute
arbitrary code or cause a denial of service. On July 14,
the CERT/CC issued an advisory describing this vulnerability.
CERT Advisory CA-2003-14
Buffer Overflow in Microsoft Windows HTML Conversion
Library
http://www.cert.org/advisories/CA-2003-14.html
Vulnerability Note VU#823260
Microsoft Windows HTML conversion library vulnerable
to buffer overflow
http://www.kb.cert.org/vuls/id/823260
b. Integer Overflows in Microsoft Windows DirectX MIDI Library
A set of integer overflows exists in a DirectX library included in
Microsoft Windows. An attacker could exploit these vulnerabilities
to execute arbitrary code or to cause a denial of service. On July
25, the CERT/CC issued an advisory describing these
vulnerabilities.
CERT Advisory CA-2003-18
Integer Overflows in Microsoft Windows DirectX MIDI
Library
http://www.cert.org/advisories/CA-2003-18.html
Vulnerability Note VU#561284
Microsoft Windows DirectX MIDI library does not
adequately validate Text or Copyright parameters in MIDI
files
http://www.kb.cert.org/vuls/id/561284
Vulnerability Note VU#265232
Microsoft Windows DirectX MIDI library does not
adequately validate MThd track values in MIDI files
http://www.kb.cert.org/vuls/id/265232
c. Multiple Vulnerabilities in Microsoft Internet Explorer
Microsoft Internet Explorer (IE) contains multiple
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code with the privileges of the user
running Internet Explorer. On August 26, the CERT/CC issued an
advisory describing these vulnerabilities.
CERT Advisory CA-2003-22
Multiple Vulnerabilities in Microsoft Internet Explorer
http://www.cert.org/advisories/CA-2003-22.html
Vulnerability Note VU#205148
Microsoft Internet Explorer does not properly evaluate
Content-Type and Content-Disposition headers
http://www.kb.cert.org/vuls/id/205148
Vulnerability Note VU#865940
Microsoft Internet Explorer does not properly evaluate
"application/hta" MIME type referenced by DATA attribute
of OBJECT element
http://www.kb.cert.org/vuls/id/865940
Vulnerability Note VU#548964
Microsoft Windows BR549.DLL ActiveX control contains
vulnerability
http://www.kb.cert.org/vuls/id/548964
Vulnerability Note VU#813208
Internet Explorer does not properly render an input type
tag
http://www.kb.cert.org/vuls/id/813208
Vulnerability Note VU#334928
Microsoft Internet Explorer contains buffer overflow in
Type attribute of OBJECT element on double-byte character
set systems
http://www.kb.cert.org/vuls/id/334928
5. Malicious Code Propagation and Antivirus Software Updates
Recent reports to the CERT/CC have highlighted that the speed at which
viruses are spreading is increasing and that users who were
compromised may have been under the incorrect impression that merely
having antivirus software installed was enough to protect them from
all malicious code attacks. On July 14, the CERT/CC issued an Incident
Note describing this trend.
CERT Incident Note IN-2003-01
Malicious Code Propagation and Antivirus Software Updates
http://www.cert.org/incident_notes/IN-2003-01.html
______________________________________________________________________
New CERT Coordination Center (CERT/CC) PGP Key
On September 5, the CERT/CC issued a new PGP key, which should be
used when sending sensitive information to the CERT/CC.
CERT/CC PGP Public Key
https://www.cert.org/pgp/cert_pgp_key.asc
Sending Sensitive Information to the CERT/CC
https://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Vulnerability Notes
http://www.kb.cert.org/vuls
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Congressional Testimony
http://www.cert.org/congressional_testimony
* Incident Handling Certification
http://www.cert.org/certification/
* Training Schedule
http:/www.cert.org/training/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2003-03.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for
more information.
Getting security information
CERT publications and other security information are available
from our web site http://www.cert.org/
To subscribe to the CERT mailing list for advisories and
bulletins, send email to majordomo@cert.org. Please include in
the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the
U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY Any material furnished by Carnegie Mellon University
and the Software Engineering Institute is furnished on an
"as is" basis. Carnegie Mellon University makes no warranties of
any kind, either expressed or implied as to any matter
including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results
obtained from use of the material. Carnegie Mellon University does
not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright ©2003 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBP1zEHzpmH2w9K/0VAQEqXAP9FHdMZvoEMC4aLxZzP+e52RhSh6p9rzZ2
W+p3aBh6VOsf1mqpDnlJSZy2kydOLzTwklMm4ESxeSER81TfdbKUIgr7pfzNANn8
4DhrXxUZwcc1+5TWY6/LejrrCjZ2OpK9UxkjDSJKMEcrLqIhaEUL3Vr24iTvNliR
JKkslK9BDGk=
=w9dI
-----END PGP SIGNATURE-----
(10657851) /CERT Advisory <cert-advisory@cert.org>/(Ombruten)