Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

June 2005 - Posts

phpBB 2.0.16 Fixes a Critical Security Issue

http://isc.sans.org/diary.php?date=2005-06-29

If you're using the popular phpBB bulletin board package, it's time to upgrade. Version 2.0.16, released earlier this week, fixes a critical security issue that can lead to the compromise of the vulnerable web server. The problem is with the viewtopic.php script, which, according to the FrSIRT advisory, fails to properly validate input when processing the "highlight" parameter. A similar vulnerability was being exploited by the Santy worm to deface web sites about half a year ago, as we reported in the December 21, 2004 diary. Please update your copy of phpBB to help prevent another such worm from gaining steam.

For information about the phpBB 2.0.16 release, see the phpBB Group announcement. You can get the updated package from their downloads page.

MS05-017 Exploit has been published

MS05-017 Exploit

http://isc.sans.org/diary.php?date=2005-06-28

FrSIRT has published a new exploit for the MS05-017 vulnerability. MS05-017 is a vulnerability in Message Queuing that allows a remote attacker to execute commands. It's time to patch and to filter any unnecessary ports.

Veritas Backup Software - Remote Control Exploit in-the-wild

  The Veritas Backup utility suites offer advanced functionality, and some of the security controls associated with their remote control functionality have been compromised.  This includes a new in-the-wild exploit; administrators should review trusted firewall port settings and move to the latest versions of the software as noted in the advisories below. 

http://isc.sans.org/diary.php?date=2005-06-25

QUOTE: We received some reports about spikes on port 10000. The main reason for that is the release of the exploit for Veritas, and used by the Metasploit Framework. ... It seems this exploit is crashing the service listening on port 10000. If sysadmins know they have Backup Exec installed and they scan the system they will see port 6101 and 10000 normally. After the exploit it will show only the port 6101 still listening.

Veritas Security Bulletins

Veritas Backup Exec/NetBackup Request Packet Denial Of Service Vulnerability
Veritas Backup Exec Server Remote Registry Access Vulnerability
Veritas Backup Exec Remote Agent Null Pointer Dereference Denial Of Service Vulnerability
Veritas Backup Exec Remote Agent for Windows Servers Authentication Buffer Overflow Vulnerability
Veritas Backup Exec Admin Plus Pack Option Remote Heap Overflow Vulnerability
VERITAS Backup Exec Web Administration Console Remote Buffer Overflow Vulnerability

FrSirt - Veritas Backup Exec Agent "CONNECT_CLIENT_AUTH" Request Exploit
http://www.frsirt.com/exploits/20050625.backupexec_agent.pm.php

Microsoft Tech-Ed 2005 post conference resources

 I've attended two past Tech Ed conferences and they provide highly focused technical training opportunities.  Microsoft shares a number of post-conference links and publications as noted below: 

http://microsoft.sitestream.com/teched2005/

  • Track Descriptions
  • Keynotes
  • Strategic Briefings
  • Breakout Sessions
  • Manuals for Hands on Labs & Instructor Led Labs
  • Continuing Your Education

    MS05-030: Microsoft Outlook Express NNTP Buffer Overflow Exploit


    Hopefully, most companies and individuals are up-to-date on Microsoft security patches.  This new exploit has just been developed from the MS05-030 security bulletin published in June. It could be adapted for use in future computer viruses and worms. 

    MS05-030: Microsoft Outlook Express NNTP Buffer Overflow Exploit
    http://www.frsirt.com/exploits/20050624.MS05-030-NNTP.c.php

    MS05-030: Cumulative Security Update in Outlook Express (897715)
    http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx

    MS05-011 - Exploit Code to attack SMB vulnerabilities published


    Hopefully, most companies and individuals are up-to-date on Microsoft security patches.  This new exploit has just been developed from the MS05-011 security bulletin published in February. It could be adapted for use in future computer viruses and worms. 

    MS05-011 - Exploit Code to attack SMB vulnerabilities published
    http://isc.sans.org/diary.php?date=2005-06-23

    QUOTE: FrSIRT has published exploit code for the recent flaw in Microsoft Server Message Block (SMB). The advisory and patch related to this vulnerability were released on February 8th, 2005. If you still have not patched, you are further urged to do so in light of the release of exploit code.

    FrSIRT - Published exploit (be careful, as POC code is here)
    http://www.frsirt.com/exploits/20050623.mssmb_poc.c.php

    Microsoft Technet - Security Planning Guides
    The June 2005 TechNet security newsletter featured the following security planning guides:  
    Review the Latest Microsoft Server Security Guides
    Microsoft's Security Guidance Center

    Microsoft's Security Guidance Center

      Home Security Protection

    Get the information you need to protect your home PC. This site puts valuable tips, tools, and training at your fingertips.

    Learn about Computer Security At Home

      Security for IT Professionals

    Find the tools, training, and updates you need to assist with planning and managing a security strategy for your organization.

    Find answers in the TechNet Security Center

      Small Business Security Protection

    Access important resources for updating software, setting up a firewall, and backing up data in a small business environment.

    Visit the Small Business Security Guidance Center

      Designing and Developing Secure Applications

    Learn how to write more secure code with these developer-focused articles, tools, and security resources.

    Get Security Guidance for Developers

    Multiple browsers are vulnerable to the Dialog Origin Spoofing Vulnerability

    Secunia - Stay Secure

    Secunia Research has discovered a vulnerability in various browsers, which can be exploited by malicious web sites to spoof dialog boxes. The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.

    - Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability
    - Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability
    - Opera Dialog Origin Spoofing Vulnerability

    If you go to the test page, please make sure no critical applications are open and test cautiously:

    Secunia Browser - Dialog Origin Vulnerability Test

    TechNet - Some free e-learning resources for SQL-Server 2005


    Click Here: Microsoft resources to prepare for SQL-Server 2005

    quote: Microsoft Learning Resources

    Whether you are interested in database administration, database development, or business intelligence, you will find classroom training, books, free skills assessments, and free* e-learning to help you get up to speed on the newest features of the software. The online assessments help you analyze your current skills, and provide you with a learning plan that recommends books, e-learning, classroom training, TechNet and MSDN resources. Our E-Learning courses are an effective way to learn on your own schedule and feature hands-on virtual labs that provide an in-depth, online training experience.

    Opera 8.01 released to patch security issues

    Opera Software

    QUOTE: Opera Software today released the first Opera 8 update, Opera 8.01, for Windows and Linux. To fine-tune the well-received browser, Opera 8.01 includes security and small bug fixes as well as JavaScript improvements. This update succeeds the release of Opera 8 on April 19, 2005, which has now reached more than five million downloads.

    Accompanying the Opera 8.01 release for Windows and Linux is the final version of Opera 8 for Macintosh. Read the press release.

    To download Opera 8 visit http://www.opera.com/download/

    View the changelog.

    40,000,000 credit cards exposed - an update

    Sharing a quick update on the latest discoveries. The primary cause of this exposure is improper storage and use of confidential information on their servers, followed by hackers discovering this due to weak security controls. Sad Sad Sad

    1. A new phishing attack has been launched to capitalize on this

    http://www.theregister.co.uk/2005/06/20/mastercard_phishing/

    Quote:

    From: Master Bank [master@masterbank.com]
    To:
    Subject: **Your Mastercard online Confirmation**

    Dear User, During our regular update and verification of the accounts, we couldn't verify your current information. Either your information has changed or it is incomplete. If the account information is not updated to current information within 5 days then, your access will be restricted.


    2. According to reports, 68,000 MasterCard cardholders have already found fraudulent charges on their accounts.

    3. The head of a credit card processing company whose Tucson center was hit by computer hackers says compromised consumer records shouldn't even have been in the database. Under rules established by Visa and MasterCard, processors aren't supposed to retain cardholder information after handling transactions.

    4. CardSystems Solutions CEO John Perry tells The New York Times the data was being stored for "research purposes" to determine why some transactions registered as unauthorized or uncompleted.

    5. He says that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts. They include Visa, MasterCard and other companies.

    Beagle.BT - (aka Bagle worm) New Variant

    All new versions of the Bagle/Beagle worm are important to watch, as they are technically advanced and well disguised to trick users into opening attachments (use of a zip extension).

    Beagle.BT - new version of Bagle worm

    W32.Beagle.BT@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of a Trojan.Tooso variant. The worm also opens a back door on the compromised computer on TCP port 80.

    EMAIL FORMAT

    From: Spoofed.
    Subject: Blank.
    Message: "The password is" or "Password:"
    Attachment: ZIP
    ... Multiple Zip files may contain copies of the virus, plus an executable copy of the Trojan.Tooso.

    Spam Analysis - How to examine email header information

    http://www.stopspam.org/email/headers.html
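As an added example (not from the original post or the linked stopspam.org guide), the following Python script shows the two things a header examination is meant to answer: which host actually injected the message, and whether the visible From: line is consistent with that path. The message, host names and addresses are constructed for the example; the hop-parsing regex assumes the common "from HELO (rdns [ip]) by host" form of Received: lines and the internal domain is a parameter.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample (not a real capture). The From: header claims a local
# administrator, but the bottom-most Received: line shows the message entered
# the company's relay from an outside ADSL address with no reverse DNS.
SAMPLE_MESSAGE = """\
Return-Path: <admin@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.com with ESMTP id 7af3; Tue, 14 Jun 2005 08:05:12 -0400
Received: from relay.example.com (relay.example.com [192.0.2.20])
\tby mail.example.com with ESMTP; Tue, 14 Jun 2005 08:05:10 -0400
Received: from adsl-198-51-100-77.example.net (unknown [198.51.100.77])
\tby relay.example.com with SMTP; Tue, 14 Jun 2005 08:04:58 -0400
From: admin@example.com
To: user@example.com
Subject: Your password has been updated

Your password has been updated. Please verify your account.
"""

# One Received: clause: "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def hops(msg):
    """Received: lines are prepended as the mail travels, so the header order is
    newest first; reverse it to get the chain in the order the message moved."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            chain.append({k: m.group(k) for k in ("helo", "rdns", "ip", "by")})
    return chain


def analyze(raw, internal_domain):
    """Trace the delivery path and run the cheap consistency checks a mail admin
    makes before trusting a message that claims to come from 'the administrator'."""
    msg = email.message_from_string(raw, policy=policy.default)
    chain = hops(msg)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    internal = internal_domain.lower()
    findings = []
    if chain and from_domain == internal:
        first = chain[0]
        # Mail from our own domain should reach our first server from one of our hosts.
        if not (first["rdns"] or "").lower().endswith(internal):
            findings.append(
                f"From: claims {internal} but the first hop was {first['ip']} ({first['helo']})"
            )
    for hop in chain:
        # A HELO name that reverse DNS does not confirm is a classic forgery sign.
        if hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            findings.append(f"HELO {hop['helo']} not confirmed by reverse DNS ({hop['rdns']})")
    return {
        "from": from_addr,
        "hops": chain,
        "origin_ip": chain[0]["ip"] if chain else None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_MESSAGE, "example.com")
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Only the Received: line added by your own server (the top one) is trustworthy; everything below it was written by other hosts and may be forged, which is why the script reports the origin as a lead to investigate rather than as proof.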

    Credit Card Security Breach exposes up to 40 million accounts

        Please check your statements carefully during the next few billing cycles as hackers recently obtained key information related to Master Card accounts.  

    Google News Links

    CNet Article

    Business Week Article

    Information Week Article

    Reuters Article

    KEY IMPACTS

    * As many as 40 million cards may have been exposed, making it the largest breach of personal financial data in a string of recent cases.

    * The breach occurred at CardSystems Solutions, Inc., a third-party processor of payment card data that processes transactions on behalf of financial institutions and merchants.

    * Although CardSystems has already taken steps to improve the security of its system, MasterCard said it was giving the company "a limited amount of time" to demonstrate compliance with MasterCard security requirements.

    Microsoft Security Updates - June 2005

      Microsoft Security Updates - June 2005 Bulletin Summary:

    http://www.microsoft.com/technet/security/Bulletin/ms05-Jun.mspx

    Critical Bulletins:

    Cumulative Security Update for Internet Explorer (883939)
    http://www.microsoft.com/technet/security/Bulletin/ms05-025.mspx

    Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
    http://www.microsoft.com/technet/security/Bulletin/ms05-026.mspx

    Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
    http://www.microsoft.com/technet/security/Bulletin/ms05-027.mspx

    Important Bulletins:

    Vulnerability in Web Client Service Could Allow Remote Code Execution (896426)
    http://www.microsoft.com/technet/security/Bulletin/ms05-028.mspx

    Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
    http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx

    Cumulative Security Update in Outlook Express (897715)
    http://www.microsoft.com/technet/security/Bulletin/ms05-030.mspx

    Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)
    http://www.microsoft.com/technet/security/Bulletin/ms05-031.mspx

    Moderate Bulletins:

    Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
    http://www.microsoft.com/technet/security/Bulletin/ms05-032.mspx

    Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
    http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx

    Cumulative Security Update for ISA Server 2000 (899753)
    http://www.microsoft.com/technet/security/Bulletin/ms05-034.mspx

    Re-Released Bulletins:

    SQL Server Installation Process May Leave Passwords on System (Q263968)
    http://www.microsoft.com/technet/security/Bulletin/ms02-032.mspx

    ASP.NET Path Validation Vulnerability (887219)
    http://www.microsoft.com/technet/security/Bulletin/ms05-004.mspx

    Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
    http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx

    IE 7 will provide better protection from Spyware

      IE 7 will provide better protection from Spyware threats 

    IE7 being developed to resist spyware
    http://msn.com.com/2100-1009_22-5745044.html

    IE Blog Information
    http://blogs.msdn.com/ie/archive/2005/06/09/427410.aspx

    Attack of the Mytob worms - Several new variants

      McAfee has highlighted 13 new variants during June (one for each day so far).  Mytob is one of the most advanced worms, and virus writers can easily modify its source code to develop new variants that AV vendors must adjust for.  This virus hides in a stealth-like manner and appears as an email message from an administrator.

      Mytob may be worst virus of 2005

    The Mytob family is one of the worst of 2005 so far.  The Netsky variants continue to be reported as #1 in volume each month; Netsky.P is like the Klez.H worm of a few years ago.   However, the older Netsky variants are better blocked by current AV definitions. 

    Each day the virus writers can easily modify the Mytob source code, seed fresh copies, and create new versions that AV products cannot yet detect.  This forces AV vendors to scramble to provide protection for the latest code derivations and compression techniques.  Since this family was introduced during March 2005, we are most likely averaging one new copy per day.

    Some key reasons are:

    * It is stealth-like and can hide on infected PCs while lowering security settings.
    * It is socially engineered well and appears as an official message from an email administrator (thankfully, most copies use the same email format, which can be blocked with proper rules).
    * Some Mytob variants can exploit unpatched Microsoft security vulnerabilities (MS04-011).
    * It usually carries a secondary payload (e.g., Spybot, Backdoor) which can spread rapidly in an unpatched corporate network.

      13 new versions in 13 days

    http://vil.nai.com/VIL/newly-discovered-viruses.asp

    Virus name          Discovered   Corp risk  Home risk  DAT
    W32/Mytob.cv        06/13/2005   Low        Low        4513
    W32/Mytob.ch        06/11/2005   Low        Low        4512
    W32/Mytob.cg        06/11/2005   Low        Low        4512
    W32/Mytob.cc        06/08/2005   Low        Low        4510
    W32/Mytob.ca        06/08/2005   Low        Low        4509
    W32/Mytob.bx        06/07/2005   Low        Low        4508
    W32/Mytob.gen!eml   06/07/2005   Low        Low        4508
    W32/Mytob.bw        06/06/2005   Low        Low        4508
    W32/Mytob.bv        06/06/2005   Low        Low        4508
    W32/Mytob.br        06/05/2005   Low        Low        4507
    W32/Mytob.bo        06/02/2005   Low        Low        4506
    W32/Mytob.bl        06/01/2005   Low        Low        4505
    W32/Mytob.bk        06/01/2005   Low        Low        4504

      EMAIL messages to avoid

    The virus arrives in an email message that appears to come from a systems administrator.  Always verify these types of messages with your email provider, and never click on links or attachments in an email message even if it looks official.  

    The general format of Mytob messages is as follows:

    From: (Spoofed email sender - may choose from the following list)
    support
    administrator
    mail
    service
    admin
    info
    register
    webmaster

    Subject: (Varies, such as)

    Your password has been updated
    Your password has been successfully updated
    You have successfully updated your password
    Your new account password is approved
    Your Account is Suspended
    *DETECTED* Online User Violation
    Your Account is Suspended For Security Reasons
    Warning Message: Your services near to be closed.
    Important Notification
    Members Support
    Security measures
    Email Account Suspension
    Notice of account limitation
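Both the Beagle.BT writeup above (blank subject, "The password is" / "Password:" body, ZIP attachment) and the Mytob message format just listed (administrative sender alias, one of a fixed set of subjects) describe traits that a mail gateway rule can match. The following Python script is an added example, not from the original post or any AV vendor, of such a rule set: it pulls the sender local-part, subject, plain-text body and attachment names out of a raw message and classifies it. The three sample messages, their addresses and the attachment bytes are constructed for the example; the word lists are the ones given on this page.

```python
import email
import email.utils
import re
from email import policy

# Sender local-parts and subject lines the Mytob writeup on this page lists.
MYTOB_SENDERS = {"support", "administrator", "mail", "service", "admin", "info", "register", "webmaster"}
MYTOB_SUBJECTS = {
    "your password has been updated", "your password has been successfully updated",
    "you have successfully updated your password", "your new account password is approved",
    "your account is suspended", "*detected* online user violation",
    "your account is suspended for security reasons", "warning message: your services near to be closed.",
    "important notification", "members support", "security measures",
    "email account suspension", "notice of account limitation",
}
# Body phrases the Beagle.BT writeup lists.
BAGLE_BODY_RE = re.compile(r"(the password is|password:)", re.IGNORECASE)

# Constructed samples (not real captures); the base64 is placeholder bytes, not a real zip.
MYTOB_SAMPLE = '''From: admin@example.com
To: user@example.com
Subject: Your Account is Suspended
Content-Type: multipart/mixed; boundary=part

--part
Content-Type: text/plain

Your account has been suspended. See the attached file for details.
--part
Content-Type: application/zip; name="account-info.zip"
Content-Disposition: attachment; filename="account-info.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--part--
'''
BAGLE_SAMPLE = '''From: jane@example.org
To: user@example.com
Content-Type: multipart/mixed; boundary=part

--part
Content-Type: text/plain

The password is 21083
--part
Content-Type: application/zip; name="photos.zip"
Content-Disposition: attachment; filename="photos.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--part--
'''
BENIGN_SAMPLE = '''From: alice@example.org
To: user@example.com
Subject: Lunch on Friday?

Are you free for lunch on Friday? Alice
'''


def features(raw):
    """Extract the fields the rules look at from a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    body_part = msg.get_body(preferencelist=("plain",))
    return {
        "local_part": sender.partition("@")[0].lower(),
        "subject": str(msg.get("Subject", "")).strip(),  # a missing header counts as blank
        "body": body_part.get_content() if body_part else "",
        "attachments": [(p.get_filename() or "").lower() for p in msg.iter_attachments()],
    }


def classify(raw):
    """Return (verdict, reasons): quarantine a known lure pattern carrying a zip,
    hold anything with a partial match for review, otherwise deliver."""
    f = features(raw)
    reasons = []
    zip_attached = any(name.endswith(".zip") for name in f["attachments"])
    mytob_like = f["local_part"] in MYTOB_SENDERS and f["subject"].lower() in MYTOB_SUBJECTS
    bagle_like = f["subject"] == "" and BAGLE_BODY_RE.search(f["body"]) is not None
    if mytob_like:
        reasons.append("administrative sender alias with a known Mytob subject line")
    if bagle_like:
        reasons.append("blank subject with a password-hint body (Beagle.BT pattern)")
    if zip_attached:
        reasons.append("zip attachment present")
    if zip_attached and (mytob_like or bagle_like):
        return "quarantine", reasons
    if mytob_like or bagle_like or zip_attached:
        return "review", reasons
    return "deliver", reasons


if __name__ == "__main__":
    for label, raw in (("mytob", MYTOB_SAMPLE), ("bagle", BAGLE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict, reasons = classify(raw)
        print(f"{label}: {verdict} {reasons}")
```

The rules deliberately need two independent traits (the lure text plus the zip) before quarantining, so a legitimate "your password has been updated" notice without an attachment is only flagged for review; that is the kind of balance the post's "proper rules" remark implies.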
     

    MS00-037: Hackers use dangerous URLs with a Michael Jackson rumor

      This email has no attachment, but if you click on the link, a trojan horse can be downloaded to your PC.  This downloader attack can open up your PC from a security perspective.  MS00-037, a five-year-old Help File security flaw, is also used to attack any completely unpatched PCs.  While this new threat is not widespread, the media is reporting it on the news this morning.   

    ZDnet: Hackers use email URL create Jackson rumor

    Trend Micro - PHELP.P Trojan

    AVOID CLICKING ON THE URL IF YOU RECEIVE THIS EMAIL MESSAGE

    News from Neverland -- Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt.  They suggest this attempt follows the last claim was made against the king of pop. 46 years old Michael has left pre-suicid note which describes and interpretes some of his sins.

    Read http://mega{BLOCKED}buz.com more...

    Microsoft Security Updates planned for June 14th

    On June 14, 2005, the Microsoft Security Response Center is planning to release:

    Security Updates

    • 7 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart. 5 of these updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA), 2 of these updates will be detectable using the Enterprise Scanning Tool (EST).

    • 1 Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Services for UNIX. The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).

    • 1 Microsoft Security Bulletin affecting Microsoft Exchange. The greatest aggregate, maximum severity rating for this security update is Important. This update will not require a restart. This update will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).

    • 1 Microsoft Security Bulletin affecting Microsoft Internet Security and Acceleration (ISA) Server and Small Business Server. The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. This update will be detectable using the Enterprise Scanning Tool (EST).

    Microsoft Windows Malicious Software Removal Tool

    • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.  Note that this tool will NOT be distributed using Software Update Services (SUS).
