Summary of Security Items from August 31 through September 6, 2005
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability that the script exploits.
Vulnerabilities
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Windows Operating Systems Only
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name / CVE Reference | Risk | Source |
Network Supervisor 5.0.2, Network Director 1.0, 2.0 | An input validation/ directory traversal vulnerability has been reported in Network Supervisor that could let remote malicious users disclose files. Vendor patch available: There is no exploit code required. | 3Com Network Supervisor File Disclosure | Medium | Secunia, Advisory: SA16639, September 2, 2005 |
ALZip 5.51, 5.52, 6.03, 6.1beta, 6.11 | A buffer overflow vulnerability has been reported in ALZip (ACE archives) that could let a malicious user obtain unauthorized system control. Upgrade to version 6.1: There is no exploit code required. | ALZip Unauthorized System Control | Medium | Secunia Advisory: SA16479, September 7, 2005 |
Reflection for Secure IT Windows Server 6.0 | Multiple vulnerabilities have been reported in Reflection for Secure IT that could let malicious users disclose information or obtain unauthorized access. Vendor workaround available: There is no exploit code required. | Reflection for Secure IT Multiple Vulnerabilities | Medium | Security Tracker Alert ID: 1014835, September 1, 2005 |
Dameware prior to 4.9.0 | A vulnerability has been reported in Dameware that could let remote malicious users execute arbitrary code. Upgrade to version 4.9.0: An exploit script has been published. | DameWare Arbitrary Code Execution | High | Security Focus, 14707, August 31, 2005 |
Free SMTP Server 2.2 | A vulnerability has been reported in Free SMTP Server that could let remote malicious users create an open mail relay. No workaround or patch available at time of publishing. An exploit script has been published. | Free SMTP Server As Open Relay | Medium | Secunia Advisory: SA16698, September 5, 2005 |
Indiatimes Messenger 6.0 | A buffer overflow vulnerability has been reported in Indiatimes Messenger that could let malicious users cause a Denial of Service. No workaround or patch available at time of publishing. A Proof of Concept exploit script has been published. | Indiatimes Messenger Denial of Service | Low | Security Tracker Alert ID: 1014842, September 2, 2005 |
Windows 2000 SP3 and SP4, Windows XP SP1 and SP2, Windows XP 64-Bit Edition SP1 and 2003 (Itanium), Windows Server 2003, Windows Server 2003 for Itanium-based Systems, Windows 98, 98 SE, and ME | Multiple vulnerabilities have been reported in the font, Kernel, Object Management, and CSRSS components. These are due to input validation and buffer overflow errors. A malicious user could deny service or obtain escalated privileges. Updates available: http://www.microsoft.com/technet/security/Bulletin/MS05-018.mspx An exploit has been published. | Microsoft Windows Kernel Elevation of Privilege and Denial of Service Vulnerabilities CAN-2005-0060 | Medium | Microsoft Security Bulletin MS05-018, April 12, 2005 US-CERT VU#259197 Security Focus, 13115, September 6, 2005 |
Rediff Bol 7.0 | A vulnerability has been reported in Rediff India Abroad that could let remote malicious users disclose the Windows address book. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit script has been published. | Rediff Bol Windows Address Book Disclosure | Medium | Secunia, Advisory: SA16685, September 5, 2005 |
Savant Web Server 3.1 | A vulnerability has been reported in Savant Web Server that could let local malicious users disclose other user information. No workaround or patch available at time of publishing. There is no exploit code required. | Savant Web Server User Information Disclosure | Medium | Secunia Advisory: SA16666, September 6, 2005 |
SlimFTPd | A vulnerability has been reported in SlimFTPd (USER and PASS commands) that could let a remote malicious user cause a Denial of Service. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit script has been published. | SlimFTPd Denial of Service | Low | Security Tracker, Alert ID: 1014831, September 1, 2005 |
Symantec Anti Virus Corporate Edition (LiveUpdate 2.7) | A vulnerability has been reported in Symantec Anti Virus (internal LiveUpdate feature) that could let local malicious users disclose password information. Upgrade to the newest version of LiveUpdate: There is no exploit code required. | Symantec Anti Virus Password Disclosure | Medium | Security Tracker Alert ID: 1014834, September 1, 2005 |
UNIX / Linux Operating Systems Only
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name / CVE Reference | Risk | Source |
Adobe Version Cue 1.0.1, 1.0 | A vulnerability has been reported due to insecure file permissions on internal Version Cue application files, which could let a malicious user obtain elevated privileges. Patches available at: Exploit scripts have been published. | Adobe Version Cue for Mac OS X Elevated Privileges | Medium | Security Focus, Bugtraq ID: 14638, August 23, 2005 Security Focus, Bugtraq ID: 14638, August 31, 2005 |
Apache 2.0.x | A vulnerability has been reported in 'modules/ssl/ssl_engine Patch available at: OpenPKG: RedHat: Ubuntu: There is no exploit code required. | Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass | Medium | Security Tracker Alert ID: 1014833, September 1, 2005 OpenPKG Security Advisory, OpenPKG-SA-2005.017, September 3, 2005 RedHat Security Advisory, RHSA-2005:608-7, September 6, 2005 Ubuntu Security Notice, USN-177-1, September 07, 2005 |
CVS 1.12.7-1.12.12, 1.12.5, 1.12.2, 1.12.1, 1.11.19, 1.11.17 | A vulnerability has been reported in the 'cvsbug.in' script due to the insecure creation of temporary files, which could let a malicious user cause data loss or a Denial of Service. Misclassified as multiple operating systems. Fedora: Trustix: http://http.trustix.org/pub/trustix/updates/ FreeBSD: SGI: There is no exploit code required. | CVS 'Cvsbug.In' Script Insecure Temporary File Creation | Low | Fedora Update Notifications Trustix Secure Linux Security Advisory, TSLSA-2005-0045, August 26, 2005 RedHat Security Advisory, RHSA-2005:756-3, September 6, 2005 SGI Security Advisory, 20050901-01-U, September 7, 2005 FreeBSD Security Advisory, FreeBSD-SA-05:20, September 7, 2005 |
frox 0.7.18 | A vulnerability has been reported which could let a malicious user obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Frox Arbitrary Configuration File Access | Medium | Security Focus Bugtraq ID: 14711, September 1, 2005 |
net-analyzer/net-snmp 5.2.1.2, 5.2.1-r1 | A vulnerability has been reported because a malicious user with portage group privileges can create a shared object that will be loaded by the Net-SNMP Perl modules, which could lead to elevated privileges. Gentoo: There is no exploit code required. | Gentoo Net-SNMP Elevated Privileges | Medium | Gentoo Linux Security Advisory, GLSA 200509-05, September 6, 2005 |
gzip 1.2.4a, 1.2.4, 1.3.3-1.3.5 | A Directory Traversal vulnerability has been reported due to an input validation error when using 'gunzip' to extract a file with the '-N' flag, which could let a remote malicious user obtain sensitive information. Ubuntu: Trustix: http://http.trustix.org/pub/trustix/updates/ Gentoo: http://security.gentoo.org/glsa/glsa-200505-05.xml IPCop: Mandriva: TurboLinux: FreeBSD: OpenPKG: RedHat: SGI: Conectiva: Debian: Sun: Avaya: A Proof of Concept exploit has been published. | | Medium | Bugtraq, 396397, April 20, 2005 Ubuntu Security Notice, Trustix Secure Linux Security Advisory, Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005 Security Focus, 13290, May 11, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005 Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005 FreeBSD OpenPKG Security Advisory, OpenPKG-SA-2005.009, June 10, 2005 RedHat Security Advisory, SGI Security Advisory, 20050603-01-U, June 23, 2005 Conectiva Linux Announcement, CLSA-2005:974, July 6, 2005 Debian Security Advisory DSA 752-1, July 11, 2005 Sun(sm) Alert Notification Avaya Security Advisory, ASA-2005-172, August 29, 2005 |
gzip 1.2.4, 1.3.3 | A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions. Ubuntu: Trustix: http://http.trustix.org/pub/trustix/updates/ Gentoo: http://security.gentoo.org/glsa/glsa-200505-05.xml Mandriva: TurboLinux: FreeBSD: RedHat: SGI: Conectiva: Debian: Sun: Avaya: There is no exploit code required. | | Medium | Security Focus, Ubuntu Security Notice, Trustix Secure Linux Security Advisory, Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:092, Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005 FreeBSD Security Advisory, FreeBSD-SA-05:11, June 9, 2005 RedHat Security Advisory, SGI Security Advisory, 20050603-01-U, June 23, 2005 Conectiva Linux Announcement, CLSA-2005:974, July 6, 2005 Debian Security Advisory DSA 752-1, July 11, 2005 Sun(sm) Alert Notification Avaya Security Advisory, ASA-2005-172, August 29, 2005 |
wget 1.9.1 | A vulnerability exists which could permit a remote malicious user to create or overwrite files on the target user's system. Wget does not properly validate user-supplied input. A remote user can bypass the filtering mechanism if DNS can be modified so that '..' resolves to an IP address. A specially crafted HTTP response can include control characters to overwrite portions of the terminal window. SUSE: Mandriva: Trustix: http://http.trustix.org/pub/trustix/updates/ RedHat: TurboLinux: Ubuntu: A Proof of Concept exploit script has been published. | | Medium | Security Tracker Alert ID: 1012472, December 10, 2004 SUSE Security Summary Report, SUSE-SR:2005:004, February 11, 2005 SUSE Security Summary Report, SUSE-SR:2005:006, February 25, 2005 SUSE Security Summary Report, SUSE-SR:2005:011, April 15, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:098, June 9, 2005 Trustix Secure Linux Security Advisory, TLSA-2005-0028, June 13, 2005 Turbolinux Security Advisory, TLSA-2005-66, June 15, 2005 Ubuntu Security Notice, USN-145-1, June 28, 2005 Ubuntu Security Notice, USN-145-2, September 06, 2005 |
zgrep 1.2.4 | A vulnerability has been reported in 'zgrep.in' due to insufficient validation of user-supplied arguments, which could let a remote malicious user execute arbitrary commands. A patch for 'zgrep.in' is available in the following bug report: Mandriva: TurboLinux: RedHat: RedHat: SGI: Fedora: SGI: F5: Ubuntu: Trustix: Avaya: There is no exploit code required. | | High | Security Tracker Alert, 1013928, Mandriva Linux Security Update Advisory, Turbolinux RedHat Security Advisory, RedHat Security Advisory, SGI Security Advisory, 20050603 Fedora Update Notification, SGI Security Advisory, 20050605 Secunia Advisory: SA16159, July 21, 2005 Ubuntu Security Notice, Trustix Secure Linux Security Advisory, TSLSA-2005-0040, August 5, 2005 Avaya Security Advisory, ASA-2005-172, August 29, 2005 |
HP-UX B.11.00, B.11.11, B.11.22, B.11.23; only if converted to trusted systems | A vulnerability has been reported that could let a remote malicious user access the system. HP-UX systems that have been converted to trusted systems contain an unspecified vulnerability that allows a remote user to gain unauthorized access to the target system. The vendor has issued the following fixes, available at: http://itrc.hp.com For HP-UX B.11.00 - PHCO_29249 and PHNE_17030 For HP-UX B.11.22, action: disable remshd (OS-Core.CORE2-SHLIBS) and avoid the telnet -t option. Avaya: Currently we are not aware of any exploits for this vulnerability. | HP-UX Trusted Systems Grant Access to Remote Users | Medium | HP Security Bulletin, Avaya Security Advisory, ASA-2005-169, August 29, 2005 |
SqWebMail 5.0.4 | A vulnerability has been reported because the '<script>' tag can be used in HTML comments, which could let a remote malicious user execute arbitrary code when malicious email is viewed. Patch available at: There is no exploit code required; however, a Proof of Concept exploit has been published. | SqWebMail HTML Email Script Tag Script Injection | Medium | Secunia Advisory: SA16704, September 6, 2005 |
SqWebMail 5.0.4, 5.0.1, 5.0.0, 4.0.5-4.0.7, 4.0.4.20040524, 3.6.1, 3.6.0, 3.5.0-3.5.3, 3.4.1 | A vulnerability has been reported due to insufficient sanitization of HTML emails, which could let a remote malicious user execute arbitrary HTML and script code. Updates available at: Debian: There is no exploit code required; however, a Proof of Concept exploit has been published. | | Medium | Secunia Advisory: SA16600, August 29, 2005 Debian Security Advisory, DSA 793-1, September 1, 2005 |
Urban 1.5.3 | Buffer overflow vulnerabilities have been reported in 'config/config.cc,' 'engine/game.cc,' 'highscor/highscor.cc,' and 'meny/meny.cc,' files when handling an overly long 'HOME' environment variable, which could let a malicious user execute arbitrary code with 'games' group privileges. Patches available at: A Proof of Concept exploit has been published. | Urban Multiple Buffer Overflows | High | Security Tracker Alert ID: 1014848, September 3, 2005 |
KDE 3.2.0 up to including 3.4.2 | A vulnerability has been reported in 'kcheckpass.c' due to the insecure creation of the lock file, which could let a malicious user obtain superuser privileges. Patches available at: Mandriva: There is no exploit code required. | KDE kcheckpass Superuser Privilege Escalation | High | KDE Security Advisory, September 5, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:160, September 6, 2005 |
KDE 3.0 - 3.4.2 | A vulnerability was reported in 'langen2kvtml' due to the insecure creation of temporary files, which could let a malicious user obtain elevated privileges. Patches available at: Fedora: Fedora: Mandriva: There is no exploit code required. | KDE langen2kvtml Insecure Temporary File Creation | Medium | KDE Security Advisory, August 15, 2005 Fedora Update Notification, Fedora Update Notifications, Mandriva Linux Security Update Advisory, MDKSA-2005:159, September 6, 2005 |
man2web 0.88, 0.87 | A vulnerability has been reported in multiple scripts because a remote malicious user can submit arbitrary commands through HTTP GET requests, which could lead to the execution of arbitrary code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit script has been published. | Man2web Multiple Scripts Command Execution | High | Security Focus, Bugtraq ID: 14747, September 6, 2005 |
MPlayer 1.0 pre7, 1.0 pre6-r4, 1.0 pre6-3.3.5-20050130 | A buffer overflow vulnerability has been reported due to insufficient validation of user-supplied strings, which could let a remote malicious user execute arbitrary code. Gentoo: Mandriva: http://www.mandriva.com/security/advisories Currently we are not aware of any exploits for this vulnerability. | MPlayer Audio Header Buffer Overflow | High | Security Tracker Alert ID: 1014779, August 24, 2005 Gentoo Linux Security Advisory, GLSA 200509-01, September 1, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:158, September 7, 2005 |
Gentoo Linux 0.5, 0.7, 1.1a, 1.2, 1.4, rc1-rc3; libdbi-perl 1.21, 1.42 | A vulnerability exists in libdbi-perl due to the insecure creation of temporary files, which could let a remote malicious user overwrite arbitrary files. Debian: Gentoo: RedHat: Ubuntu: Mandrake: SUSE: Gentoo: Fedora: There is no exploit code required. | Libdbi-perl Insecure Temporary File Creation | Medium | Debian Security Advisory, DSA 658-1, January 25, 2005 Ubuntu Security Notice, USN-70-1, January 25, 2005 Gentoo Linux Security Advisory, GLSA 200501-38, January 26, 2005 RedHat Security Advisory, RHSA-2005:069-08, February 1, 2005 MandrakeSoft Security Advisory, MDKSA-2005:030, February 8, 2005 SUSE Security Summary Report, SUSE-SR:2005:004, February 11, 2005 Gentoo Linux Security Advisory [UPDATE], GLSA 200501-38:03, March 15, 2005 Fedora Update Notification, |
Glyph and Cog Xpdf 3.0, pl2 & pl3; Ubuntu Linux 5.04 powerpc, i386, amd64; | A remote Denial of Service vulnerability has been reported when verifying a malformed 'loca' table in PDF files. RedHat: http://rhn.redhat.com/ Ubuntu: KDE: Mandriva: SGI: Gentoo: Fedora: Debian: Trustix: http://http.trustix.org/pub/trustix/updates/ TurboLinux: Currently we are not aware of any exploits for this vulnerability. | | Low | RedHat Security Advisories, RHSA-2005:670-05 & RHSA-2005:671-03, & RHSA-2005:708-05, August 9, 2005 Ubuntu Security Notice, USN-163-1, August 09, 2005 KDE Security Advisory, 20050809-1, August 9, 2005 Mandriva Linux Security Update Advisories, MDKSA-2005:134, 135, 136 & 138, August 11, 2005 SGI Security Advisory, 20050802-01-U, August 15, 2005 Gentoo Linux Security Advisory GLSA, 200508-08, August 16, 2005 Fedora Update Notifications, Debian Security Advisory, DSA 780-1, August 22, 2005 Trustix Secure Linux Security Advisory, TSLSA-2005-0043, September 2, 2005 Turbolinux Security Advisory, TLSA-2005-88, September 5, 2005 |
SuSE Linux Professional | A buffer overflow vulnerability has been reported in the XFRM network architecture code due to insufficient validation of user-supplied input, which could let a malicious user execute arbitrary code. Patches available at: Ubuntu: SUSE: Currently we are not aware of any exploits for this vulnerability. | Linux Kernel XFRM Array Index Buffer Overflow | High | Security Focus, 14477, August 5, 2005 Ubuntu Security Notice, USN-169-1, August 19, 2005 SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005 |
Trustix Secure Linux 3.0, 2.2, Secure Enterprise Linux 2.0, SuSE Novell Linux Desktop 9.0, Linux Professional 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Personal 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Enterprise Server for S/390 9.0, Linux Enterprise Server 9; 2.6-2.6.12.4 | A Denial of Service vulnerability has been reported due to a failure to handle malformed compressed files. Upgrades available at: Ubuntu: SUSE: Trustix: http://http.trustix.org/pub/trustix/updates/ Currently we are not aware of any exploits for this vulnerability. | Linux Kernel ZLib Null Pointer Dereference Denial of Service | Low | SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005 Trustix Secure Linux Security Advisory, TSLSA-2005-0043, September 2, 2005 |
zlib 1.2.2, 1.2.1, 1.2.0.7, 1.1-1.1.4, 1.0-1.0.9; Ubuntu Linux 5.04, powerpc, i386, amd64, 4.1 ppc, ia64, ia32; SuSE Open-Enterprise-Server 9.0, Novell Linux Desktop 9.0, Linux Professional 9.3, x86_64, 9.2, x86_64, 9.1, x86_64, Linux Personal 9.3, x86_64, 9.2, x86_64, 9.1, x86_64, Linux Enterprise Server 9; Gentoo Linux; | A buffer overflow vulnerability has been reported due to insufficient validation of input data prior to utilizing it in a memory copy operation, which could let a remote malicious user execute arbitrary code. Debian: FreeBSD: Gentoo: SUSE: Ubuntu: Mandriva: OpenBSD: OpenPKG: RedHat: Trustix: Slackware: TurboLinux: Fedora: zsync: Apple: SCO: IPCop: Debian: Currently we are not aware of any exploits for this vulnerability. | Zlib Compression Library Buffer Overflow | High | Debian Security Advisory FreeBSD Security Advisory, Gentoo Linux Security Advisory, GLSA 200507- SUSE Security Announcement, SUSE-SA:2005:039, Ubuntu Security Notice, RedHat Security Advisory, RHSA-2005:569-03, Fedora Update Notifications, Mandriva Linux Security Update Advisory, OpenPKG Trustix Secure Slackware Security Turbolinux Security Fedora Update Notification, FEDORA-2005-565, July 13, 2005 SUSE Security Summary Security Focus, 14162, July 21, 2005 USCERT Vulnerability Note VU#680620, July 22, 2005 Apple Security Update 2005-007, SCO Security Advisory, SCOSA-2005.33, August 19, 2005 Security Focus, Bugtraq ID: 14162, August 26, 2005 Debian Security Advisory, DSA 797-1, September 1, 2005 |
zlib 1.2.2, 1.2.1; Ubuntu Linux 5.04 powerpc, i386, amd64, | A remote Denial of Service vulnerability has been reported due to a failure of the library to properly handle unexpected compression routine input. Zlib: Debian: Ubuntu: OpenBSD: Mandriva: Fedora: Slackware: FreeBSD: SUSE: Gentoo: http://security.gentoo.org/ Trustix: Conectiva: Apple: TurboLinux: SCO: Debian: Currently we are not aware of any exploits for this vulnerability. | Multiple Vendor Zlib Compression Library Decompression Remote Denial of Service | Low | Security Focus, Bugtraq ID 14340, July 21, 2005 Debian Security Advisory DSA 763-1, July 21, 2005 Ubuntu Security Notice, USN-151-1, July 21, 2005 OpenBSD, Release Errata 3.7, July 21, 2005 Mandriva Security Advisory, MDKSA-2005:124, July 22, 2005 Secunia, Advisory: SA16195, July 25, 2005 Slackware Security Advisory, SSA:2005- FreeBSD Security Advisory, SA-05:18, July 27, 2005 SUSE Security Announce- Gentoo Linux Security Advisory, GLSA 200507-28, July 30, 2005 Gentoo Linux Security Advisory, GLSA 200508-01, August 1, 2005 Trustix Secure Linux Security Advisory, TSLSA-2005-0040, August 5, 2005 Conectiva Linux Announcement, CLSA-2005:997, August 11, 2005 Apple Security Update, APPLE-SA-2005-08-15, August 15, 2005 Turbolinux Security Advisory , TLSA-2005-83, August 18, 2005 SCO Security Advisory, SCOSA-2005.33, August 19, 2005 Debian Security Advisory, DSA 797-1, September 1, 2005 |
Linux kernel 2.6.8 rc1-rc3, 2.6.8, 2.6.11-rc2-rc4, 2.6.11 | A Denial of Service vulnerability has been reported due to an error in the AIO (Asynchronous I/O) support in the "is_hugepage_only_range()" function. SUSE: An exploit script has been published. | Linux Kernel Asynchronous Input/Output Local Denial of Service | Low | Secunia Advisory, SA14718, SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005 |
Linux kernel 2.6-2.6.12.1 | A vulnerability has been reported due to insufficient authorization before accessing a privileged function, which could let a malicious user bypass IPSEC policies. Ubuntu: This issue has been addressed in Linux kernel 2.6.13-rc7. SUSE: Currently we are not aware of any exploits for this vulnerability. | Linux Kernel IPSec Policies Authorization Bypass | Medium | Ubuntu Security Notice, USN-169-1, August 19, 2005 Security Focus, Bugtraq ID 14609, August 19, 2005 Security Focus, Bugtraq ID 14609, August 25, 2005 SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005 |
Linux kernel | Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to an error when handling key rings; and a Denial of Service vulnerability was reported in the 'KEYCTL_JOIN_SESSION Patches available at: Ubuntu: Trustix: http://http.trustix.org/pub/trustix/updates/ There is no exploit code required. | Linux Kernel Management Denials of Service | Low | Secunia Advisory: SA16355, August 9, 2005 Ubuntu Security Notice, USN-169-1, August 19, 2005 Trustix Secure Linux Security Advisory, TSLSA-2005-0043, September 2, 2005 |
Nikto 1.35; N-Stealth Free Edition 5.8, Commercial Edition 5.8 | A vulnerability has been reported in the N-Stealth and Nikto Web vulnerability scanners due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code. N-Stalker has released updated versions; users should contact the vendor for information regarding obtaining updates. Nikto has released an update advising users to be cautious when viewing HTML reports. There is no exploit code required. | Multiple Vendor Web Vulnerability Scanners HTML Injection | Medium | Security Focus, Bugtraq ID: 14717, September 1, 2005 |
Novell Evolution 2.0.2-2.0.4; LibTIFF 3.6.1; Easy Software Products CUPS 1.1.12-1.1.23, 1.1.10, 1.1.7, 1.1.6, 1.1.4-5, 1.1.4-3, 1.1.4-2, 1.1.4, 1.1.1, 1.0.4-8, 1.0.4; Ubuntu 4.10, 5.04 | A remote Denial of Service vulnerability has been reported due to insufficient validation of specific header values. Libtiff: Ubuntu: Mandriva: TurboLinux: A Proof of Concept exploit has been published. | LibTiff Tiff Image Header Remote Denial of Service | Low | Security Focus Bugtraq ID 14417, July 29, 2005 Ubuntu Security Notice, USN-156-1, July 29, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:142, August 18, 2005 Turbolinux Security Advisory, TLSA-2005-89, September 5, 2005 |
RedHat Fedora Core3; Ubuntu Linux 4.1 ppc, ia64, ia32; | A vulnerability has been reported in xntpd when started using the '-u' option and the group is specified by a string, which could let a malicious user obtain elevated privileges. Upgrade available at: Ubuntu: Debian: Mandriva: There is no exploit code required. | XNTPD Insecure Privileges | Medium | Fedora Update Notification, Ubuntu Security Notice, USN-175-1, September 01, 2005 Debian Security Advisory, DSA 801-1, September 5, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:156, September 6, 2005 |
SILC Secure Internet Live Conferencing 1.0, 0.9.11-0.9.21; | A vulnerability has been reported due to the insecure creation of '/tmp' in 'silcd.c,' which could let a remote malicious user create/overwrite arbitrary files. No workaround or patch available at time of publishing. There is no exploit code required. | SILC Server Insecure Temporary File Creation | Medium | Security Focus, Bugtraq ID: 14716, September 1, 2005 |
Simpleproxy 3.0-3.2, 2.2b; | A format string vulnerability has been reported when handling HTTP proxy replies, which could let a remote malicious user execute arbitrary code. Upgrades available at: Debian: Currently we are not aware of any exploits for this vulnerability. | Simpleproxy HTTP Proxy Reply Format String | High | Debian Security Advisory, DSA 786-1, August 26, 2005 |
Ubuntu Linux 5.04 powerpc, i386, amd64, | Several vulnerabilities have been reported: a buffer overflow vulnerability was reported due to the way away messages are handled, which could let a remote malicious user execute arbitrary code; and a remote Denial of Service vulnerability has been reported due to an error when handling file transfers. Updates available at: http://gaim.sourceforge. RedHat: http://rhn.redhat.com/ Ubuntu: Gentoo: SGI: Mandriva: Fedora: SUSE: Slackware: A Proof of Concept exploit has been published for the buffer overflow vulnerability. | Gaim AIM/ICQ Protocols Buffer Overflow & Denial of Service | High | RedHat Security Advisories, RHSA-2005:589-16 & RHSA-2005:627-11, August 9, 2005 Ubuntu Security Notice, USN-168-1, August 12, 2005 Gentoo Linux Security Advisory, GLSA 200508-06, August 15, 2005 SGI Security Advisory, 20050802-01-U, August 15, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:139, August 16, 2005 Fedora Update Notifications, SUSE Security Summary Report, SUSE-SR:2005:019, August 22, 2005 Slackware Security Advisory, SSA:2005-242-03, August 31, 2005 |
Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32; | A remote Denial of Service vulnerability has been reported in the kernel driver for compressed ISO file systems when attempting to mount a malicious compressed ISO image. Ubuntu: SUSE: Currently we are not aware of any exploits for this vulnerability. | Linux Kernel ISO File System Remote Denial of Service | Low | Ubuntu Security Notice, USN-169-1, August 19, 2005 SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005 |
Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32; | A Denial of Service vulnerability has been reported due to a failure to handle exceptional conditions. Upgrades available at: Ubuntu: SUSE: Trustix: http://http.trustix.org/pub/trustix/updates/ Currently we are not aware of any exploits for this vulnerability. | Linux Kernel ZLib Invalid Memory Access Denial of Service | Low | SUSE Security Announcement, SUSE-SA:2005:050, September 1, 2005 Trustix Secure Linux Security Advisory, TSLSA-2005-0043, September 2, 2005 |
Affix 3.0-3.2, | A vulnerability has been reported in the 'event_pin_code_request()' function due to an input validation error, which could let a remote malicious user inject arbitrary shell commands via a specially crafted Bluetooth device name. Patches available at: http://affix.sourceforge.net/ Debian: There is no exploit code required. | Nokia Affix BTSRV Device Name Remote Command Execution | High | DMA 2005-0826a Advisory, August 26, 2005 Debian Security Advisory, DSA 796-1, September 1, 2005 |
OpenSSL 0.9.6, 0.9.6 a-0.9.6 m, 0.9.7c | A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files. Trustix: Gentoo: Ubuntu: Debian: Mandrakesoft: TurboLinux: FedoraLegacy: RedHat: SGI: Avaya: There is no exploit code required. | OpenSSL | Medium | Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004 Gentoo Linux Security Advisory, GLSA 200411-15, November 8, 2004 Ubuntu Security Notice, USN-24-1, November 11, 2004 Debian Security Advisory Mandrakesoft Security Advisory, MDKSA-2004:147, December 6, 2004 Turbolinux Security Announce- SGI Security Advisory, 20050602-01-U, June 23, 2005 Avaya Security Advisory, ASA-2005-170, August 29, 2005 |
pam_ldap Build 179, Build 169 | A vulnerability has been reported when handling a new password policy control, which could let a remote malicious user bypass authentication policies. Upgrades available at: Gentoo: There is no exploit code required. | PADL Software PAM_LDAP Authentication Bypass | Medium | Bugtraq ID: 14649, August 24, 2005 Gentoo Linux Security Advisory, GLSA 200508-22, August 31, 2005 |
PCRE 6.1, 6.0, 5.0 | A vulnerability has been reported in 'pcre_compile.c' due to an integer overflow, which could let a remote/local malicious user potentially execute arbitrary code. Updates available at: Ubuntu: Ubuntu: Fedora: Gentoo: Mandriva: SUSE: Slackware: Ubuntu: Debian: SUSE: Currently we are not aware of any exploits for this vulnerability. | PCRE Regular Expression Heap Overflow | High | Secunia Advisory: SA16502, August 22, 2005 Ubuntu Security Notice, USN-173-1, August 23, 2005 Ubuntu Security Notices, USN-173-1 & 173-2, August 24, 2005 Fedora Update Notifications, Gentoo Linux Security Advisory, GLSA 200508-17, August 25, 2005 Mandriva Linux Security Update Advisories, MDKSA-2005:151-155, August 25, 26, & 29, 2005 SUSE Security Announcements, SUSE-SA:2005:048 & 049, August 30, 2005 Slackware Security Advisories, SSA:2005-242-01 & 242-02 , August 31, 2005 Ubuntu Security Notices, USN-173-3, 173-4 August 30 & 31, 2005 Debian Security Advisory, DSA 800-1, September 2, 2005 SUSE Security Announcement, SUSE-SA:2005:051, September 5, 2005 |
PolyGen 1.0.6 | A Denial of Service vulnerability has been reported due to resource exhaustion. Debian: Currently we are not aware of any exploits for this vulnerability. | PolyGen Denial of Service | Low | Debian Security Advisory, DSA 794-1, September 1, 2005 |
ProFTPd | Multiple format string vulnerabilities have been reported in ProFTPd that could let remote malicious users cause a Denial of Service or disclose information. Upgrade to version 1.3.0rc2: Gentoo: Trustix: TurboLinux: Mandriva: Debian: OpenPKG: Currently we are not aware of any exploits for these vulnerabilities. | ProFTPD Denial of Service or Information Disclosure | Medium | Secunia, Advisory: SA16181, July 26, 2005 Gentoo Linux Security Advisory, GLSA 200508-02, August 1, 2005 Trustix Secure Linux Security Advisory, TSLSA-2005-0040, August 5, 2005 Turbolinux Security Advisory, TLSA-2005-82, August 9, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:140, August 16, 2005 Debian Security Advisories, DSA 795-1 & 795-2, September 1, 2005 OpenPKG Security Advisory, OpenPKG-SA-2005.020, September 6, 2005 |
pstotext V1.9 | A vulnerability has been reported in pstotext ('-dSAFER') that could let malicious users execute arbitrary postscript code. Debian: Gentoo: There is no exploit code required. | pstotext Arbitrary Code Execution | High | Secunia, Advisory: SA16183, July 25, 2005 Debian Security Advisory, DSA 792-1, August 31, 2005 Gentoo Linux Security Advisory, GLSA 200507-29, August 31, 2005 |
Smb4k 0.4-0.6 | A vulnerability has been reported due to the insecure creation of temporary files, which could let a malicious user obtain sensitive information. Patches available at: Upgrades available at: Mandriva: There is no exploit code required. | Smb4k Insecure Temporary File Creation | Medium | Security Focus, Bugtraq ID: 14756, September 7, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:157, September 6, 2005 |
Squid Web Proxy Cache 2.5 .STABLE1-STABLE 10, 2.4 .STABLE6 & 7, STABLE 2, 2.4, 2.3 STABLE 4&5, 2.1 Patch 2, 2.0 Patch 2 | A remote Denial of Service vulnerability has been reported in '/squid/src/ssl.c' when a malicious user triggers a segmentation fault in the 'sslConnectTimeout()' function. Patches available at: There is no exploit code required. | Squid 'sslConnect | Low | Security Tracker Alert ID: 1014846, September 2, 2005 |
gopherd 3.0.9 | A buffer overflow vulnerability has been reported in the 'VlfromLine()' function when copying an input line, which could let a remote malicious user obtain unauthorized access. No workaround or patch available at time of publishing. An exploit script has been published. | UMN Gopher Client Remote Buffer Overflow | Medium | Secunia Advisory: SA16614, August 30, 2005 |
Vim V6.3.082 | A vulnerability has been reported in Vim that could let remote malicious users execute arbitrary code. Vendor patch available: Ubuntu: Trustix: http://http.trustix.org/pub/trustix/updates/ Fedora: Conectiva: Mandriva: RedHat: Avaya: There is no exploit code required; however, Proof of Concept exploits have been published. | Vim Arbitrary Code Execution | High | Security Focus, 14374, July 25, 2005 Ubuntu Security Notice, USN-154-1, July 26, 2005 Trustix Secure Linux Security Advisory, TSLSA-2005-0038, July 29, 2005 Fedora Update Notifications, Conectiva Security Advisory, CLSA-2005:995, Mandriva Linux Security Update Advisory, MDKSA-2005:148, August 22, 2005 RedHat Security, Advisory, RHSA-2005:745-10, August 22, 2005 Avaya Security Advisory, ASA-2005-189-, August 31, 2005 |
Multiple Operating Systems - Windows / UNIX / Linux / Other | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name / CVE Reference | Risk | Source |
Barracuda Spam Firewall 3.1.17 firmware | Several vulnerabilities have been reported: a Directory Traversal vulnerability was reported in 'IMG.PL' which could let a remote malicious user obtain sensitive information; and a vulnerability was reported when user-supplied commands are submitted to the web interface, which could let a remote malicious user execute arbitrary commands. The vendor has released firmware version 3.1.18 to address this and other issues. Please contact the vendor to obtain the upgrade. There is no exploit code required; however, Proofs of Concept exploits have been published. | Barracuda Spam Firewall Remote Directory Traversal & Remote Command Execution | High | Security Focus, Bugtraq ID: 14710 & 14712, September 1, 2005 |
Cisco IOS 12.2ZH & 12.2ZL based trains, | A buffer overflow vulnerability has been reported in the authentication proxy, which could let a remote malicious user cause a Denial of Service or potentially execute arbitrary code. Patch information available at: Currently we are not aware of any exploits for this vulnerability. | Cisco IOS Firewall Authentication Proxy Buffer Overflow | High | Cisco Security Advisory, Document ID: 66269, September 7, 2005 |
CMS Made Simple 0.10 | Several vulnerabilities have been reported: a vulnerability was reported in the 'admin/lang.php' script due to insufficient authentication, which could let a remote malicious user bypass authentication procedures; and a vulnerability was reported in 'admin/lang.php' due to insufficient verification of the 'nls[file][vx][vxsfx]' parameter, which could let a remote malicious user include arbitrary files. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | CMS Made Simple Authentication Bypass & File Include | High | Secunia Advisory: SA16654, September 1, 2005 |
NetWorker 6.x, 7.1.3, 7.2; Sun StorEdge Enterprise Backup Software 7.0-7.2, Solstice Backup Software 6.0, 6.1 | Several vulnerabilities have been reported: a vulnerability was reported in 'AUTH_UNIX' due to weak authentication, which could let a remote malicious user execute arbitrary commands, view/modify configuration, cause a Denial of Service, or obtain sensitive information; a vulnerability was reported due to insufficient authentication of tokens, which could let a remote malicious user execute arbitrary commands as ROOT; and a vulnerability was reported in the Legato PortMapper because any host can call 'pmap_set' and 'pmap_unset,' which could let a remote malicious user cause a Denial of Service or eavesdrop on NetWorker process communications. Patch information available at: http://www.legato.com/ http://www.legato.com/ Sun: There is no exploit code required. | EMC Legato NetWorker Multiple Vulnerabilities | High | Sun(sm) Alert Notification Sun(sm) Alert Notification |
DownFile 1.3 | Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'email.php,' 'index.php,' and 'del.php' due to insufficient sanitization of the 'id' parameter and in 'add_form.php' due to insufficient sanitization of the 'mode' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported because it is possible to access the administration section without authentication. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | DownFile Cross-Site Scripting & Authentication Bypass | High | Secunia Advisory: SA16630, September 1, 2005 |
Ethereal | Multiple dissector and zlib vulnerabilities have been reported in Ethereal that could let remote malicious users cause a Denial of Service or execute arbitrary code. Upgrade to version 0.10.12: Fedora: Mandriva: RedHat: SUSE: Avaya: Currently we are not aware of any exploits for these vulnerabilities. | Ethereal Denial of Service or Arbitrary Code Execution CAN-2005-2361 | High | Secunia, Advisory: SA16225, July 27, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:131, August 4, 2005 RedHat Security Advisory, RHSA-2005:687-03, August 10, 2005 SUSE Security Summary Report, SUSE-SR:2005:019, August 22, 2005 Avaya Security Advisory, ASA-2005-185, August 30, 2005 |
FlatNuke 2.5.6 | Several vulnerabilities have been reported: a Directory Traversal vulnerability was reported in 'index.php' due to insufficient verification of the 'ID' parameter, which could let a remote malicious user obtain sensitive information; and a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'USR' parameter, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits have been published. | FlatNuke Directory Traversal & Cross-Site Scripting | Medium | Security Focus Bugtraq ID: 14702 & 14704 August 31, 2005 |
gBook 1.0.1, 1.0 | Cross-Site Scripting vulnerabilities have been reported due to insufficient sanitization of unspecified input before it is returned to the user, which could let a remote malicious user execute arbitrary HTML and script code. Upgrades available at: There is no exploit code required. | GBook Multiple Cross-Site Scripting | Medium | Secunia Advisory: SA16668, September 2, 2005 |
GuppY 4.5.3 a, 4.5.3, 4.5 | Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'printfaq.php' due to insufficient sanitization of the 'pg' parameter, which could let a remote malicious user execute arbitrary HTML and script code; and a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'Referer' and 'User-Agent' HTTP headers, which could let a remote malicious user execute arbitrary HTML and script code. Upgrades available at: There is no exploit code required. | GuppY Cross-Site Scripting | Medium | Secunia Advisory: SA16707, September 6, 2005 |
Proliant DL585 Server, Integrated Lights Out 1.80 | A vulnerability has been reported because when the server is powered down a remote malicious user can obtain unauthorized access. Rev 1: Updated Summary, Resolution, and updated next release from V1.81 to V1.82 Updates available at: Currently we are not aware of any exploits for this vulnerability. | HP Proliant DL585 Server Unauthorized Remote Access | Medium | HP Security Bulletin, HP Security Bulletin, |
OpenView Event Correlation Services 3.31-3.33 Windows, 3.31-3.33 Solaris, 3.31-3.33 Linux, 3.31-3.33 HP-UX | A vulnerability has been reported in the 'cgi-bin/ecscmg.ovpl' script due to insufficient validation of user-supplied input before using as part of a system command, which could let a remote malicious user obtain elevated privileges. As a workaround, the vendor indicates that you can move the 'ecscmg.ovpl' file from the cgi-bin directory into another directory. The directory should not have write permissions for ordinary users. Currently we are not aware of any exploits for this vulnerability. | HP OpenView Event Correlation Services Remote Elevated Privileges | Medium | HP Security Bulletin, HPSBMA01225, September 4, 2005 |
FUDForum 2.6.15 | A vulnerability has been reported in the 'mid' parameter due to insufficient validation before retrieving a forum post, which could let a remote malicious user bypass certain security restrictions and obtain sensitive information. PHPGroupWare: Gentoo: Debian: There is no exploit code required. | FUDForum Security Restriction Bypass | Medium | Secunia Advisory: SA16414, August 12, 2005 Security Focus, Bugtraq ID: 14556, August 25, 2005 Gentoo Linux Security Advisory, GLSA 200508-20, August 30, 2005 Debian Security Advisory , DSA 798-1, September 2, 2005 |
MD-Pro 1.0.72 | Cross-Site Scripting vulnerabilities have been reported in the 'dl-search.php' and 'wl-search.php' scripts due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported in the 'Downloads' section because it is possible to upload files that contain arbitrary file extensions. Upgrade available at: There is no exploit code required; however, detailed exploitation has been published. | MAXdev MD-Pro Cross-Site Scripting & File Upload | Medium | Secunia Advisory: SA16731, September 7, 2005 |
Firefox 0.x, 1.x | Multiple vulnerabilities have been reported: a vulnerability was reported due to an error because untrusted events generated by web content are delivered to the browser user interface; a vulnerability was reported because scripts in XBL controls can be executed even when JavaScript has been disabled; a vulnerability was reported because remote malicious users can execute arbitrary code by tricking the user into using the 'Set As Wallpaper' context menu on an image URL that is really a javascript; a vulnerability was reported in the 'InstallTrigger.install()' function due to an error in the callback function, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error when handling 'data:' URL that originates from the sidebar, which could let a remote malicious user execute arbitrary code; an input validation vulnerability was reported in the 'InstallVersion.compareTo()' function when handling unexpected JavaScript objects, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because it is possible for remote malicious user to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL; a vulnerability was reported due to an error when handling DOM node names with different namespaces, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported due to insecure cloning of base objects, which could let a remote malicious user execute arbitrary code. Updates available at: Gentoo: Mandriva: Fedora: RedHat: Ubuntu: http://security.ubuntu.com/ http://security.ubuntu.com/ SUSE: Debian: http://security.debian. SGI: Gentoo: Slackware: Debian: Exploits have been published. | Firefox Multiple Vulnerabilities CAN-2005-2260 | High | Secunia Advisory: SA16043, July 13, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:120, July 13, 2005 Gentoo Linux Security Advisory, GLSA 200507-14, July 15, 2005 Gentoo Linux Security Advisory, GLSA 200507-17, July 18, 2005 Fedora Update Notifications, RedHat Security Advisory, RHSA-2005:586-11, July 21, 2005 Slackware Security Advisory, SSA:2005-203-01, July 22, 2005 Ubuntu Security Notices, USN-155-1 & 155-2 July 26 & 28, 2005 Ubuntu Security Notices, USN-157-1 & 157-2 August 1 & 2, 2005 SUSE Security Announcement, SUSE-SA:2005:045, August 11, 2005 Debian Security Advisory, DSA 775-1, August 15, 2005 SGI Security Advisory, 20050802-01-U, August 15, 2005 Debian Security Advisory, DSA 777-1, August 17, 2005 Debian Security Advisory, DSA 779-1, August 20, 2005 Debian Security Advisory, DSA 781-1, August 23, 2005 Gentoo Linux Security Advisory, GLSA 200507-24, August 26, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:127-1, August 26, 2005 Slackware Security Advisory, SSA:2005-085-01, August 28, 2005 Debian Security Advisory, DSA 779-2, September 1, 2005 |
PHPGroupWare 0.9.16.000; Debian Linux 3.1, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, amd64, alpha | A vulnerability has been reported because an authenticated administrator can edit the main screen messages to include arbitrary HTML, which could let a remote malicious user with administrative privileges inject arbitrary HTML. Upgrades available at: Debian: There is no exploit code required. | PHPGroupWare Main Screen Message Script Injection | Medium | Security Tracker Alert ID: 1014832, September 1, 2005 Debian Security Advisory, DSA 798-1, September 2, 2005 |
Squid Web Proxy Cache 2.5 | A vulnerability has been reported in the DNS client when handling DNS responses, which could let a remote malicious user spoof DNS lookups. Patch available at: Trustix: Fedora: Ubuntu: RedHat: TurboLinux: SGI: Conectiva: Currently we are not aware of any exploits for this vulnerability. | | Medium | Security Focus, 13592, Trustix Secure Linux Security Advisory, Fedora Update Notification, Ubuntu Security Notice, RedHat Security Advisory, RHSA-2005:415-16, June 14, 2005 Turbolinux Security Advisory, SGI Security Advisory, 20050605-01-U, July 12, 2005 Conectiva Linux Announcement, CLSA-2005:1000, August 31, 2005 |
Windows XP, Server 2003; Windows Services for UNIX 2.2, 3.0, 3.5 when running on Windows 2000; Kerberos V5 Release 1.3.6; Avaya Intuity LX, Converged Communications Server (CCS) 2.x, MN100, Modular Messaging 2.x, S8XXX Media Servers | An information disclosure vulnerability has been reported that could let a remote malicious user read the session variables for users who have open connections to a malicious telnet server. Updates available: RedHat: Microsoft: SUSE: Avaya: Trustix: RedHat: SGI: Mandriva: Microsoft: Bulletin revised to communicate the availability of security updates for Services for UNIX 2.0 and Services for UNIX 2.1. The "Security Update Information" section has also been revised with updated information related to the additional security updates. F5: SCO: Currently we are not aware of any exploits for this vulnerability. | Multiple Vendor Telnet Client Information Disclosure | Medium | Microsoft, iDEFENSE Security Advisory, June 14, 2005 Red Hat Security Advisory, Microsoft Security Bulletin, SUSE Security Summary Avaya Security Advisory, ASA-2005-145, Trustix Secure Linux Security Advisory, TSLSA-2005-0030, RedHat Security Advisory, RHSA-2005:567-08, July 12, 2005 SGI Security Advisories, 20050605-01-U, 20050702-01-U, & 20050703-01-U, July 12 & 15, 2005 Microsoft Security Bulletin, Mandriva Linux Security Update Advisory, MDKSA-2005:119, July 14, 2005 SCO Security Advisory, SCOSA-2005.35, September 1, 2005 |
Gentoo Linux; | A remote Denial of Service vulnerability has been reported in the HTTP 'Range' header due to an error in the byte-range filter. Patches available at: Gentoo: RedHat: There is no exploit code required. | Apache Remote Denial of Service | Low | Secunia Advisory: SA16559, August 25, 2005 Gentoo Linux Security Advisory, GLSA 200508-15, August 25, 2005 RedHat Security Advisory, RHSA-2005:608-7, September 6, 2005 |
OpenTTD 0.4.0.1; | Multiple format string vulnerabilities have been reported in 'network_server.c,' 'network.c,' 'console_cmds.c,' and 'network_client.c' due to the way text messages are handled, which could let a remote malicious user cause a Denial of Service and potentially execute arbitrary code; and a vulnerability was reported in 'vsprint()' due to boundary errors, which could let a remote malicious user cause a Denial of Service and potentially execute arbitrary code. Gentoo: Currently we are not aware of any exploits for this vulnerability. | OpenTTD Multiple Format Strings | High | Gentoo Linux Security Advisory,GLSA 200509-03, September 5, 2005 |
PHPXMLRPC 1.1.1; | A vulnerability has been reported in XML-RPC due to insufficient sanitization of certain XML tags that are nested in parsed documents being used in an 'eval()' call, which could let a remote malicious user execute arbitrary PHP code. PHPXMLRPC: Pear: Drupal: eGroupWare: MailWatch: Nucleus: RedHat: Ubuntu: Mandriva: Gentoo: http://security.gentoo.org/ http://security.gentoo.org/ Fedora: Debian: SUSE: Gentoo: http://security.gentoo.org/ Slackware: Debian: There is no exploit code required. | PHPXMLRPC and PEAR XML_RPC Remote Arbitrary Code Execution | High | Security Focus, Bugtraq ID 14560, August 15, 2005 Security Focus, Bugtraq ID 14560, August 18, 2005 RedHat Security Advisory, RHSA-2005:748-05, August 19, 2005 Ubuntu Security Notice, USN-171-1, August 20, 2005 Mandriva Linux Security Update Advisory, MDKSA-2005:146, August 22, 2005 Gentoo Linux Security Advisory, GLSA 200508-13 & 14, & 200508-18, Fedora Update Notifications, Debian Security Advisory, DSA 789-1, August 29, 2005 SUSE Security Announcement, SUSE-SA:2005:049, August 30, 2005 Gentoo Linux Security Advisory, GLSA 200508-20 & 200508-21, August 30 & 31, 2005 Slackware Security Advisory, SSA:2005-242-02, August 31, 2005 Debian Security Advisory, DSA 798-1, September 2, 2005 SUSE Security Announcement, SUSE-SA:2005:051, September 5, 2005 |
MyBulletinBoard RC1-RC4, PR2 | A Cross-Site Scripting vulnerability has been reported in 'Forumdisplay.php' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | MyBulletinBoard Cross-Site Scripting | Medium | Security Focus Bugtraq ID: 14754, September 6, 2005 |
myBloggie 2.1.1-2.1.3 | An SQL injection vulnerability has been reported in 'login.php' due to insufficient sanitization of the 'username' parameter before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code. Patches available at: There is no exploit code required. | MyBloggie SQL Injection | Medium | Secunia Advisory: SA16699, September 5, 2005 |
GreyMatter 1.3.1 | A Cross-Site Scripting vulnerability has been reported in 'Gm.CGI' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required. | Greymatter Cross-Site Scripting | Medium | Security Focus, Bugtraq ID: 14703, August 31, 2005 |
Netware 6.5 SP2&3, 6.0, SP1-SP3, 5.1, SP4&5 | A remote Denial of Service vulnerability has been reported in 'CIFS.NLM' when handling password lengths. Patches available at: W32.Randex.CCC exploits this vulnerability. | Novell Netware CIFS.NLM Denial of Service | Low | Novell Technical Information Documents, TID2971821, 1822, 1832, August 30, 2005 |
NetMail 3.52-3.52 B, 3.10, a-h, 3.1 f, 3.1, 3.0.3, a&b, 3.0.1 | A buffer overflow vulnerability has been reported in the IMAP command continuation function due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code. Upgrades available at: Currently we are not aware of any exploits for this vulnerability. | Novell NetMail Remote IMAP Buffer Overflow | High | Security Focus, Bugtraq ID: 14718, September 1, 2005 |
OpenSSH 4.1, 4.0, p1 | Several vulnerabilities have been reported: a vulnerability was reported due to an error when handling dynamic port forwarding when no listen address is specified, which could let a remote malicious user cause "GatewayPorts" to be incorrectly activated; and a vulnerability was reported due to an error when handling GSSAPI credential delegation, which could let a remote malicious user be delegated with GSSAPI credentials. Upgrades available at: Fedora: There is no exploit code required. | OpenSSH DynamicForward Inadvertent GatewayPorts Activation & GSSAPI Credentials | Medium | Secunia Advisory: SA16686, September 2, 2005 Fedora Update Notification, |
PBLang 4.66, 4.65, 4.63, 4.56 (4.5 RC 2), 4.6, 4.0 | Several vulnerabilities have been reported: a vulnerability was reported because restricted forums can be accessed without proper permissions; a vulnerability was reported in 'register.php' and 'ucp.php' due to unspecified errors, which could let a remote malicious user obtain administrative privileges; and a vulnerability was reported because authenticated remote malicious users can delete private messages. Upgrades available at: There is no exploit code required. | PBLang Multiple Vulnerabilities | High | Security Focus, Bugtraq ID: 14728, September 2, 2005 |
Phorum 5.0.10-5.0.17 a | A Cross-Site Scripting vulnerability has been reported in 'register.php' due to insufficient sanitization of the 'username' field, which could let a remote malicious user execute arbitrary HTML and script code. Upgrades available at: There is no exploit code required. | Phorum Cross-Site Scripting | Medium | Secunia Advisory: SA16667, September 2, 2005 |
WebGUI 6.7.0-6.7.2, 6.6.x, 6.5.x, 6.4.x, 6.3.x, 6.2-6.2.9, 5.2.4, 5.2.3 | Several vulnerabilities have been reported in 'Help.pm,' 'International.pm,' and 'WebGUI.pm' due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary Perl code. Upgrades available at: There is no exploit code required. | Plain Black Software WebGUI Remote Perl Command Execution | High | Security Focus Bugtraq ID: 14732, September 2, 2005 |
SMF 1.0.5 | A vulnerability has been reported because external files can be used as avatars, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | SMF Avatar Image Implementation Information Disclosure | Medium | Security Tracker Alert ID: 1014828, August 31, 2005 |
Java Web Start 1.x, | Several vulnerabilities have been reported: a vulnerability was reported due to an unspecified error which could let malicious untrusted applications execute arbitrary code; and a vulnerability was reported due to an unspecified error which could let malicious untrusted applets execute arbitrary code. Upgrades available at: http://java.sun.com/ Slackware: SUSE: HP: Currently we are not aware of any exploits for these vulnerabilities. | Java Web Start / | High | Sun(sm) Alert Notification, 101748 & 101749, Slackware Security Advisory, SSA:2005-170-01, SUSE Security Announce- HP Security Bulletin, HPSBUX01214, August 29, 2005 |
Sun Java JRE 1.3.x, 1.4.x, | A vulnerability exists due to a design error because untrusted applets for some private and restricted classes used internally can create and transfer objects, which could let a remote malicious user turn off the Java security manager and disable the sandbox restrictions for untrusted applets. Updates available at: Conectiva: Gentoo: HP: Symantec: SuSE: HP: Currently we are not aware of any exploits for this vulnerability. | Sun Java Plug-in Sandbox Security Bypass | Medium | Sun(sm) Alert Notification, 57591, November 22, 2004 US-CERT Vulnerability Note, VU#760344, November 23, 2004 Conectiva Linux Security Announcement, CLA-2004:900, November 26, 2004 Gentoo Linux Security Advisory, GLSA 200411-38, November 29, 2004 HP Security Bulletin, Sun(sm) Alert Notification, 57591, January 6, 2005 (Updated) Symantec Security Response, SYM05-001, SUSE Security Summary Report, SUSE-SR:2005:002, January 26, 2005 SUSE Security Summary Report, SUSE-SR:2005:003, February 4, 2005 HP Security Bulletin, HPSBUX01214, August 29, 2005 |
chfeedback.pl Feedback Form Perl Script 2.0.1 | A vulnerability has been reported because the application can be used as a mail relay, which could let a remote malicious user inject arbitrary SMTP headers. Users are advised to contact the vendor for an update. There is no exploit code required. | Feedback Form Perl Script CHFeedBack.PL Mail Relay | Medium | Security Focus, Bugtraq ID: 14749, September 6, 2005 |
Unclassified NewsBoard 1.5.3 | A vulnerability has been reported in the Description field due to insufficient sanitization of user-supplied input before using in dynamically generated content, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Unclassified NewsBoard Description Field HTML Injection | Medium | Security Focus, Bugtraq ID: 14748, September 6, 2005 |
Wireless
The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.
- Mobile users clueless on data: According to a survey conducted by mobile software company SurfKitchen, not one mobile phone user could correctly identify the data package on their phone. The survey found that perceived high prices, poor usability and unreliability of service were the main reasons for customers shunning data services. Source: http://www.vnunet.com/vnunet/news/2141987/mobile-users-clueless.
- F-Secure: Commwarrior claims first big victim: According to an F-Secure security expert, a mobile phone virus, Commwarrior.B, is the first mobile virus that has infected an organization. "It's a particularly nasty version of Commwarrior, as it just doesn't give up." Source: http://news.com.com/F-Secure+Commwarrior+claims+first+big+victim/2100-7349_3-845021.html?part=rss&tag=5845021&subj=news
- Vendors Claim Mobile Viruses Worsening: Both F-Secure and Trend Micro, mobile anti-virus product vendors, claim that attacks on mobile devices are becoming more serious. Viruses that have been reported attack Symbian-based devices. During July, three new viruses and five new variants of existing viruses appeared. Source: http://www.securitypipeline.com/news/170102188.
Wireless Vulnerabilities
- Nokia Affix BTSRV Device Name Remote Command Execution: An input validation vulnerability has been reported which could let a remote malicious user inject arbitrary shell commands. Updated information regarding Debian patch.
Recent Exploit Scripts/Techniques
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script | Script name | Workaround or Patch Available | Script Description |
September 7, 2005 | dl-cups.c | Yes | Denial of Service exploit for the CUPS 1.x vulnerability. |
September 7, 2005 | draft-gont-tcpm-icmp-attacks-04.txt | N/A | A document that discusses the use of the Internet Control Message Protocol (ICMP) to perform a variety of attacks against the Transmission Control Protocol (TCP) and other similar protocols. |
September 7, 2005 | freeSMTP.pl.txt | No | Proof of Concept exploit for the Free SMTP Server As Open Relay vulnerability. |
September 7, 2005 | MAXdevMD-Pro1.0.73.txt | Yes | Detailed exploitation for the MAXdev MD-Pro Cross-Site Scripting & File Upload vulnerabilities. |
September 7, 2005 | ms05-018.c | Yes | Exploit for the Microsoft Windows Kernel CSRSS Local Privilege Escalation vulnerability. |
September 7, 2005 | MSRC-6005bgs-EN.txt keybd.c | No | Proof of Concept exploits for the Microsoft Windows Keyboard Event Privilege Escalation vulnerability. |
September 7, 2005 | phpcal.txt | No | Exploit details for the phpCommunityCalendar Multiple vulnerabilities. |
September 7, 2005 | realchat_PoC.tgz | No | Proof of Concept exploit for Realchat user impersonation vulnerability. |
September 7, 2005 | stealth_1.34.tar.gz | N/A | Stealth (SSH-based Trust Enhancement Acquired through a Locally Trusted Host) is a file integrity scanner. |
September 7, 2005 | urbanGame.txt | Yes | Proof of Concept exploit for the Urban Multiple Buffer Overflows vulnerability. |
September 6, 2005 | dl-mancgi.c | No | Proof of Concept exploit for the Man2web Multiple Scripts Command Execution vulnerability. |
September 2, 2005 | FileZilla_pass.c | No | Proof of Concept exploit for the FileZilla FTP Client Hard-Coded Cipher Key vulnerability. |
September 1, 2005 | cpanel-9x_RCE.c | No | Exploit for cPanel Remote Command Execution vulnerability. |
September 1, 2005 | SlimFTPd-RemoteDoS.c | No | Exploit for the WhitSoft Development SlimFTPd Remote Denial of Service vulnerability. |
August 31, 2005 | 0508-exploits.tgz | N/A | New Packet Storm exploits for August, 2005. |
August 31, 2005 | AD20050830.txt | No | Exploit for the BNBT EasyTracker Remote Denial Of Service vulnerability. |
August 31, 2005 | dameware.c | Yes | Script that exploits the DameWare Arbitrary Code Execution vulnerability. |
August 31, 2005 | flat256.html flatnuke256.txt | No | Detailed exploitation for the FlatNuke Directory Traversal & Cross-Site Scripting vulnerabilities. |
August 31, 2005 | fud.html | No | Remote code execution exploit for FUD Forum Upload Arbitrary Script vulnerability. |
August 31, 2005 | HP_OV_NNM_RCE.c | Yes | Script that exploits the HP OpenView Network Node Manager Remote Arbitrary Code Execution vulnerability. |
August 31, 2005 | lduSQL.txt | No | Exploitation details for the Land Down Under Multiple SQL Injection vulnerabilities. |
August 31, 2005 | mybbSQL.pl.txt | No | Proof of Concept exploit for the MyBB SQL Injection vulnerability. |
August 31, 2005 | phpldap.html phpLDAPadmin.pl.txt | No | Detailed exploitation for the phpLDAPadmin Multiple Vulnerabilities. |
August 31, 2005 | Xcon2005_San.pdf | N/A | Document titled, "Hacking Windows CE." |
August 31, 2005 | Xcon2005_SoBeIt.pdf | N/A | Document titled, "Windows Kernel Pool Overflow Exploitation." |
August 31, 2005 | xosx-adobe-vcnative.pl xosx-adobe-vcnative-dyld.c | Yes | Exploit scripts for the Adobe Version Cue for Mac OS X Elevated Privileges vulnerabilities. |
August 30, 2005 | BNBTDOS.py | No | Exploit for the BNBT EasyTracker Remote Denial Of Service vulnerability. |
August 24, 2005 | solaris_lpd_unlink.pm.txt | Yes | This Metasploit module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. |
Trends
- US-CERT has received reports of multiple phishing sites that attempt to trick users into donating funds to fraudulent foundations in the aftermath of Hurricane Katrina. US-CERT warns users to expect an increase in targeted phishing emails due to recent events in the Gulf Coast Region. Source: http://www.us-cert.gov/current/.
- The Common Malware Enumeration (CME) initiative: Article published in the September 2005 issue of the Virus Bulletin. The Common Malware Enumeration (CME) initiative is an effort headed by the United States Computer Emergency Readiness Team (US-CERT). The CME initiative works with private industry and government to: assign unique identifiers to high priority malware events; facilitate the coordination of malware information; and improve the current state of public information needed to respond to malware events. For more information about CME, see: http://cve.mitre.org/cme/.
- New Security Technology Won't Foil Identity Theft, Researcher Warns: According to a British criminology researcher, new security technology such as smart ID cards or biometric safeguards won't stop identity thieves. Source: http://www.governmententerprise.com/news/showArticle.jhtml;jsessionid=3F1ACA4TVPMDAQSNDBESKHA?articleId=170700832.
- The Four Most Common Security Dangers: The four biggest threats are social engineering, faulty procedures, technical abuse and insider trading. Source: http://www.informationweek.com/story/showArticle.jhtml?articleID=170700829&tid=6004.
- Arabic Trojan butts into porn surfing: A malicious Trojan horse, Yusufali-A, that tries to interrupt the surfing of adult websites is circulating by displaying messages from the Koran. It monitors users' surfing habits by examining the title bar of the active window. Source: http://www.vnunet.com/vnunet/news/2141861/arabic-trojan-butts-porn.
- 6 ways to survive major Internet attacks: Federal Computer Week's editors met with information technology security officials from the government and industry to discuss what is being done to help their agencies and customers secure their networks. Six ways were suggested to avoid disruptive network attacks: define the problem; consolidate standards and purchasing power; think risks; fix configurations; better people mean more secure networks; and identify problems early and react fast. Source: http://www.fcw.com/article90656-09-05-05-Print.
- Mytob dominates August virus charts: According to security vendors, Mytob variants accounted for over half of the virus infections found in August. Source: http://www.vnunet.com/vnunet/news/2141780/mytob-dominates-august-virus.
Viruses/Trojans
Top Ten Virus Threats
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
Rank | Common Name | Type of Code | Trend | Date | Description |
1 | Netsky-P | Win32 Worm | Stable | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders. |
2 | Zafi-D | Win32 Worm | Slight Increase | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer. |
3 | Lovgate.w | Win32 Worm | Increase | April 2004 | A mass-mailing worm that propagates by using MAPI to reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. It attempts to access all machines in the local area network. |
4 | Zafi-B | Win32 Worm | Increase | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names. |
5 | Netsky-Q | Win32 Worm | Slight Decrease | March 2004 | A mass-mailing worm that attempts to launch Denial of Service attacks against several web pages, deletes the entries belonging to several worms, and emits a sound through the internal speaker. |
6 | Mytob.C | Win32 Worm | Decrease | March 2004 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files. |
7 | Mytob-AS | Win32 Worm | Slight Decrease | June 2005 | A slight variant of the mass-mailing worm that disables security related programs and processes, redirects various sites, and changes registry values. This version downloads code from the net and utilizes its own email engine. |
8 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only. |
9 | Netsky-Z | Win32 Worm | Stable | April 2004 | A mass-mailing worm that is very close to previous variants. The worm spreads in e-mails, but does not spread to local network and P2P and does not uninstall Bagle worm. The worm has a backdoor that listens on port 665. |
10 | Mytob-BE | Win32 Worm | Decrease | June 2005 | A slight variant of the mass-mailing worm that utilizes an IRC backdoor, the LSASS vulnerability, and email to propagate. It harvests addresses from the Windows address book, disables antivirus software, and modifies data. |
Table Updated September 4, 2005