-----BEGIN PGP SIGNED MESSAGE-----

CERT Summary CS-2003-03

   September 8, 2003

   Each  quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary  to  draw  attention  to  the types of attacks reported to our
   incident  response  team,  as  well  as  other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries
          http://www.cert.org/summaries/
   ______________________________________________________________________

Recent Activity

   Since  the  last regularly scheduled CERT summary, issued in June 2003
   (CS-2003-02), we have seen a large volume of reports related to a mass
   mailing  worm,  referred to as W32/Sobig.F, and have issued advisories
   on   the   exploitation   of   vulnerabilities   in   Microsoft's  RPC
   implementation. The culmination of the RPC vulnerabilities resulted in
   the  W32/Blaster  Worm,  which  affected many Microsoft users. We have
   also reported on a vulnerability in the Cisco IOS interface as well as
   on   multiple  vulnerabilities  in  Microsoft  Windows  libraries  and
   Internet Explorer.

   For  more  current  information  on  activity  being  reported  to the
   CERT/CC,  please  visit the CERT/CC Current Activity page. The Current
   Activity  page  is  a  regularly updated summary of the most frequent,
   high-impact  types  of  security  incidents  and vulnerabilities being
   reported  to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity
          http://www.cert.org/current/current_activity.html


    1. W32/Sobig.F Worm

       On  August  18,  the  CERT/CC  began  receiving  a large volume of
       reports  of  a  mass  mailing  worm,  referred  to as W32/Sobig.F,
       spreading on the Internet. The W32/Sobig.F worm is an e-mail borne
       malicious  program  with a specially crafted attachment that has a
       .pif  extension.  The  W32/Sobig.F worm requires a user to execute
       the  attachment  either manually or by using an e-mail client that
       will  open  the attachment automatically. The CERT/CC has released
       an Incident Note on the W32/Sobig.F worm.

                CERT Incident Note IN-2003-03
                W32/Sobig.F Worm
                http://www.cert.org/incident_notes/IN-2003-03.html
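   The propagation mechanism described above (an e-mail attachment with a
   .pif extension that the recipient or the mail client executes) is the
   kind of thing a mail gateway can screen for before the message reaches
   a user. The following Python script is an added illustration, not code
   from the CERT/CC or from the Incident Note: it parses a constructed
   sample message with the standard library and flags attachments whose
   declared filename ends in an extension Windows treats as executable.
   The extension list and the sample message are assumptions for the
   example; a real gateway would also inspect content, because the
   declared filename and MIME type are chosen by the sender.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows shells and some e-mail clients execute directly.
# .pif is the one the W32/Sobig.F report mentions; the rest of the list is an
# assumption for this example, not a CERT/CC recommendation.
RISKY_EXTENSIONS = frozenset({".pif", ".exe", ".scr", ".bat", ".com", ".vbs"})


def risky_attachments(raw_message: bytes) -> list:
    """Return the declared filenames of attachments with a risky extension.

    Only the declared filename is examined here; a production filter would
    also look at the attachment bytes, since the name is attacker-controlled.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    # iter_attachments() yields the non-body parts of a multipart message and
    # yields nothing for a single-part message, so the loop is safe either way.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Compare case-insensitively: Windows treats README.PIF and readme.pif alike.
        pieces = name.lower().rsplit(".", 1)
        ext = "." + pieces[1] if len(pieces) == 2 else ""
        if ext in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample_message() -> bytes:
    """Construct a sample message (not a real worm sample) with a .pif attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file.")
    # Placeholder bytes stand in for the attachment body; they are inert.
    msg.add_attachment(b"\x00\x01placeholder-bytes", maintype="application",
                       subtype="octet-stream", filename="details.pif")
    msg.add_attachment("plain text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    # Expected to report only details.pif, not notes.txt.
    print(risky_attachments(build_sample_message()))
```

   Because the check is purely on the declared name, it is a first
   filter, not a substitute for an up-to-date antivirus scanner at the
   gateway; the two complement each other.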


    2. Exploitation of Vulnerabilities in Microsoft RPC Interface

       In  late  July,  the CERT/CC began receiving reports of widespread
       scanning    and    exploitation   of   two   recently   discovered
       vulnerabilities   in   Microsoft   Remote   Procedure  Call  (RPC)
       Interface.  The  CERT/CC  released an advisory and a Vulnerability
       Note which described these vulnerabilities approximately two weeks
       prior to the reports of exploitation.

                CERT Advisory CA-2003-19
                Exploitation of Vulnerabilities in Microsoft RPC 
                Interface
                http://www.cert.org/advisories/CA-2003-19.html

                CERT Advisory CA-2003-16
                Buffer Overflow in Microsoft RPC
                http://www.cert.org/advisories/CA-2003-16.html

                Vulnerability Note VU#568148 
                Microsoft Windows RPC vulnerable to buffer overflow
                http://www.kb.cert.org/vuls/id/568148

    a. W32/Blaster Worm

       Shortly  after we released multiple documents describing Microsoft
       RPC  vulnerabilities,  we  began  receiving  reports of widespread
       activity  related  to  a  new  piece  of  malicious  code known as
       W32/Blaster.  The W32/Blaster worm exploits a vulnerability in the
       Microsoft  DCOM  RPC interface. On August 11, the CERT/CC released
       an advisory on W32/Blaster. We also released step-by-step recovery
       tips for W32/Blaster.

                CERT Advisory CA-2003-20
                W32/Blaster Worm
                http://www.cert.org/advisories/CA-2003-20.html

                W32/Blaster Recovery tips
                http://www.cert.org/tech_tips/w32_blaster.html

    b. W32/Welchia

       Additionally,  a  worm  was reported that attempted to exploit the
       same vulnerability as W32/Blaster. This worm, known alternately as
       'W32/Welchia',   'W32/Nachi',   or   'WORM_MS_BLAST.D',  has  been
       reported  to  kill and remove the msblast.exe artifact left behind
       by  W32/Blaster,  perform  ICMP  scanning  to  identify systems to
       target for exploitation, apply the patch from Microsoft (described
       in  MS03-026),  and reboot the system. The greatest impact of this
       worm  appears to be the potential for denial-of-service conditions
       within an organization due to high levels of ICMP traffic.
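       The denial-of-service effect attributed to W32/Welchia above comes
       from one infected host sending ICMP echo requests to a large number
       of addresses in a short time. That pattern is easy to distinguish
       from ordinary monitoring pings in flow records. The Python script
       below is an added example and not part of the CERT/CC text: it runs
       a sliding-window detector over constructed flow-log lines (a
       simplified "timestamp src dst proto icmp-type" format assumed for
       the example) and reports sources that reach a configurable number
       of distinct echo-request targets within the window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_flow(line):
    """Parse one constructed flow record: '<iso-timestamp> <src> <dst> <proto> <icmp-type>'."""
    ts_s, src, dst, proto, icmp_type = line.split()
    return datetime.fromisoformat(ts_s), src, dst, proto, icmp_type


def detect_icmp_sweeps(lines, window_seconds=10, min_targets=20):
    """Return {src: peak distinct echo-request targets} for sources at or above min_targets.

    For each source, a sliding window of window_seconds is kept over its ICMP
    echo requests (type 8); the number of distinct destinations in the window
    is the sweep indicator. Pinging one gateway repeatedly never raises it.
    """
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, icmp_type = parse_flow(line)
        if proto == "icmp" and icmp_type == "8":
            events[src].append((ts, dst))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for src, evs in events.items():
        evs.sort()
        in_window = deque()              # (timestamp, dst) still inside the window
        per_dst = defaultdict(int)       # dst -> number of in-window requests
        peak = 0
        for ts, dst in evs:
            in_window.append((ts, dst))
            per_dst[dst] += 1
            # Evict requests older than the window, dropping targets no longer present.
            while in_window and ts - in_window[0][0] > window:
                old_ts, old_dst = in_window.popleft()
                per_dst[old_dst] -= 1
                if per_dst[old_dst] == 0:
                    del per_dst[old_dst]
            peak = max(peak, len(per_dst))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


def build_sample_flows():
    """Construct sample flow lines; this is not a capture from a real infection."""
    lines = []
    base = datetime(2003, 8, 18, 10, 0, 0)
    # Sweeping host: 40 echo requests to 40 distinct addresses within four seconds.
    for i in range(40):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 198.51.100.{i + 1} icmp 8")
    # Monitoring host: pings the same gateway once a second for a minute.
    for i in range(60):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 192.0.2.20 192.0.2.1 icmp 8")
    # Unrelated TCP flow, ignored by the detector.
    lines.append(f"{base.isoformat()} 192.0.2.30 192.0.2.1 tcp -")
    return lines


if __name__ == "__main__":
    # Expected: only 192.0.2.10 is reported, with a peak of 40 targets.
    print(detect_icmp_sweeps(build_sample_flows()))
```

       The threshold and window are site-specific: network management
       stations legitimately ping many hosts, so their addresses belong on
       an allow list rather than a lower threshold.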

    3. Cisco IOS Interface Blocked by IPv4 Packet

       On  July  16, the CERT/CC reported on a vulnerability in many versions
       of   Cisco   IOS   that   could   allow   an  intruder  to  execute  a
       denial-of-service attack against a vulnerable device. We also released
       a companion Vulnerability Note on the same topic.

                CERT Advisory CA-2003-15
                Cisco IOS Interface Blocked by IPv4 Packet
                http://www.cert.org/advisories/CA-2003-15.html

                Vulnerability Note VU#411332
                Cisco IOS Interface Blocked by IPv4 Packet
                http://www.kb.cert.org/vuls/id/411332

       Two  days  later  we  released  an advisory which provided information
       about  the  availability  of  a  public  exploit  for  the  Cisco  IOS
       vulnerability.

                CERT Advisory CA-2003-17
                Exploit available for the Cisco IOS Interface Blocked
                Vulnerabilities
                http://www.cert.org/advisories/CA-2003-17.html

    4. Vulnerabilities in Microsoft Windows Libraries and Internet Explorer

       During  this  quarter, there were a number of vulnerabilities reported
       in  Microsoft Windows Libraries and within Internet Explorer. Below is
       a summary of those vulnerabilities.

    a. Buffer Overflow in Microsoft Windows HTML Conversion Library

       A buffer overflow vulnerability exists in a shared HTML conversion
       library  included  in Microsoft Windows. An attacker could exploit
       this  vulnerability to execute arbitrary code or cause a denial of
       service.  On  July  14,  the CERT/CC issued an advisory describing
       this vulnerability.

                CERT Advisory CA-2003-14
                Buffer Overflow in Microsoft Windows HTML Conversion 
                Library
                http://www.cert.org/advisories/CA-2003-14.html

                Vulnerability Note VU#823260 
                Microsoft Windows HTML conversion library vulnerable
                to buffer overflow
                http://www.kb.cert.org/vuls/id/823260

    b. Integer Overflows in Microsoft Windows DirectX MIDI Library

       A set of integer overflows exists in a DirectX library included in
       Microsoft Windows. An attacker could exploit these vulnerabilities
       to execute arbitrary code or to cause a denial of service. On July
       25,    the   CERT/CC   issued   an   advisory   describing   these
       vulnerabilities.

                CERT Advisory CA-2003-18
                Integer Overflows in Microsoft Windows DirectX MIDI 
                Library
                http://www.cert.org/advisories/CA-2003-18.html

                Vulnerability Note VU#561284
                Microsoft Windows DirectX MIDI library does not 
                adequately validate Text or Copyright parameters in MIDI
                files
                http://www.kb.cert.org/vuls/id/561284

                Vulnerability Note VU#265232
                Microsoft Windows DirectX MIDI library does not 
                adequately validate MThd track values in MIDI files
                http://www.kb.cert.org/vuls/id/265232

    c. Multiple Vulnerabilities in Microsoft Internet Explorer

       Microsoft     Internet    Explorer    (IE)    contains    multiple
       vulnerabilities,  the  most  serious of which could allow a remote
       attacker to execute arbitrary code with the privileges of the user
       running  Internet  Explorer.  On  August 26, the CERT/CC issued an
       advisory describing these vulnerabilities.

                CERT Advisory CA-2003-22
                Multiple Vulnerabilities in Microsoft Internet Explorer
                http://www.cert.org/advisories/CA-2003-22.html

                Vulnerability Note VU#205148
                Microsoft Internet Explorer does not properly evaluate 
                Content-Type and Content-Disposition headers
                http://www.kb.cert.org/vuls/id/205148

                Vulnerability Note VU#865940
                Microsoft Internet Explorer does not properly evaluate 
                "application/hta" MIME type referenced by DATA attribute 
                of OBJECT element
                http://www.kb.cert.org/vuls/id/865940

                Vulnerability Note VU#548964
                Microsoft Windows BR549.DLL ActiveX control contains 
                vulnerability
                http://www.kb.cert.org/vuls/id/548964

                Vulnerability Note VU#813208
                Internet Explorer does not properly render an input type
                tag
                http://www.kb.cert.org/vuls/id/813208

                Vulnerability Note VU#334928
                Microsoft Internet Explorer contains buffer overflow in
                Type attribute of OBJECT element on double-byte character
                set systems
                http://www.kb.cert.org/vuls/id/334928

    5. Malicious Code Propagation and Antivirus Software Updates

       Recent reports to the CERT/CC have highlighted that the speed at which
       viruses   are   spreading  is  increasing  and  that  users  who  were
       compromised  may  have been under the incorrect impression that merely
       having  antivirus  software  installed was enough to protect them from
       all malicious code attacks. On July 14, the CERT/CC issued an Incident
       Note describing this trend.

                CERT Incident Note IN-2003-01
                Malicious Code Propagation and Antivirus Software Updates
                http://www.cert.org/incident_notes/IN-2003-01.html
   ______________________________________________________________________

New CERT Coordination Center (CERT/CC) PGP Key

   On September 5, the CERT/CC issued a new PGP key, which should be used
   when sending sensitive information to the CERT/CC.

          CERT/CC PGP Public Key
          https://www.cert.org/pgp/cert_pgp_key.asc

          Sending Sensitive Information to the CERT/CC
          https://www.cert.org/contact_cert/encryptmail.html
   ______________________________________________________________________

What's New and Updated

   Since the last CERT Summary, we have published new and updated

     * Advisories
       http://www.cert.org/advisories/

     * Vulnerability Notes
       http://www.kb.cert.org/vuls

     * CERT/CC Statistics
       http://www.cert.org/stats/cert_stats.html

     * Congressional Testimony
       http://www.cert.org/congressional_testimony

     * Incident Handling Certification
       http://www.cert.org/certification/

     * Training Schedule
       http://www.cert.org/training/
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/summaries/CS-2003-03.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@xxxxxxxx
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

    Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@xxxxxxxxx Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright ©2003 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP1zEHzpmH2w9K/0VAQEqXAP9FHdMZvoEMC4aLxZzP+e52RhSh6p9rzZ2
W+p3aBh6VOsf1mqpDnlJSZy2kydOLzTwklMm4ESxeSER81TfdbKUIgr7pfzNANn8
4DhrXxUZwcc1+5TWY6/LejrrCjZ2OpK9UxkjDSJKMEcrLqIhaEUL3Vr24iTvNliR
JKkslK9BDGk=
=w9dI
-----END PGP SIGNATURE-----