Current Activity Calendar
August 15, 2005 - Current Activity

This is an archived copy of current activity.

Malware Exploiting Microsoft Plug and Play Vulnerability
added August 14, 2005 | updated August 15, 2005

US-CERT has seen reports of multiple forms of malicious code that take advantage of the vulnerability described in Microsoft Bulletin MS05-039. We have also seen several variants of the Zotob worm. This worm scans for vulnerable systems on port 445/tcp. Once compromised, the worm will download and execute itself from another infected host via FTP on a random high TCP port. The FTP server is used by the worm to host the malicious code for download when other systems are compromised.

US-CERT has also seen reports that under certain conditions Windows XP, XP SP2 and 2003 may be vulnerable to attack by remote, unauthenticated users.

More information on the vulnerability is available in the following US-CERT Vulnerability Note:
US-CERT urges users to apply the update described in Microsoft Security Bulletin MS05-039. If users are unable to apply the update, Microsoft provides several workarounds that may help to mitigate against known attacks on this vulnerability.

Exploit for Vulnerability in VERITAS Backup Exec Remote Agent
added August 12, 2005

US-CERT is aware of a public exploit for a vulnerability in VERITAS Backup Exec Remote Agent for Windows Servers. This exploit may allow a remote attacker to retrieve arbitrary files on a system. The VERITAS Backup Exec Remote Agent listens on network port 10000/tcp.

US-CERT is aware of reports that this vulnerability is being actively exploited. US-CERT has also seen reports of increased scanning activity on port 10000/tcp. This increase is believed to be attempts to locate vulnerable systems running the VERITAS Backup Exec Software.

More information about this vulnerability can be found in US-CERT Technical Cyber Security Alert:
Please refer to TA05-224A for information on solutions and workarounds to mitigate against this vulnerability.

Exploit for Vulnerability in Microsoft Plug and Play
added August 12, 2005 | updated August 15, 2005

US-CERT is aware of a public exploit for a vulnerability in Microsoft Plug and Play that could allow an attacker to locally or remotely execute arbitrary code or cause a denial-of-service condition on a vulnerable system.

The exploit code targets Windows systems by connecting to NetBIOS ports 139/tcp or 445/tcp on a vulnerable system. A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:
Microsoft has released a patch to address this vulnerability in Microsoft Security Bulletin MS05-039. Administrators are encouraged to apply the appropriate fixes as soon as possible.

Microsoft Publishes Multiple Security Bulletins
added August 9, 2005

US-CERT is aware of six Microsoft Security Bulletins issued today that describe several vulnerabilities in various Microsoft products. Public exploit code is available for several of these vulnerabilities. The reported vulnerabilities range in severity from low to critical. If exploited, the critical vulnerabilities could allow a remote attacker to execute arbitrary code on the user's system.

More information is available in US-CERT Technical Cyber Security Alert:

US-CERT encourages Microsoft users to apply patches that are available on the Microsoft website.

Scanning Activity on Port 6070/tcp
added August 4, 2005

US-CERT has seen reports indicating an increase in scanning activity of port 6070/tcp. This port is used by Computer Associates BrightStor ARCserve. Recently, Computer Associates released a security advisory (Vulnerability ID: 33239) describing a vulnerability in BrightStor ARCserve. Since then, exploits have been published that take advantage of this vulnerability.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:
While reports of successful system compromises using this vulnerability have not been confirmed, US-CERT encourages BrightStor ARCserve users to upgrade or install patches, as recommended in the Computer Associates vulnerability description.

Vulnerability in Computer Associates BrightStor ARCserve Backup Agents
added August 3, 2005

US-CERT is aware of a new Computer Associates BrightStor ARCserve Backup Agents vulnerability. If exploited, the vulnerability could allow a remote attacker to execute arbitrary code on a vulnerable machine with SYSTEM privileges. Public exploits are available.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:
Although there is limited information concerning the vulnerability, US-CERT encourages BrightStor ARCserve users to upgrade or install patches, as recommended in the Computer Associates vulnerability description.

Cisco IOS Vulnerability
added July 27, 2005 | updated July 29, 2005

A presentation at the 2005 Black Hat Conference demonstrated proof-of-concept exploit code that targeted a vulnerability affecting Cisco IOS.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:
All readers are encouraged to review the fixes, updates, and workarounds described in the Cisco Security Advisory.

Exploits for Vulnerabilities in Mozilla
added July 14, 2005 | updated July 25, 2005

US-CERT is aware of several new Mozilla Suite and Mozilla Firefox vulnerabilities, some of which have public exploits available. The vulnerabilities range in severity from moderate to critical. If exploited, the critical vulnerabilities could allow a remote attacker to execute arbitrary commands on the user's system with the privileges of the user running the vulnerable browser.

Although there is limited information concerning several of these vulnerabilities, US-CERT encourages Firefox users to upgrade to version 1.0.5 and Mozilla Suite users to upgrade to version 1.7.10 as soon as possible.

Vulnerability in Remote Desktop Protocol
added July 18, 2005

US-CERT is aware of a vulnerability in Microsoft's Remote Desktop Protocol (RDP). Services that utilize the Remote Desktop Protocol (i.e., Terminal Services, Remote Desktop Services, Remote Assistance) could be affected. By sending a specially crafted RDP request, a remote attacker could cause a denial-of-service condition on an affected system. We have no evidence of successful exploitation of this vulnerability.

With the exception of Windows XP Media Center Edition, services that utilize the Remote Desktop Protocol are not enabled by default.

Microsoft has published a Security Advisory about this issue and is continuing to investigate the problem. Until a patch is available to address this vulnerability, US-CERT strongly encourages users to review the workarounds section of the Microsoft Security Advisory.
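
The Zotob entry above describes two network behaviours a defender can look for in flow records: fan-out scanning on 445/tcp, and a newly contacted host connecting back to the scanning host on a high TCP port to fetch the worm. The following detection sketch is an added example, not US-CERT code; the flow-record format, the sample data, and the threshold and time-window values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): epoch_seconds src dst dst_port/tcp
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.0.20 445
1001 10.0.0.5 10.0.0.21 445
1002 10.0.0.5 10.0.0.22 445
1003 10.0.0.5 10.0.0.23 445
1010 10.0.0.22 10.0.0.5 33812
1015 10.0.0.9 10.0.0.30 445
1400 10.0.0.30 10.0.0.9 8080
1020 10.0.0.40 10.0.0.41 80
"""

SMB_PORT = 445
HIGH_PORT_MIN = 1024      # assumption: "high port" means non-privileged
CALLBACK_WINDOW = 120     # assumption: seconds between inbound 445 and fetch
SCAN_THRESHOLD = 4        # assumption: distinct 445/tcp targets per source


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((int(ts), src, dst, int(port)))
    return sorted(flows)


def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Sources that contacted at least `threshold` distinct hosts on 445/tcp."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        if port == SMB_PORT:
            targets[src].add(dst)
    return sorted(s for s, d in targets.items() if len(d) >= threshold)


def find_callbacks(flows, window=CALLBACK_WINDOW):
    """Hosts that received 445/tcp, then connected back to the sender on a high port."""
    last_inbound = {}   # (target, sender) -> time of most recent inbound 445/tcp
    hits = []
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            last_inbound[(dst, src)] = ts
        elif port >= HIGH_PORT_MIN:
            seen = last_inbound.get((src, dst))
            if seen is not None and 0 <= ts - seen <= window:
                hits.append((src, dst, port))
    return hits
```

A callback hit identifies both the likely newly compromised host (the first address) and the host serving the code (the second), so both belong on the list for isolation and patching with MS05-039.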