Current Activity Calendar
December 09, 2005 - Current Activity

Cross Domain Vulnerability in Internet Explorer
added December 8, 2005

US-CERT is aware of a cross-domain violation in Internet Explorer. This may allow a script in one domain to access web content in a different domain. Web browsers should adhere to the "Same Origin Policy", which prevents documents or scripts loaded from one origin from getting or setting properties of a document from a different origin. Internet Explorer does not follow this policy when importing CSS documents.

If the cross-domain violation in Internet Explorer occurs on a system that has Google Desktop Search (GDS) installed, then an attacker may be able to search for private data, execute programs, or execute arbitrary code on the vulnerable system.

Note: Google has modified its web pages to prevent exploitation of GDS through this particular vulnerability in Internet Explorer. The cross-domain violation vulnerability in Internet Explorer is still present, however.

Although there is limited information concerning this vulnerability, US-CERT encourages users to disable Active Scripting to prevent exploitation. Users can also refer to the Microsoft Security Response Center Blog for additional information on this vulnerability affecting Internet Explorer.

Automatic Update Functionality in Sober.X Worm
added December 7, 2005

US-CERT is aware of functionality that could allow the mass-mailing worm known as "W32/Sober.X" to automatically update itself. W32/Sober.X is a bilingual (English and German) mass-mailing worm that uses its own SMTP engine to propagate. The W32/Sober.X worm began propagating on November 15, 2005 and will attempt to update itself on or around January 5, 2006. Systems that have already been compromised by the W32/Sober.X worm are expected to receive this update.
Once the update is received, the W32/Sober.X worm may execute code that reduces the security protection of vulnerable systems. US-CERT strongly recommends that users and administrators implement the following general protection measures:
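Returning to the Internet Explorer cross-domain entry above: the Same Origin Policy it describes compares the scheme, host and port of the document with those of the resource a script wants to read. The following Python script is an added example, not US-CERT or Microsoft code; it implements that origin comparison and applies it to the case the entry names, an imported stylesheet, so that a sheet from another origin is still applied for rendering but its rule text is withheld from the importing document's scripts. All URLs and stylesheet contents are constructed sample data.

```python
"""Same-origin check applied to an imported stylesheet.

Added example (not US-CERT or Microsoft code). Models the check a browser is
expected to make before exposing the contents of a CSS document to script:
a stylesheet fetched from another origin may be applied to the page, but its
rules must not be readable by the importing document. All URLs and sheet
contents below are constructed sample data.
"""
from urllib.parse import urlsplit

# Default port per scheme: "http://host:80/" is the same origin as "http://host/".
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str):
    """Return the (scheme, host, effective port) tuple that defines an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and effective port all match."""
    return origin_of(url_a) == origin_of(url_b)


# Constructed "server": URL -> stylesheet text. One sheet lives on the
# document's own origin, the other on a different host.
STYLESHEETS = {
    "https://app.example.com/site.css": "body { color: black; }",
    "https://other.example.net/private.css": ".secret { content: 'token-123'; }",
}


def import_stylesheet(document_url: str, sheet_url: str) -> dict:
    """Apply the sheet, but expose its rules to script only when same-origin.

    Returns {'applied': True, 'readable_rules': <text or None>}; None means
    the policy withheld the cross-origin content from script.
    """
    css = STYLESHEETS.get(sheet_url)
    if css is None:
        raise LookupError(f"no such stylesheet: {sheet_url}")
    readable = css if same_origin(document_url, sheet_url) else None
    return {"applied": True, "readable_rules": readable}


if __name__ == "__main__":
    doc = "https://app.example.com/index.html"
    for sheet in STYLESHEETS:
        print(sheet, "->", import_stylesheet(doc, sheet))
```

The port defaulting matters in practice: a comparison that looks only at the host string would wrongly treat `https://app.example.com` and `http://app.example.com` as the same origin, and wrongly separate `http://host/` from `http://host:80/`.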
Reports of IRS Phishing Emails
added November 30, 2005

US-CERT has received reports of a phishing email scam that attempts to convince the user that it is from the Internal Revenue Service (IRS) by using a spoofed "From" address of "tax-refunds@irs.gov". Upon clicking on the link provided in the email, the user is taken to a fraudulent site that looks like a legitimate U.S. government site. The user is then asked to provide personal information, such as Social Security, credit card and bank PIN numbers. Users are encouraged to take the following measures to protect themselves from this type of phishing attack:
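The lure described above rests on two mismatches a mail filter can check for: the domain in the spoofed "From" header does not own the host that the link actually points at, and the text shown for the link need not match its target. The Python script below is an added example, not US-CERT code; it parses a constructed sample message (the link target is a reserved documentation address, not a real site) and reports every link whose host lies outside the claimed sender's domain, is a bare IP address, or differs from the URL displayed as the link text. The sample message and the heuristics are assumptions for illustration, not a description of the reported campaign.

```python
"""Flag e-mail whose links do not belong to the claimed sender's domain.

Added example (not US-CERT code): a small mail-filter heuristic that compares
the domain of the From header against the host of every link in the body.
SAMPLE_MESSAGE is constructed input; its link target is a reserved
documentation address (198.51.100.0/24), not a real site.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlsplit

SAMPLE_MESSAGE = """\
From: "Internal Revenue Service" <tax-refunds@irs.gov>
To: user@example.org
Subject: Your tax refund is ready
Content-Type: text/html

<html><body>
<p>Click <a href="http://198.51.100.7/irs/refund.php">https://www.irs.gov/refund</a>
to claim your refund.</p>
<p>Help: <a href="https://www.irs.gov/help">IRS help</a></p>
</body></html>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def sender_domain(msg) -> str:
    """Domain part of the From address (the identity the mail claims)."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[-1].lower()


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(raw_message: str):
    """Return a list of (href, reason) for links that contradict the sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    claimed = sender_domain(msg)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    findings = []
    for href, text in HREF_RE.findall(body):
        host = (urlsplit(href).hostname or "").lower()
        if IPV4_RE.match(host):
            findings.append((href, "link points at a bare IP address"))
        elif not host_belongs_to(host, claimed):
            findings.append((href, f"link host {host} is outside sender domain {claimed}"))
        # Link text that looks like a URL should name the same host as the target.
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = (urlsplit(shown).hostname or "").lower() if "://" in shown else ""
        if shown_host and shown_host != host:
            findings.append((href, f"displayed URL host {shown_host} differs from target {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"{reason}: {href}")
```

The check is deliberately conservative: a legitimate link to a subdomain of the sender (here the help link) passes, while the refund link is reported twice, once for its bare-IP target and once for the displayed/actual host mismatch.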
For additional information on ways to avoid phishing email attacks, US-CERT recommends that all users reference the following:

Exploit for Vulnerability in Microsoft Internet Explorer window() object
added November 21, 2005 | updated November 30, 2005

US-CERT is aware of a vulnerability in the way Microsoft Internet Explorer handles requests to the window() object. If exploited, the vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the user. Additionally, the attacker could cause IE (or the program using the WebBrowser control) to crash. According to Microsoft, malicious software is targeting this vulnerability. We have confirmed that the proof-of-concept code is successful on Windows 2000 and Windows XP systems that are fully patched as of November 30, 2005. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:
Until a patch is available to address this vulnerability, US-CERT strongly encourages Windows users to disable Active Scripting. Additionally, Microsoft has updated its Security Advisory about this issue and is continuing to investigate the problem.

Vulnerability in Cisco PIX
added November 23, 2005 | updated November 28, 2005

US-CERT is aware of a publicly reported vulnerability in the way Cisco PIX firewalls process legitimate TCP connection attempts. A remote attacker may be able to send spoofed, malformed TCP packets with incorrect checksum values through affected PIX firewalls. As a result, legitimate network traffic to the destination may be blocked until the invalid PIX connection-attempt entry times out (around two minutes by default). Public exploit code for this reported vulnerability may be useful for automating a sustained attack. More information about the reported vulnerability can be found in the following US-CERT Vulnerability Note:
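The failure mode in the PIX report is a stateful device that records a connection-attempt entry for a segment whose TCP checksum is wrong; the entry then shadows the legitimate connection until it expires. A device that verifies the checksum before allocating state never records such a segment. The Python script below is an added example, not US-CERT or Cisco code: it computes the TCP checksum over the IPv4 pseudo-header and segment, builds a constructed SYN with a correct and with a deliberately wrong checksum (addresses and ports are sample values from reserved documentation ranges), and applies a stateful-inspection rule that opens an entry only for a well-formed SYN.

```python
"""Validate a TCP segment's checksum before creating connection state.

Added example (not US-CERT or Cisco code). A stateful inspection device that
checks the checksum over the IPv4 pseudo-header and segment before allocating
a connection entry will not record a malformed, spoofed segment. Addresses,
ports and sequence numbers below are constructed sample values.
"""
import socket
import struct

TCP_PROTO = 6
SYN = 0x02


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum of pseudo-header (src, dst, zero, proto, TCP length) + segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return internet_checksum(pseudo + segment)


def build_syn(src_ip, dst_ip, sport, dport, seq, corrupt_checksum=False) -> bytes:
    """Build a 20-byte SYN segment; optionally store a wrong checksum in it."""
    # ports, seq, ack, data offset (5 words) << 4, flags, window, checksum=0, urgent
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, SYN, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    if corrupt_checksum:
        csum ^= 0xFFFF                       # constructed malformed segment
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_is_valid(src_ip, dst_ip, segment: bytes) -> bool:
    """Summing a segment that includes its own checksum must give zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def should_create_entry(src_ip, dst_ip, segment: bytes) -> bool:
    """Stateful-inspection rule: only a well-formed SYN may open an entry."""
    if len(segment) < 20 or not checksum_is_valid(src_ip, dst_ip, segment):
        return False
    flags = segment[13]
    return flags & SYN != 0


if __name__ == "__main__":
    src, dst = "192.0.2.10", "198.51.100.20"
    good = build_syn(src, dst, 40000, 80, 0x12345678)
    bad = build_syn(src, dst, 40000, 80, 0x12345678, corrupt_checksum=True)
    print("valid SYN creates entry:", should_create_entry(src, dst, good))
    print("bad-checksum SYN creates entry:", should_create_entry(src, dst, bad))
```

For the sample values in the block the correct checksum is 0xBE53; the corrupted segment carries its complement and is rejected before any entry is created, which is exactly the ordering of checks that keeps a spoofed segment from displacing legitimate traffic.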
Until a patch or more information becomes available, US-CERT recommends that system administrators who may be affected consider reconfiguring certain connection timers on Cisco PIX systems. More workaround information is also available in the solution section of VU#853540.

W32/Sober Revisited
added November 22, 2005 | updated November 22, 2005

US-CERT is aware of several new variants of the W32/Sober virus that propagate via email. As with many viruses, these variants rely on social engineering to propagate. Specifically, the user must click on a link or open an attached file. A recent variant sends messages that appear to be from the CIA or FBI, while a German version appears to be coming from the Bundeskriminalamt (BKA), the German federal police service. US-CERT encourages users to review the appropriate alert below:
The new variants of the W32/Sober virus identified above share the common characteristics listed below. Once a system is infected, the malicious code may:
Although each variant has different functionality, the list below contains a subset of the common characteristics found in previous variants. Once a system is infected, the malicious code may:
US-CERT strongly encourages users to install anti-virus software and keep its virus signature files up to date. Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. You may also wish to visit the US-CERT Computer Virus Resources.

First 4 Internet XCP (Sony DRM) Vulnerabilities
added November 15, 2005 | updated November 18, 2005

US-CERT is aware of several vulnerabilities regarding the XCP Digital Rights Management (DRM) software by First 4 Internet, which is distributed on some Sony BMG audio CDs. The XCP copy protection software uses "rootkit" technology to hide certain files from the user. This technique poses a security threat, because malware can take advantage of the same ability to hide files. We are aware of malware that is currently using this technique to hide.

One of the uninstallation options provided by Sony also introduces vulnerabilities to a system. Upon submitting a request to uninstall the DRM software, the user receives via email a link to a Sony BMG web page. This page attempts to install an ActiveX control when it is displayed in Internet Explorer. The ActiveX control is marked "Safe for scripting", which means that any web page can use the control and its methods. Some of the methods provided by this control are dangerous, as they may allow an attacker to download and execute arbitrary code. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:
US-CERT recommends the following ways to help prevent the installation of this type of rootkit: