August 04, 2008 - Current Activity

CA ARCserve Backup for Laptops and Desktops Server vulnerability

US-CERT is aware of a vulnerability that affects CA ARCserve Backup for Laptops and Desktops. This vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition on the server.

More information regarding this vulnerability can be found in the CA Security Advisory "Security Notice for CA ARCserve Backup for Laptops and Desktops Server LGServer" document.

US-CERT recommends that users upgrade to the latest versions to help mitigate the security risks.

Internet System Consortium releases BIND -P2 patches

The Internet System Consortium has released updates for BIND to address performance and stability issues.

US-CERT recommends that administrators of this product apply the respective patches for BIND 9.5.0-P2, BIND 9.4.2-P2 and BIND 9.3.5-P2 or check with their software vendor for updated versions.

Apple Releases Security Update 2008-005

Apple has released Security Update 2008-005 to address multiple vulnerabilities that affect a number of applications. These vulnerabilities may allow an attacker to conduct DNS cache poisoning attacks, execute arbitrary code, cause a denial-of-service condition, or access the affected system with elevated privileges. Please note that this update addresses recent issues with weaknesses in common DNS implementations; see Vulnerability Note VU#800113 for additional information.

US-CERT encourages users to review Apple Article HT2647 and apply any necessary updates as soon as possible to help mitigate the risks.

Airline E-ticket Email Attack

US-CERT is aware of public reports indicating that a new email attack is circulating. This attack uses email messages that appear to be from legitimate airlines and contain information about a bogus e-ticket. These email messages instruct the user to open the attachment to obtain the e-ticket. If a user opens this attachment, a file may be executed to infect the user's system with malicious code.

Reports, including a posting by Sophos, indicate that these messages have the following characteristics. Please note that these attributes may change at any time.

• The subject line "E-Ticket#XXXXXXXXXX"
• An attachment named "eTicket#XXXX.zip"

• Install anti-virus software, and keep its virus signature file up to date.
• Do not open attachments in unsolicited email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

AVG Releases Update

AVG has released version 8.0.156 to address multiple issues. Some of these issues could allow an attacker to cause a crash, resulting in a denial-of-service condition. This version also reduces the amount of incidental traffic generated by the program when searching on particular websites.

US-CERT encourages users to review the AVG Program update and apply any necessary updates to help mitigate the risks.

New Storm Worm Activity Spreading

US-CERT is aware of public reports of a new Storm Worm Campaign. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook. This Trojan horse virus is spread via an unsolicited email message that contains a link to a malicious website. This website contains a link, that when clicked, may run the executable file "fbi_facebook.exe" to infect the user's system with malicious code.

Reports, including a posting by Sophos, indicate the following email subject lines are being used. Please note that subject lines can change at any time.

• F.B.I. may strike Facebook
• F.B.I. watching us
• The FBI's plan to "profile" Facebook
• The FBI has a new way of tracking Facebook
• F.B.I. are spying on your Facebook profiles
• F.B.I. busts alleged Facebook
• Get Facebook's F.B.I. Files
• Facebook's F.B.I. ties
• F.B.I. watching you

• Install anti-virus software, and keep its virus signature files up-to-date.
• Do not follow unsolicited web links received in email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Oracle Releases Security Advisory for WebLogic Plug-in Vulnerability

Oracle has released a Security Advisory to address a vulnerability in the WebLogic plug-in for Apache. Exploitation of this vulnerability may allow a remote, unauthenticated attacker to compromise the confidentiality or integrity of WebLogic Server applications or cause a denial-of-service condition. The advisory indicates that exploit code for this vulnerability is publicly available.

US-CERT encourages users to review the Oracle Security Advisory and implement the workarounds listed in the document to help mitigate the risks. At this time, a patch or update is not available.

US-CERT will provide additional information as it becomes available.

RealPlayer Releases Update

RealNetworks has released an update to address multiple vulnerabilities in RealPlayer. These vulnerabilities may allow an attacker to execute arbitrary code or obtain sensitive information. RealNetworks identifies the vulnerabilities as the following:

• RealPlayer ActiveX controls property heap memory corruption.
• Local resource reference vulnerability in RealPlayer.
• RealPlayer SWF file heap-based buffer overflow.
• RealPlayer ActiveX import method buffer overflow.

U.S. Customs and Border Protection Email Attack

US-CERT is aware of public reports of an attack circulating via bogus email messages that claim to be from "US Customs Service." The messages may contain the subject line "Parcel requires declaration" and indicate that a parcel has been received addressed to the recipient of the email. These messages may also encourage users to open an attachment to the message that may contain malicious code.

US-CERT encourages users to do the following to help mitigate the risks:

• Review the alert posted by the U.S. Customs and Border Protection regarding this issue.
• Do not open attachments contained in unsolicited email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
• Install anti-virus software and keep virus signature files up to date.

DNS Cache Poisoning Public Exploit Code Available

US-CERT is aware of publicly available exploit code for a cache poisoning vulnerability in common DNS implementations. Exploitation of this vulnerability may allow an attacker to cause a nameserver's clients to contact the incorrect, and possibly malicious hosts for particular services. As a result, web traffic, email and other important network data could be redirected to systems under the attacker's control.

US-CERT strongly urges administrators to patch affected systems immediately. Please review the following US-CERT documents for further details:

• Current Activity - DNS Implementations Vulnerable to Cache Poisoning
• Current Activity - NAT/PAT Affects DNS Cache Poisoning Mitigation
• Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
• Technical Cyber Security Alert TA08-190B - Multiple DNS implementations vulnerable to cache poisoning