
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-02-27



Updated: Bagle C Virus. New Vulnerability in RealSecure and BlackIce Products, Solaris 8 and 9 passwd(1) bulletin, WinZip flaw, IE cross-frame scripting issue

Published: 2004-02-27
Last Updated: 2004-02-28 03:27:44 UTC
by Jim Clausing (Version: 1)
Bagle C

Just in: a new virus, apparently a member of the Bagle family, has been sighted.
Common AV products do not yet detect it. It arrives as a .zip attachment.
First sightings were reported around 5-6 PM EST (10-11 PM UTC).


New Vulnerability in RealSecure and BlackIce Products

eEye Security released a bulletin last night with details concerning a serious vulnerability in RealSecure/BlackICE Server Message Block (SMB) Processing. Details are at


http://www.eeye.com/html/Research/Advisories/AD20040226.html

According to eEye, a single SMB packet is enough to exploit this vulnerability. The flaw lies in the way an SMB packet is processed, analyzed, and reassembled: during that phase, specially crafted data can be written into a heap-based buffer without proper bounds checking. A heap overwrite of this kind can lead to reliable remote code execution. No proof of concept or other public exploit is known to be in circulation, but systems running either of these products should be patched immediately.


Updates for these products are available from ISS at


http://www.iss.net/download/

Solaris 8 and 9 passwd(1) privilege escalation

Yesterday, Sun released a bulletin announcing a patch for a potential privilege escalation vulnerability in the passwd(1) program in certain versions of Solaris 8 and 9 (Solaris 7 is not vulnerable). Complete details are at


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454&zone_32=category%3Asecurity

Solaris admins should read the bulletin and patch as soon as practical.


WinZip MIME parsing buffer overflow

iDefense published a bulletin today describing a buffer overflow in the popular WinZip utility. Affected versions include WinZip 9 beta and WinZip 8.1 SR-1, but not the WinZip 9 final release; earlier versions are believed likely to be vulnerable as well. The flaw is in WinZip's MIME parameter parsing routines. One workaround is to disable the file-extension handlers for the vulnerable file types, so that double-clicking such an archive does not hand it to WinZip. Unlike many of the recent worms, where infection required opening a document inside a .zip attachment, this one could be exploited simply by opening the archive to see what was inside. As always, users are urged to be extremely cautious about opening e-mail attachments. Note that exploitation is also possible via web links or peer-to-peer file sharing. More details can be found here


http://www.idefense.com/application/poi/display?id=76&type=vulnerabilities&flashstatus=false
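The bulletin gives no code, and the example below is not WinZip's; it is an added illustration of the general bug class the diary describes: a MIME parameter (such as the filename= in a Content-Disposition header) copied into a fixed-size buffer without a length check, shown next to a bounded version that rejects over-long or malformed values instead of overflowing. The parsing rules are deliberately simplified (name=value or name="quoted value", separated by ';'), VALUE_MAX, the function names and the sample headers are assumptions made for the example, and the unsafe function exists only to show the pattern; do not feed it untrusted input.

```c
/* Added example, not WinZip's code: MIME parameter extraction, unbounded
 * (vulnerable pattern) versus bounded (hardened). Simplified grammar:
 *   Header: value; name=token; name="quoted value"
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 64   /* assumed fixed buffer size for the illustration */

/* Case-insensitive compare of exactly n bytes (MIME parameter names are
 * case-insensitive). */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return a pointer to the first byte of the value of parameter 'name'
 * (the byte after '='), or NULL if the header carries no such parameter. */
static const char *find_param(const char *header, const char *name)
{
    size_t n = strlen(name);
    const char *p = header;
    while ((p = strchr(p, ';')) != NULL) {
        p++;
        while (*p == ' ' || *p == '\t')
            p++;
        if (strlen(p) >= n && ieq(p, name, n) && p[n] == '=')
            return p + n + 1;
    }
    return NULL;
}

/* VULNERABLE PATTERN (illustration only): the value is copied byte by byte
 * into a fixed stack buffer with no check against VALUE_MAX. A header whose
 * filename value is longer than VALUE_MAX bytes overruns 'value' and, on a
 * build without stack protection, clobbers the saved frame and return
 * address. Never call this with attacker-controlled data. */
int get_param_unsafe(const char *header, const char *name, char *out)
{
    char value[VALUE_MAX];
    const char *v = find_param(header, name);
    size_t i = 0;
    if (v == NULL)
        return -1;
    if (*v == '"') {
        v++;
        while (*v && *v != '"')
            value[i++] = *v++;          /* no bound: overflow here */
    } else {
        while (*v && *v != ';')
            value[i++] = *v++;          /* no bound: overflow here */
    }
    value[i] = '\0';
    strcpy(out, value);
    return (int)i;
}

/* HARDENED: every write is checked against the caller-supplied size, and an
 * over-long value or an unterminated quoted string is rejected (-2) rather
 * than silently truncated, so the caller can refuse the archive outright.
 * Returns the value length, -1 if the parameter is absent. */
int get_param_safe(const char *header, const char *name, char *out, size_t outlen)
{
    const char *v = find_param(header, name);
    size_t i = 0;
    int quoted;
    if (v == NULL || outlen == 0)
        return -1;
    quoted = (*v == '"');
    if (quoted)
        v++;
    for (;;) {
        char c = *v;
        if (c == '\0') {
            if (quoted)
                return -2;              /* unterminated quoted value */
            break;
        }
        if (quoted ? (c == '"') : (c == ';' || c == ' ' || c == '\t'))
            break;
        if (i + 1 >= outlen)
            return -2;                  /* would not fit with its NUL */
        out[i++] = c;
        v++;
    }
    out[i] = '\0';
    return (int)i;
}

/* Constructs a header whose filename value is 'len' bytes of 'A' and
 * reports what the hardened parser makes of it (-3 if the constructed
 * header itself would not fit in the local buffer). */
int check_filename_of_length(size_t len)
{
    char header[1024];
    char out[VALUE_MAX];
    const char *prefix = "Content-Disposition: attachment; filename=\"";
    size_t p = strlen(prefix);
    if (len > sizeof header - p - 2)
        return -3;
    memcpy(header, prefix, p);
    memset(header + p, 'A', len);
    header[p + len] = '"';
    header[p + len + 1] = '\0';
    return get_param_safe(header, "filename", out, sizeof out);
}

int main(void)
{
    /* Constructed sample headers, not taken from any real message. */
    const char *benign = "Content-Disposition: attachment; filename=\"report.zip\"";
    char out[VALUE_MAX];
    printf("benign, safe parser:   %d (%s)\n",
           get_param_safe(benign, "filename", out, sizeof out), out);
    printf("benign, unsafe parser: %d (%s)\n",
           get_param_unsafe(benign, "filename", out), out);
    printf("63-byte filename:      %d\n", check_filename_of_length(63));
    printf("64-byte filename:      %d (rejected)\n", check_filename_of_length(64));
    printf("300-byte filename:     %d (rejected, would have overflowed)\n",
           check_filename_of_length(300));
    return 0;
}
```

The design point is that the hardened parser treats "value does not fit" as a hard error, not a truncation: a parser that silently truncates keeps the overflow from happening but still processes an archive that was crafted to be hostile, whereas rejecting it lets the application refuse the file and log the attempt.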


IE cross-frame scripting exposure

iDefense also published a bulletin today describing a cross-frame scripting vulnerability in patched versions of Internet Explorer. Exploitation requires the user to click on a link, but when it is combined with the vulnerability described in Microsoft's bulletin MS04-004, the user may not realize they are following a link to a malicious web site and may inadvertently supply sensitive personal information to an unintended party. IE users should apply the patch described in MS04-004 and should then verify the address shown in the address bar before entering personal information into web forms. Complete details can be found here


http://www.idefense.com/application/poi/display?id=77&type=vulnerabilities&flashstatus=false



---Jim Clausing
