Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: PnP Worm out; More on the current Veritas vuln; Microsoft Update and Win 2K3 w/o SP1; new gaim version SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
PnP Worm out; More on the current Veritas vuln; Microsoft Update and Win 2K3 w/o SP1; new gaim version

PnP Worm Out


Quick update: Several reports that the PNP (MS05-039) worm was released finally. We are just analyzing the code.

We remain at infocon of yellow, but fortunately, we haven't yet seen any worms exploiting the vulnerabilities covered by last Tuesday's Microsoft bulletins. If things stay quiet through Sunday, we'll likely move back to green on Monday, but we reiterate our warning from yesterday, there are enough exploits for these vulnerabilities known to be in the wild that we believe it is only a matter of hours or at most days until they are integrated into a worm.

More thoughts on the current Veritas Backup Exec vulnerability

One of our readers (thanx, Frank) pointed out that although the bulletins concerning the Veritas Backup Exec vulnerabilities only mentioned the possibility of READING data from a vulnerable server, the nature of the NDMP protocol makes it likely that it could be exploited to WRITE data to a server as well. Several people have been working on proof of concept code today, so it probably won't be long before working exploits are in the wild for this one, too. We are hearing reports of exploit attempts in the wild. Again, see yesterday's diary for our recommendations, for blocking port 10000. Also, thanx to Juha-Matti, for pointing out that this vulnerability also exists not just in Backup Exec, but also in NetBackup for NetWare, as well. See the for further details.

Microsoft Update and Win2K3 w/o SP1

Another of our readers, Wolf, brought this issue to our attention. Some admins have chosen not to install Windows 2003 Server SP1 until issues have been worked out. This has led to a problem that the admins may not be aware of. If you use Microsoft Update and choose the Express (recommended) option, it will NOT show the July or August updates, you have to choose Custom updates in order to see them. This could be very dangerous as it may leave the admins believing their servers are current on patches when in fact they are exposed.

new gaim version

Users of the popular gaim multi-protocol instant messenger client are urged to upgrade to 1.5.0 immediately, since this version fixes 3 security bugs. See for details.


Jim Clausing, jclausing_at_isc.sans.orgI will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Tokyo Autumn 2021


423 Posts
ISC Handler
Aug 14th 2005

Sign Up for Free or Log In to start participating in the conversation!