State of Texas
Department of Information Resources
Leadership for Texas Government Technology
Emergency Alerts - Archive

Emergency alerts were added to the Web site only if there was a need to disseminate information to agencies and universities during a major negative event.

This page includes alerts posted before February 15, 2007. For the most current Emergency Alerts, see the Emergency Alerts page.

Security incidents shall be reported to the DIR within twenty-four hours if there is a substantial likelihood that such incidents could be propagated to other systems beyond the control of the agency. TAC 202.7 (f)(1).

Please call the emergency cell phone at 512-350-3282. The phone is answered 24 hours a day, 7 days a week.


Emergency Alerts 2005 – 02/14/2007

February 14, 2007
MS-ISAC ADVISORY NUMBER: 2006-013 - UPDATED

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER ADVISORY

Date(s) Issued

  • 7/17/2006
  • 8/8/2006 - Updated
  • 2/14/2007 - Updated

Subject

New Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution

Original Overview

A new vulnerability has been discovered in Microsoft Office PowerPoint that could allow a remote attacker to run and execute commands on the local system. This vulnerability can be exploited if a user opens a malicious PowerPoint file which has been specifically crafted to exploit this vulnerability.

August 8 Updated Information

Microsoft has released a new security bulletin (MS06-048) that supplies a patch to the Microsoft Office Library file 'mso.dll'. In addition to the patch, a new vulnerability in Microsoft Office PowerPoint has been found that would allow a remote attacker to run and execute commands on the local system.

February 14, 2007 Updated Overview

Microsoft has released a new security bulletin (MS07-015) that replaces previous security bulletins and supplies a new patch to resolve two vulnerabilities in Microsoft Office that would allow a remote attacker to run and execute commands on the local system. Please see the systems affected and description sections below for additional details.

Original Systems Affected:

  • Microsoft PowerPoint 2003
  • Microsoft Office 2003
  • Microsoft PowerPoint 2003 SP1
  • Microsoft Office 2003 SP1
  • Microsoft PowerPoint 2003 SP2
  • Microsoft Office 2003 SP2

February 14 Updated Systems Affected:

  • Microsoft Office 2000 SP 3
  • Microsoft Access 2000
  • Microsoft Excel 2000
  • Microsoft FrontPage 2000
  • Microsoft Outlook 2000
  • Microsoft PowerPoint 2000
  • Microsoft Publisher 2000
  • Microsoft Word 2000
  • Microsoft Office XP SP3
  • Microsoft Access 2002
  • Microsoft Excel 2002
  • Microsoft FrontPage 2002
  • Microsoft Outlook 2002
  • Microsoft PowerPoint 2002
  • Microsoft Publisher 2002
  • Microsoft Visio 2002
  • Microsoft Word 2002
  • Microsoft Office 2003 SP2
  • Microsoft Access 2003
  • Microsoft Excel 2003
  • Microsoft Excel 2003 Viewer
  • Microsoft FrontPage 2003
  • Microsoft InfoPath 2003
  • Microsoft OneNote 2003
  • Microsoft Outlook 2003
  • Microsoft PowerPoint 2003
  • Microsoft Project 2003
  • Microsoft Publisher 2003
  • Microsoft Visio 2003
  • Microsoft Word 2003
  • Microsoft Word 2003 Viewer
  • Microsoft Project 2000 Service Release 1
  • Microsoft Project 2002 SP1
  • Microsoft Visio 2002 SP2
  • Microsoft Office 2004 for Mac

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

Original Description

A new vulnerability has been discovered in Microsoft Office PowerPoint that could allow a remote attacker to run and execute commands on the local system. The vulnerability exists because of a flaw in the shared Microsoft Office Library file 'mso.dll'. This vulnerability can be exploited if a user opens a malicious PowerPoint file which has been specifically crafted to exploit this vulnerability. Proof-of-concept PowerPoint files that exploit this vulnerability are publicly available on the Internet.

After successful exploitation, an attacker could take complete control of a vulnerable system, and perform actions such as install programs, view, change, and delete data, and create user accounts.

August 8 Updated Description

Microsoft has reported a new vulnerability that could be exploited when a file containing a malformed record is parsed by PowerPoint. Such a file could be found on a malicious website or be included as an e-mail attachment.

February 14 Updated Description

Microsoft discovered the previous update was not effective in removing the vulnerability from an affected system. This update addresses the flaw in the Microsoft Office Library file 'mso.dll'. At this time there is no known exploit code available for this PowerPoint vulnerability.

In addition, this bulletin describes two new vulnerabilities which could be exploited when a file containing a malformed record is opened by Excel or PowerPoint. These files can be hosted on a malicious website or included in an email attachment. Currently, there is a proof of concept Excel file for the Excel vulnerability publicly available on the Internet. We are not aware of any proof of concept code publicly available for the PowerPoint vulnerability.

Recommendations

We recommend the following actions be taken:

  • Apply all of the appropriate patches provided by the software vendor to vulnerable systems as soon as possible after appropriate testing.
  • Do not visit unknown or un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Do not open email attachments from un-trusted sources.
  • Ensure that all anti-virus software is up to date with the latest signatures.

References

Microsoft:
http://blogs.technet.com/msrc/archive/2006/07/14/441893.aspx

SecurityFocus:
http://www.securityfocus.com/bid/18993/

SANS:
http://www.incidents.org/diary.php?storyid=1484&isc=016c32f0ee8ed1d28ca2c0c67c298840

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3590

August 8 Updated References

Microsoft: 
http://www.microsoft.com/technet/security/bulletin/ms06-048.mspx

February 14 Updated References

Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS07-015.mspx

SecurityFocus:
http://www.securityfocus.com/bid/20325/references

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3877
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0671


February 14, 2007
MS-ISAC ADVISORY NUMBER: 2007-007

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER ADVISORY

Subject

Multiple Remote Code Execution Vulnerabilities Exploitable through Internet Explorer

Overview

Three vulnerabilities have been found in Microsoft Internet Explorer that would allow an attacker to obtain complete control of the affected system. These vulnerabilities can be exploited if a user visits a malicious web site or a legitimate web site that may contain advertisements that have had malicious code inserted into them. Two of the three vulnerabilities have public exploit code available. Microsoft has released three security bulletins addressing each of the vulnerabilities. We are including the three security bulletins in one advisory since they share common exploit mechanisms, workarounds, risk potential; and to emphasize that they should all be applied together to effectively protect users.

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 for Itanium-based systems
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Data Access Components 2.5 Service Pack 3 on Microsoft Windows 2000 Service Pack 4
  • Microsoft Data Access Components 2.8 Service Pack 1 on Microsoft Windows XP Service Pack 2
  • Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003
  • Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003 for Itanium-based Systems
  • Microsoft Data Access Components 2.7 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Data Access Components 2.8 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Data Access Components 2.8 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6 for Windows XP Service Pack 2
  • Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition
  • Microsoft Internet Explorer 6 for Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Internet Explorer 6 for Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition
  • Windows Internet Explorer 7 for Windows XP Service Pack 2
  • Windows Internet Explorer 7 for Windows XP Professional x64 Edition
  • Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1
  • Windows Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Internet Explorer 7 for Windows Server 2003 x64 Edition

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

Description

Three new vulnerabilities have been found to be exploitable through Microsoft Internet Explorer that would allow arbitrary code execution on Microsoft systems. 

The first vulnerability (MS07-008) is due to a flaw in the HTML Help ActiveX control. Exploitation of this vulnerability could occur if a user visits a Web site that contains malicious content, and could lead to the execution of arbitrary code. The code would be executed with the privileges of the user that is running Internet Explorer.

The second vulnerability (MS07-009) exists in the ADODB.Connection ActiveX control that is included in Internet Explorer as part of Microsoft Data Access Components (MDAC). A Web site that hosts malicious code can pass unexpected data to the aforementioned ActiveX control which could cause Internet Explorer to fail in a way that would allow code execution.

The third vulnerability (MS07-016) exists in Internet Explorer in the way the browser instantiates certain COM objects as ActiveX controls. If a malicious COM object is read by Internet Explorer, it may corrupt the system state in a way that an attacker could execute arbitrary code. This COM object could be placed either on a Web site that hosts user-posted content or on a site that contains malicious content.

Note: By default, Server 2003 runs Internet Explorer in a restricted mode that sets the security level to high. This prevents users from going to sites that have not been added to the trusted zone. Internet Explorer 7, by default, does not include COM Objects in the allow-list for ActiveX controls. However, if the user had upgraded from a previous version of Internet Explorer that had allowed these COM Objects, the COM Objects will still be allowed in Internet Explorer 7. In this case the user would have to disable the COM Objects for their ActiveX controls.

An attacker who successfully exploited a system with any of the three vulnerabilities mentioned could take complete control of an affected system. If the user running Internet Explorer is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

Recommendations

We recommend the following actions be taken:

  • Apply the appropriate patches provided by Microsoft to vulnerable systems as soon as possible after appropriate testing.
  • Do not visit unknown or un-trusted Web sites or follow links provided by unknown or un-trusted sources.
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX controls in the Internet Zone.

References

HTML Help ActiveX Control Vulnerability

Microsoft:

SecurityFocus:

US-CERT:

CVE:


February 6, 2007
Daylight Saving Time

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER  --  CYBER INFORMATION BULLETIN

This information bulletin discusses the changes in the federal law regarding Daylight Saving Time. The purpose of this bulletin is to inform the community of possible issues and to provide recommendations to minimize problems.

Bulletin

The Energy Policy Act of 2005 amends the Uniform Time Act of 1966 by changing the start and end dates of daylight saving time in the year 2007. Originally the clocks would be set ahead one hour on the first Sunday of April and reversed on the last Sunday of October. The new amendment changes this such that the time is set ahead one hour on the second Sunday of March and reversed on the first Sunday of November. This change could lead to complications in time-stamped data services such as databases, mail servers, NTP servers, firewalls, switches, backup and storage systems, printers, PBX systems, fax machines, voice mail systems, interactive voice response (IVR) systems, automated call distributor (ACD) systems, copiers, cell phones and PDA devices. Additionally, it should be noted that there are possible issues that may arise for client/server computer systems such as authentication services as well as other technology services that rely on time-stamped information.

There could also be complications in applications that use time-stamped data. We are aware of patches for the Sun Java Runtime Environment (JRE); these should be applied, and any other applications or application environments should be checked to make sure that they will correctly handle the new daylight saving time rules.

Windows 2000 has passed the end of Mainstream Support and will not be receiving an update without Extended Hotfix Support. Windows XP SP1 is no longer supported and will not be receiving an update for this issue. Patches are available for Windows XP SP2, Windows Server 2003, and Windows Server SP1. Please confirm with your vendors the needed steps to assure that device times are kept accurate.

Recommendations

  • Identify all time dependent applications.
  • Update and apply all appropriate patches to applicable systems after appropriate testing.
  • Ensure that your users are aware of the change and pay particular attention to calendar entries during the new daylight saving time periods.
  • Validate that all critical systems have the correct time after each rotation of DST to mitigate any possible issues on those hosts.
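The rule change described in this bulletin and its last recommendation can be checked mechanically. The following Python example is added here and is not part of the MS-ISAC bulletin or of any vendor's patch tooling. It computes the DST transition dates for a year under both the 1966 and the 2005 rules, then asks the host's own time-zone database (Python's zoneinfo module, assumed to be present with tz data installed) which rule set each listed zone follows; a zone reported as "old" for 2007 marks a host whose zone data still needs updating. The zone names and the year are illustrative choices.

```python
"""Check which US daylight saving time rules a host's zone data follows.

Added example; it is not part of the MS-ISAC bulletin or any vendor
patch. Assumes Python 3.9+ (zoneinfo) and an installed tz database;
when zone data is missing the check reports "unavailable" rather than
guessing.
"""
from datetime import date, datetime, timedelta

SUNDAY = 6  # datetime.weekday(): Monday=0 ... Sunday=6


def nth_weekday(year, month, weekday, n):
    """Return the n-th (1-based) occurrence of `weekday` in the month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def last_weekday(year, month, weekday):
    """Return the last occurrence of `weekday` in the month."""
    following = date(year + (month == 12), month % 12 + 1, 1)
    back = (following.weekday() - weekday) % 7
    return following - timedelta(days=back or 7)


def dst_dates(year, rules="new"):
    """Return (start, end) of DST for the year under the 'old' or 'new' rules.

    old: Uniform Time Act of 1966 (first Sunday of April, last Sunday of October)
    new: Energy Policy Act of 2005 (second Sunday of March, first Sunday of November)
    """
    if rules == "old":
        return nth_weekday(year, 4, SUNDAY, 1), last_weekday(year, 10, SUNDAY)
    if rules == "new":
        return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)
    raise ValueError(f"unknown rule set: {rules}")


def zone_rule(zone_name, year):
    """Classify a tz database zone for `year`.

    Returns 'new', 'old', 'none' (no DST observed), 'unknown' (transitions on
    other dates), or 'unavailable' (no zone data on this host).
    """
    try:
        from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
        tz = ZoneInfo(zone_name)
    except (ImportError, ZoneInfoNotFoundError):
        return "unavailable"

    def offset_at_noon(d):
        return datetime(d.year, d.month, d.day, 12, tzinfo=tz).utcoffset()

    # No difference between January and July means the zone never shifts.
    if offset_at_noon(date(year, 1, 1)) == offset_at_noon(date(year, 7, 1)):
        return "none"
    for label in ("new", "old"):
        start, end = dst_dates(year, label)
        # A transition on the expected day shows as an offset change since the previous noon.
        starts_here = offset_at_noon(start) > offset_at_noon(start - timedelta(days=1))
        ends_here = offset_at_noon(end) < offset_at_noon(end - timedelta(days=1))
        if starts_here and ends_here:
            return label
    return "unknown"


def dst_report(year, zones=("America/Chicago", "America/New_York", "America/Phoenix", "UTC")):
    """Return {zone: rule} so the result can be consumed by a script or a test."""
    return {zone: zone_rule(zone, year) for zone in zones}


if __name__ == "__main__":
    for label in ("old", "new"):
        start, end = dst_dates(2007, label)
        print(f"2007 {label} rules: DST starts {start}, ends {end}")
    for zone, rule in dst_report(2007).items():
        print(f"{zone}: {rule}")
```

Run it on each host (or point `dst_report` at the zones your systems use) after applying the vendor updates; any zone still reported as "old" in 2007 will shift its clocks on the wrong dates.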

References
 
Cisco:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00807ca437.shtml

Oracle:
http://blogs.oracle.com/schan/2006/11/29#a988

Microsoft:
http://www.microsoft.com/windows/timezone/dst2007.mspx

Sun Solaris:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102775-1

Sun Java:
http://java.sun.com/developer/technicalArticles/Intl/USDST/

IBM:
http://www.ibm.com/support/alerts/us/en/daylightsavingstimealert.html

Novell:
http://www.novell.com/support/search.do?cmd=displayKC&sliceId=SAL_Public&externalId=3397648

Apple:
http://docs.info.apple.com/article.html?artnum=303411

RedHat:
http://rhn.redhat.com/errata/RHEA-2005-656.html

Juniper:
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=02520301412e75010ed2ca5414006fc5

MySQL:
http://dev.mysql.com/doc/refman/5.0/en/time-zone-support.html

United States Code (Energy Policy Act of 2005):
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_public_laws&docid=f:publ058.109

Incidents.org:
http://www.incidents.org/diary.html?storyid=2142&dshield=2174350af985659f79babe046f9d6238

Symantec:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2007011911191539?Open&src=w


January 25, 2007
MS-ISAC Advisory - Multiple Vulnerabilities in Cisco IOS
MS-ISAC ADVISORY NUMBER: 2007-004
Risk: High
Importance: High

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER ADVISORY

Subject

Multiple Vulnerabilities in Cisco IOS

Overview

Multiple vulnerabilities have been found in several versions of Cisco network devices including their switches and routers which could allow an attacker to cause a Denial of Service or execute commands by sending specially-formatted network traffic to an affected device.

At this time, there are no known successful compromises or public attack tools for these vulnerabilities. In addition, it is important to note that Cisco PIX firewalls are not affected.

Systems Affected

  • Cisco IOS software versions 9.x, 10.x, 11.x and 12.x
  • Cisco IOS XR software versions 2.0.X, 3.0.X, and 3.2.X

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Not applicable

Description

The first vulnerability exists in the Cisco IOS listener. An attacker can exploit this vulnerability by sending a specially crafted malicious TCP packet to a Cisco device running an affected IOS. Traffic passing through the Cisco device to another host does not pose a risk. If the attack is successful, it may result in a denial of service condition by causing memory leaks, potentially causing memory exhaustion over time. This vulnerability only affects devices currently running the Internet Protocol version 4 (IPv4). An attacker is not required to complete a full 3-way TCP handshake to carry out this attack.

The second vulnerability exists in IOS's failure to properly process specially-crafted IP options data in certain types of IPv4 packets. Specifically, Internet Control Message Protocol (ICMP), Protocol Independent Multicast version 2 (PIMv2), Pragmatic General Multicast (PGM), or URL Rendezvous Directory (URD) packets can be used to exploit this vulnerability. An attacker who exploits this vulnerability may be able to cause a Denial of Service or execute code on a vulnerable device.

Cisco also announced a vulnerability that can be exploited by malformed IPv6 packets. An attacker can exploit this vulnerability by sending specifically crafted IPv6 Type 0 Routing headers, which are used for source routing. As IPv6 is not enabled by default in Cisco IOS and IPv6 is not widely deployed in most businesses and government organizations, we are considering this vulnerability to be a lower risk than the other two at this time.

At this time, there are no known successful compromises or attack tools for these vulnerabilities.
CVE: CVE numbers have not yet been assigned to these vulnerabilities.

Recommendations

We recommend that all of the following actions be taken:

  • Consider upgrading to a version of IOS that is not affected by these vulnerabilities. Software upgrades can be obtained from Cisco for free by all affected customers.
  • If applying the patches is not an option at this time, consider implementing the workarounds described in the Cisco advisories.

References

Cisco

SecurityFocus

US-CERT

SANS - Internet Storm Center


January 5, 2007
Adobe Acrobat Reader Plugin is Prone to Cross-Site Scripting Attacks
Source: Multi-State Information Sharing and Analysis Center Cyber Advisory
MS-ISAC ADVISORY NUMBER: 2007-001

Overview

A vulnerability has been found in multiple versions of the Adobe Acrobat Reader Plugin, which allows users to view Portable Document Format (PDF) files via a web browser such as Internet Explorer or Firefox. The Adobe Acrobat Reader installs the plugin by default. Please note that only the Adobe Acrobat Reader Plugin is vulnerable to this attack. This vulnerability can be exploited if an attacker can convince a user to click on a maliciously crafted link (URL) to open a PDF document. The vulnerability does not exist in the PDF document but in the parameters passed to the plugin. An attacker may be able to use this vulnerability to steal sensitive information from a user’s computer or force the user’s computer to visit arbitrary Web sites.

Systems Affected

  • Adobe Acrobat Reader 6.0.1
  • Adobe Acrobat Reader 6.0.2
  • Adobe Acrobat Reader 6.0.3
  • Adobe Acrobat Reader 6.0.4
  • Adobe Acrobat Reader 7.0.0
  • Adobe Acrobat Reader 7.0.1
  • Adobe Acrobat Reader 7.0.2
  • Adobe Acrobat Reader 7.0.3
  • Adobe Acrobat Reader 7.0.4
  • Adobe Acrobat Reader 7.0.5
  • Adobe Acrobat Reader 7.0.6
  • Adobe Acrobat Reader 7.0.
  • Adobe Acrobat Standard, Professional and Elements 7.0.8 and earlier
  • Adobe Acrobat 3D

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home Users: High

Description

Adobe Reader Plugin is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user input. Cross-site scripting is a vulnerability found in Web applications that unintentionally allows for code injection into the Web pages being viewed by other users. Attackers can inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application and force this code to execute on a user's machine. The results of a successful XSS attack include the execution of code on a user's computer, forcing the user's computer to visit arbitrary Web sites, and theft of cookie data. Stealing cookie data may permit the attacker to impersonate the user and hijack Web applications that use cookies for session management.

The Adobe Reader plugin has a feature called “Open Parameters” that may be used through a URI to specify certain parameters when viewing a PDF. These parameters are not properly sanitized for malicious content. An attacker can craft malicious URI parameters to allow for the execution of arbitrary JavaScript in vulnerable web browsers in the context of a site hosting a PDF file. As a result, an attacker might be able to use the PDF vulnerability to steal cookie based authentication credentials or exploit other client-side vulnerabilities.

Based on information provided by Adobe and other vendors, Adobe Acrobat Reader version 8.0.0, and Internet Explorer on Windows XP SP2 with Acrobat Reader 5.0 or higher, are not affected by this vulnerability. We have tested these configurations and confirmed this information.

Proof of concept code has been made available to the public.

Recommendations

We recommend the following actions be taken:

  • Upgrade Adobe Reader to version 8.0.0 as soon as possible. The latest version can be found at: http://www.adobe.com/products/reader/
  • Do not visit unknown or un-trusted Web sites, or follow links provided by unknown or un-trusted email messages, Web sites, and other sources.
  • Only browse the Internet as a non-privileged user (one without administrative privilege) to diminish the effects of a successful attack.
  • Consider configuring Web browsers so they do not use this plugin to open PDF files.
  • Consider configuring Web browsers to disable the execution of JavaScript and other active content. Please note that this may break the functionality of some Web sites and applications.

References


December 12, 2006
Vulnerability in Windows Media Format Could Allow Remote Code Execution - High
Source: Multi-State Information Sharing and Analysis Center Cyber Advisory
MS-ISAC ADVISORY NUMBER: 2006-019
(923689)

Overview

Two new vulnerabilities were found in components of Windows that provide audio and video data for media applications such as Windows Media Player. If properly exploited, an attacker would be able to gain the same user rights as the person logged into that system.

Systems Affected

Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the following operating system versions:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 x64 Edition

Microsoft Windows Media Format 9.5 Series Runtime x64 Edition on the following operating system versions:

  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 x64 Edition

Microsoft Windows Media Player 6.4 on the following operating system versions:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 x64 Edition

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home Users: High

Description

Two new vulnerabilities have been discovered in the Windows Media Format Runtime. The first vulnerability involves the way that Advanced Systems Format (ASF) is processed, due to a buffer overrun condition in the Runtime. This can be exploited through either a compromised streaming media server, a user-uploaded content server (e.g., YouTube) or a malicious ASF email attachment. Upon successful exploitation the attacker could take control of the affected system at the privilege level of the user.

The second vulnerability involves the handling of Uniform Resource Locators (URLs) in Advanced Stream Redirector (ASX) files by the previously mentioned Runtime. This can be exploited through a compromised or malicious Web Server or an email with a specially crafted ASX attachment. If exploited, the attacker would have control of the host at the privilege of the current user.

Note that there are no reports that these vulnerabilities are being exploited at this time.

Recommendations

We recommend the following actions be taken:

  • Apply the appropriate patch to vulnerable systems as soon as possible, after appropriate testing. The patch is available at
    http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx.
  • Filter all incoming Windows Media Format content at email gateways and proxy servers, if possible, until patches have been applied to all vulnerable systems.
  • Only use a Web Browser as a non-privileged user (one without administrative privilege) to diminish the effects of a successful attack.
  • Do not visit unknown or un-trusted websites or follow links provided by unknown or un-trusted sources.
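The gateway-filtering recommendation above only works if the filter recognises Windows Media Format content regardless of the file name. The Python example below is added here and is not part of the MS-ISAC advisory or of any mail-gateway product: it classifies attachments by the ASF header object GUID and the ASX root element, falls back to the extension for names the Windows Media runtime would handle, and holds anything that matches either way, so an ASF file renamed to .txt is caught as well. The attachment samples are constructed for the demonstration.

```python
"""Identify Windows Media Format attachments by content, not only by name.

Added example; it is not part of the MS-ISAC advisory or of any gateway
product. The sample attachments below are constructed for the demonstration.
"""
import os
import re

# Every ASF container starts with the ASF_Header_Object GUID.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
# ASX metafiles are XML-like text whose root element is <asx ...>.
ASX_ROOT = re.compile(rb"^\s*(?:<\?xml[^>]*>\s*)?<asx\b", re.IGNORECASE)
# Names the Windows Media runtime is registered for; the client picks the
# handler from the extension, so these are held even when the bytes do not match.
WMF_EXTENSIONS = {".asf", ".wmv", ".wma", ".asx", ".wax", ".wvx", ".wmx"}


def classify(filename, data):
    """Return (kind, reason): kind is 'asf', 'asx', 'wmf-by-name' or None."""
    head = data[:512]
    if head.startswith(ASF_HEADER_GUID):
        return "asf", "ASF header object GUID at offset 0"
    if ASX_ROOT.match(head):
        return "asx", "ASX root element"
    ext = os.path.splitext(filename)[1].lower()
    if ext in WMF_EXTENSIONS:
        return "wmf-by-name", f"extension {ext} is handled by the Windows Media runtime"
    return None, "no Windows Media Format markers"


def gateway_decisions(attachments):
    """Return [(filename, action, reason)] where action is 'hold' or 'deliver'."""
    decisions = []
    for filename, data in attachments:
        kind, reason = classify(filename, data)
        action = "hold" if kind else "deliver"
        decisions.append((filename, action, reason))
    return decisions


def held_filenames(attachments):
    """Names of attachments the gateway would hold until the hosts are patched."""
    return [name for name, action, _ in gateway_decisions(attachments) if action == "hold"]


# Constructed samples: minimal headers only, no real media content.
SAMPLE_ATTACHMENTS = [
    ("clip.wmv", ASF_HEADER_GUID + b"\x00" * 24),                 # genuine ASF container
    ("notes.txt", ASF_HEADER_GUID + b"\x00" * 24),                # ASF renamed to dodge extension filters
    ("playlist.asx", b'<ASX version="3.0"><Entry><Ref href="http://media.example.invalid/a.wmv"/></Entry></ASX>'),
    ("show.wax", b'<?xml version="1.0"?>\n<asx version="3.0"></asx>'),
    ("video.asf", b"This is plain text with a media extension."),  # held on name alone
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),               # unrelated, delivered
]

if __name__ == "__main__":
    for name, action, reason in gateway_decisions(SAMPLE_ATTACHMENTS):
        print(f"{action:7} {name:14} {reason}")
```

Holding on either signal is deliberate: content sniffing catches renamed files, while the extension check catches metafiles the runtime would still open even when their first bytes are unusual. Once the patch is on every host the hold rule can be retired.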

References

CVE:

Security Focus:

Washington Post:


October 17, 2006
New Oracle Quarterly Critical Patches Issued October 17, 2006

Critical patches were just released by Oracle as part of its quarterly patch release program. According to Oracle, the following products are affected:

  • Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2
  • Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
  • Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
  • Oracle8i Database Release 3, version 8.1.7.4
  • Oracle Application Express (formerly called HTML DB), versions 1.5 - 2.0
  • Oracle Application Server 10g Release 3, version 10.1.3.0.0
  • Oracle Application Server 10g Release 2, versions 10.1.2.0.0 - 10.1.2.0.2, 10.1.2.1.0
  • Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2, 9.0.4.3
  • Oracle Collaboration Suite 10g Release 1, version 10.1.2.0
  • Oracle9i Collaboration Suite Release 2, version 9.0.4.2
  • Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
  • Oracle E-Business Suite Release 11.0
  • Oracle Pharmaceutical Applications versions 4.5.0 - 4.5.1
  • Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.46, 8.47, 8.48
  • Oracle PeopleSoft Enterprise Portal Solutions, Enterprise Portal, versions 8.8, 8.9
  • JD Edwards EnterpriseOne Tools versions 8.95, 8.96
  • JD Edwards OneWorld Tools SP23
  • Oracle Developer Suite, versions 6i, 9.0.4.1, 9.0.4.2, 9.0.4.3, 10.1.2.0.2, 10.1.2.2
  • Oracle9i Database Release 1, version 9.0.1.4
  • Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS
  • Oracle9i Application Server Release 2, versions 9.2.0.5, 9.0.2.3, 9.0.3.1
  • Oracle9i Application Server Release 1, version 1.0.2.2

Additional information can be obtained by visiting:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html


October 10, 2006
Microsoft Security Bulletin Summary for October, 2006


May 9, 2006
Source: Multi-State Information Sharing and Analysis Center Cyber Advisory
MS-ISAC ADVISORY NUMBER: 2006-09
Subject: Vulnerability in Microsoft Exchange Server

Overview

On May 9, 2006, Microsoft reported that a vulnerability exists in several versions of Microsoft Exchange Server. An attacker can send a specially-crafted calendar message which when processed by the Exchange server will allow the attacker to take complete control of the vulnerable system.

Systems Affected

  • Microsoft Exchange Server 2000 Service Pack 3
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Not Applicable

Description

Microsoft Exchange Server 2000 SP3 and Exchange Server 2003 are reported to be vulnerable to a remote code execution attack. The vulnerability stems from the way the Exchange Server processes certain properties in meeting requests. The two properties are iCal and vCal. Virtual Calendar (vCAL) and Internet Calendar (iCAL) are MIME content types used by Microsoft Exchange Server and email clients when sending and exchanging information related to calendars and scheduling. These properties of an email meeting request are usually present in a file called meeting.ics.

An attacker can send a malicious message request or an email with a malicious meeting request (meeting.ics) attached. Once the Exchange Server processes the meeting request, the attacker can take complete control of the server. User interaction is not required and there are no mitigating factors provided by Microsoft for this vulnerability.

Blocking meeting.ics attachments is not a recommended workaround. If blocked, legitimate meeting requests will not be received at all.

Please Note: AT&T Internet Protect has determined that installing this update will affect user mailbox permissions by revoking the 'Send As' permission in Exchange, which has an impact on third party products such as Blackberry Enterprise Server for Microsoft Exchange. Once applied, users on the Blackberry Enterprise Server will not be able to send email from a Blackberry or Blackberry-enabled device.

Recommendations

We recommend the following actions be taken:

References


May 9, 2006
Multiple Vulnerabilities in the Macromedia Flash Player from Adobe
Source: MS-ISAC ADVISORY NUMBER: 2006-010

Overview

Multiple vulnerabilities exist in Macromedia Flash Player from Adobe that could allow a remote attacker to obtain complete control of an affected system. These vulnerabilities can be exploited if a user visits a malicious web page which contains a specially crafted Flash Animation (SWF) file. Currently there are no known publicly available exploits for these vulnerabilities although proof of concept code does exist.

Systems Affected

  • Macromedia Flash Player from Adobe version 6 or earlier

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

Description

Adobe has identified multiple vulnerabilities in the Macromedia Flash Player. These vulnerabilities were addressed in the Adobe Security Bulletin APSB06-03. Microsoft has also addressed these vulnerabilities in Microsoft Security Bulletin MS06-020, because this application comes pre-installed on several versions of the Microsoft Windows Operating System.

These vulnerabilities exist because of the way that Macromedia Flash Player from Adobe processes Flash Animation (SWF) files. These vulnerabilities allow a remote attacker to run arbitrary code on the affected system in the context of the current user. If the user has administrative rights, this would allow the attacker to obtain complete control of the affected system.

These vulnerabilities can be exploited if a user visits a malicious website or opens an HTML document attached to an email which is specifically crafted to exploit these vulnerabilities. Currently there are no known publicly available exploits for these vulnerabilities although proof of concept code does exist.

Recommendations

We recommend the following actions be taken:

  • Apply all of the appropriate patches provided by Adobe to vulnerable systems as soon as possible after appropriate testing.
    Patches can be found at Adobe's Web Site
  • Only browse the Internet as a non-privileged user (one without administrative privilege) to diminish the effects of a successful attack.
  • Do not open email attachments from untrusted sources.
  • Do not visit unknown or untrusted websites or follow links provided by unknown or untrusted sources.
  • Set email client software to show emails in plain text.
  • Ensure that all anti-virus software is up to date with the latest signatures.

References


December 13, 2005
Anticipated Sober virus attack on Jan 5, 2006

Texas state entities should take appropriate actions regarding anticipated Sober virus attack on Jan 5, 2006. It is recommended that the following information be distributed to your IT Staff.

Link to the complete article published by ZDNet Australia providing new information regarding Sober.
Sober code cracked
Munir Kotadia, ZDNet Australia
December 09, 2005

In summary, AntiVirus vendors have discovered that Sober randomizes the web sites that infected systems use to get updates. It is based on date and they've found that for January 5, 2006 it will use the following URLs:

AV vendors are suggesting blocking those domains however that may not be 100% effective. If you see attempts to connect to those domains it may be an indicator of an infected system.

Please call the DIR IT Security Division at 512-475-4780 if you have any questions or concerns.


November 14, 2005
Vulnerabilities Affecting Multiple Cisco and Juniper Devices
Source: Multi-State Information Sharing and Analysis Center Cyber Advisory
MS-ISAC Advisory Number: 2005-019

Overview

Multiple vulnerabilities were found in the processing of key-exchange messages on some Cisco and Juniper devices. These vulnerabilities may result in a Denial of Service (DoS). These messages are most commonly used in Virtual Private Networks (VPNs), which are commonly used by employees who use laptops to access their office network and between business partner networks.

In many cases these devices are exposed directly to the Internet, therefore this issue should be addressed as soon as possible.

Systems Affected

  • Cisco IOS versions based on 12.2SXD, 12.3T, 12.4 and 12.4T
  • Cisco PIX Firewall versions up to but not including 6.3(5)
  • Cisco PIX Firewall/ASA versions up to but not including 7.0.1.4
  • Cisco Firewall Services Module (FWSM) versions up to but not including 2.3(3)
  • Cisco VPN 3000 Series Concentrators versions up to but not including 4.1(7) H and 4.7(2) B
  • Cisco MDS Series SanOS versions up to but not including 2.1(2)
  • Oracle Databases
  • Juniper Networks E-series Router
  • Juniper Networks J-series Services Router J2300
  • Juniper Networks J-series Services Router J4300
  • Juniper Networks J-series Services Router J6300
  • Juniper Networks M-series Router M10
  • Juniper Networks M-series Router M160
  • Juniper Networks M-series Router M20
  • Juniper Networks M-series Router M40
  • Juniper Networks M-series Router M40e
  • Juniper Networks M-series Router M5
  • Juniper Networks T-series Router T320

Risk

Government:

  • Large and medium government entities: Medium
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: Medium
  • Small business entities: Medium

Home users: N/A

Description

Multiple vulnerabilities were found in the processing of Internet Key Exchange (IKE) messages on Cisco and Juniper devices. IKE messages are most commonly used to negotiate Virtual Private Networks (VPNs). These vulnerabilities can be triggered by a remote attacker sending malformed IKE traffic to a vulnerable device. Successful attacks will result in devices restarting and if exploited repeatedly, will lead to a Denial of Service condition. On Juniper devices, it may be possible that a successful attack could allow for remote code execution; however this has not been verified. These vulnerabilities were discovered by the University of Oulu Secure Programming Group. Tools used to verify the vulnerability are publicly available for download.

Recommendations

MS-ISAC recommends the following actions be taken:

  • For Site-to-Site VPN it may be possible to restrict the devices that can send IKE traffic to your IPSec devices by employing Access Control Lists (ACLs) as well as anti-spoofing measures. In the case of Client-to-Site VPN, this may not be a valid option due to the unpredictable IP addresses of traveling clients.
  • Upgrade your affected Cisco devices after appropriate testing, starting with your most exposed devices.
  • There is no update available for Juniper E-series devices. Fixes for the J, M and T series were issued in July. Check the Juniper web site for updates.

References


September 13, 2005
US-CERT (United States Computer Emergency Readiness Team) Current Activity

The US-CERT Current Activity Web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.


September 1, 2005
Fraudulent Websites for Hurricane Katrina Victims
Source: Multi-State Information Sharing and Analysis Center (MS-ISAC)

The MS-ISAC has received information indicating that Internet domain names are being created that could be used to lure unwary users into visiting potentially malicious web sites.

Relief and charity efforts for the victims of Hurricane Katrina began immediately after the hurricane devastated the Gulf Coast area. Shortly thereafter, web sites began to appear which were designed to defraud unsuspecting users. Some of the activities include soliciting donations for seemingly charitable purposes, attempting to collect personal information through phishing scams and also spreading malware to unsuspecting users. Over the past few days, domain names that redirect users to malicious web sites have appeared online, in addition to email scams requesting donations for those impacted by the hurricane. While some of these sites and messages may be legitimate, many are not.

In addition to fraudulent web sites, opportunists may use this event as a vehicle for other types of online attacks. For example, email messages that claim to contain attachments with photos, video, or other information about Hurricane Katrina may actually contain viruses, worms, or other malware.

Recommendations

We recommend that staff be advised to:

  • Validate the relief fund or charity through a known reliable entity. Please refer to the FEMA link below for a list of reputable disaster relief resources for Hurricane Katrina.
  • When a message containing a request for donations for these victims appears, do not respond unless you are certain it is a valid message.
  • Avoid visiting untrusted web sites.
  • Avoid opening email messages and attachments that claim to contain video, photos, or other information relating to relief solicitation for Hurricane Katrina.
  • Follow standard best practices for email and web browsing security.

References


August 12, 2005
New Vulnerability in Microsoft Plug and Play
Source: The Multi-State Information Sharing & Analysis Center Cyber Advisory

Overview

A critical vulnerability exists in the Microsoft Plug and Play (PnP) service which allows an attacker to remotely execute arbitrary code on an affected system. The Plug and Play (PnP) service is used to simplify the installation of new hardware on most Windows-based operating systems. If an attacker successfully exploits this vulnerability, it will give the attacker complete control over the affected system. Exploit code was not publicly available at the time of our original advisory.

An exploit for this vulnerability has been made available to the public and CSCIC has successfully tested it against a vulnerable host running Microsoft Windows 2000. This significantly increases the potential for this vulnerability to be actively exploited very soon so this patch should be tested and applied immediately if you are using Windows 2000. Microsoft Windows XP and Windows Server 2003, although vulnerable to this issue, require valid authentication credentials in order to be exploited therefore patching XP and 2003 systems is important but not as urgent.

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 and Service Pack 2
  • Microsoft Windows Server 2003 Service Pack 1

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

Description

A new vulnerability was discovered in Microsoft Plug and Play (PnP), which could be exploited by remote attackers to execute arbitrary commands. The Plug and Play (PnP) service is used to simplify the installation of new hardware on most Windows-based operating systems. On Windows 2000, successful exploitation of this vulnerability allows a remote and unauthenticated attacker to execute arbitrary code on a vulnerable system. Attacks targeting Windows XP Service Pack 1 will require valid logon credentials, and attacks targeting Windows XP Service Pack 2 or Windows 2003 Server will require both valid login credentials, and the ability to log on locally (i.e. physical access).

After successful exploitation, an attacker could take control of a vulnerable system and perform actions such as installing programs; viewing, changing, and deleting data; and creating user accounts. Currently there are no workarounds for this vulnerability provided by Microsoft. The only resolution for this vulnerability is to apply the patch provided by Microsoft to all systems.

CSCIC recommends the following actions be taken:

  • Apply the appropriate patch to vulnerable systems as soon as possible after appropriate testing. The patch is available at Microsoft
  • Block untrusted incoming traffic from the Internet at your network perimeter.
  • Block TCP ports 139 and 445 at the Firewall.

References

Please call the security division at 512-350-3282 if you have any issues or concerns.


August 10, 2005
New Microsoft Security Bulletins
Source: The Multi-State Information Sharing & Analysis Center

Microsoft released six patches to correct several security vulnerabilities. Three of the vulnerabilities are ranked "Critical" by Microsoft, and can result in remote code execution.

One of these vulnerabilities (MS05-038) affects Internet Explorer and could allow an attacker to take complete control of an affected system, if not patched. Please be aware that exploit code for this vulnerability has already been released to the public; an unpatched system can be completely compromised simply by visiting a malicious web page (or viewing a malicious HTML formatted email). Please ensure that your system is patched, or use an alternate browser (anything other than IE) until you're able to patch.


August 1, 2005
Cisco IOS

A presentation at the 2005 Black Hat Conference demonstrated proof-of-concept exploit code that targets a previously undisclosed attack vector affecting the Cisco IOS. Specifically, there exists the possibility to create a Denial of Service (DOS) attack or execute arbitrary code via a specially crafted IPv6 packet. However, according to Cisco, only devices configured to handle IPv6 traffic are vulnerable to this flaw. Any logical or physical interface that handles the crafted packet is vulnerable to the flaw. In addition, the attacker must send the crafted packet on the local network segment. Packets sent one or more hops away from the device will not affect the vulnerable device in a negative manner.

This issue affects all Cisco devices running any unfixed version of Cisco IOS code that supports, and is configured for, IPv6. However, a system which supports IPv6, if not specifically configured for IPv6, is not affected. For further guidance, please consult the Cisco advisory.

Impact

Successful exploitation may result in the execution of arbitrary code that allows an attacker to enter “enable” mode or crash the router.

Recommendations

Please update your Cisco IOS to ensure your systems are protected from this new exploit. Please visit www.cisco.com/security/ or contact Cisco directly through your support channels.

Systems Affected

All Cisco IOS versions prior to April, 2005.

US-CERT CONTACT INFORMATION FOR FEDERAL AGENCIES
For Reporting Incidents:
Email: soc@us-cert.gov
Voice: 1-888-282-0870

The US-CERT has produced a Vulnerability Note and Technical Alert


July 21, 2005
Virus/Worm Activity Warning

A large agency has just reported wide-spread virus and worm activity across multiple subnets. One of the worms has been identified as an sdbot.worm variant (http://vil.nai.com/vil/content/v_100454.htm). One of the viruses has been identified as a spybot variant (http://vil.nai.com/vil/content/v_100282.htm). Please note that brute force password guessing has been observed as a part of the malware behavior; account lockouts due to a series of incorrect logins can be a symptom of infection.

At the time of this writing, there are still unidentified worms/viruses on this agency's network. This activity HAS spread between agencies. Please ensure that your anti-virus definitions are up to date, and that you monitor your network for abnormal activity.
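One way to look for the brute-force password guessing this notice describes, as an added example that is not part of the original alert: a single source host failing logons against many different accounts. The simplified event line layout, the host names and the account names are all constructed for the example.

```python
"""Flag a source host whose failed logons touch many distinct accounts, the
pattern behind the account lockouts the July 2005 notice mentions.  Added
example over constructed Security log lines; the line layout is assumed."""
import re
from collections import defaultdict

# Constructed event lines in a simplified "DATE TIME EVENT USER SOURCE" layout.
# On Windows 2000/XP, event 529 is a failed logon (unknown user name or bad
# password) and 528 is a successful logon.
SAMPLE_EVENTS = """\
2005-07-21 10:01:02 529 administrator WKS-117
2005-07-21 10:01:02 529 admin WKS-117
2005-07-21 10:01:03 529 backup WKS-117
2005-07-21 10:01:03 529 jsmith WKS-117
2005-07-21 10:01:04 529 root WKS-117
2005-07-21 10:01:04 529 guest WKS-117
2005-07-21 10:01:30 529 mlee WKS-042
2005-07-21 10:01:45 529 mlee WKS-042
2005-07-21 10:02:10 528 mlee WKS-042
"""

EVENT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<event>\d+) (?P<user>\S+) (?P<src>\S+)$")


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["event"] = int(rec["event"])
            yield rec


def brute_force_sources(text, min_accounts=5):
    """Return {source_host: sorted account names} for every source whose
    failed logons (event 529) hit at least min_accounts distinct accounts.
    A user mistyping their own password (WKS-042 above) hits a single
    account and is not reported; the worm-like sweep from WKS-117 is."""
    failed = defaultdict(set)
    for rec in parse_events(text):
        if rec["event"] == 529:
            failed[rec["src"]].add(rec["user"].lower())
    return {src: sorted(users) for src, users in failed.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    for src, users in sorted(brute_force_sources(SAMPLE_EVENTS).items()):
        print(f"{src}: failed logons against {len(users)} accounts: {', '.join(users)}")
```

Lowering min_accounts makes the check more sensitive; keep it above the number of accounts a single person plausibly mistypes in a day.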

If you see any malicious activity on your network that you think may be related to this outbreak, please contact the DIR Security Lab at 512-475-4780.


July 12, 2005
New Microsoft Security Bulletins
Source: The Multi-State Information Sharing & Analysis Center

The following three new Security Bulletins (3 Critical) were just released by Microsoft and one was updated and reissued (moderate).

We are reviewing MS05-035 through MS05-037 and will issue advisories as appropriate.

*(MS05-035) - Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672) - Critical
http://www.microsoft.com/technet/security/bulletin/MS05-035.mspx

*(MS05-036) - Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214) - Critical
http://www.microsoft.com/technet/security/bulletin/MS05-036.mspx

*(MS05-037) - Vulnerability in Jview Profiler Could Allow Remote Code Execution (903235) - Critical
http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx

*(MS05-033) - Vulnerability in Telnet Client Could Allow Information Disclosure (896428) - Moderate (Reissued)
http://www.microsoft.com/technet/security/Bulletin/MS05-033.mspx

In addition, Microsoft released one NON-SECURITY High-Priority Update or Microsoft Office Update for (KB895658). At the time of this release, we were not able to identify the link to this update.


June 27, 2005
Exploits for at least one of the vulnerabilities in Veritas Backup Exec software
MS-ISAC Advisory Number: 2005-008

Overview

Veritas Backup Exec is network-based enterprise backup software for Novell NetWare and Microsoft Windows. Last week vulnerabilities were reported in some versions of this product that can allow a remote attacker to launch a Denial of Service (DoS) against or execute arbitrary code on systems running this software. Users of affected software packages are urged to employ the recommendations noted below to protect their systems from attacks targeting this vulnerability. At that time, there were no known exploits or any active scanning for the vulnerabilities, therefore no advisory was warranted.

However, this week exploits for at least one of the vulnerabilities have been made public and Internet sites have reported active scanning for some of the vulnerabilities. Normally Veritas Backup Exec is not exposed to external networks, but these vulnerabilities could be exploited by a worm such as one of the recent Spybot variants which takes advantage of an earlier Veritas vulnerability (see http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm).

Systems Affected

  • Veritas Backup Exec 9.0
  • Veritas Backup Exec 9.1
  • Veritas Backup Exec 10.0
  • Veritas NetBackup 4.5
  • Veritas NetBackup 5.0
  • Veritas NetBackup 5.1

Risk

Government:

  • Large and medium government entities: Medium
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: Medium
  • Small business entities: Medium

Home users: Not Applicable

Description

  • VERITAS Backup Exec/NetBackup Request Packet Denial Of Service Vulnerability (BID 14019)
    This vulnerability can lead to a Denial of Service if maliciously crafted packets are sent to this service. However, this vulnerable service cannot currently be utilized for execution of malicious code. Attackers are not required to authenticate in order to exploit this vulnerability.
  • VERITAS Backup Exec Server Remote Registry Access Vulnerability (BID 14020)
    This vulnerability allows possible RPC interaction on port 6106/TCP with the ability to make calls to executables that can modify registry entries on the vulnerable host. This vulnerability may also be used for privilege escalation and allow unlimited access to the vulnerable host.
  • VERITAS Backup Exec Remote Agent Null Pointer Dereference Denial Of Service Vulnerability (BID 14021)
    This vulnerability can result in a Denial of Service if specially crafted packets with an incorrect "Error Status" value are sent to an affected host. This will then cause the Agent to crash. However, this vulnerability cannot currently be utilized for execution of malicious code.
  • VERITAS Backup Exec Remote Agent for Windows Servers Authentication Buffer Overflow Vulnerability (BID 14022)
    This vulnerability can lead to code execution using the LocalSystem credentials when the authentication password string is too long. This agent listens for these authentication requests on port 10000/TCP. On 6/27/05 an exploit was released as part of the Metasploit Project. There have been reports of increased activity on port 10000/TCP which has been attributed to reconnaissance scanning and the Metasploit exploit. If Veritas Backup Exec is listening on ports 6101/TCP and 10000/TCP, successful exploitation will cause the service on port 10000/TCP to crash, but the service on 6101/TCP will remain in a listening state. Port 10000/TCP is the listening port responsible for accepting connections from the backup server.
  • VERITAS Backup Exec Admin Plus Pack Option Remote Heap Overflow Vulnerability (BID 14023)
    This vulnerability can be exploited when communication exists on port 3527/TCP on the vulnerable host, which is used by the Backup Exec Server Message Queue. This can result in unauthorized remote access and execution of malicious code.
  • VERITAS Backup Exec Web Administration Console Remote Buffer Overflow Vulnerability (BID 14025)
    This buffer overflow vulnerability can be exploited by using a remote request with long string data, memory addresses, and instructions for the executable. Once this issue has been exploited, whatever instructions are given by the attacker may be executed.
  • VERITAS Backup Exec Remote Agent For Windows Servers Privilege Escalation Vulnerability (BID 14026)
    This remote vulnerability, when exploited, could allow System-level access on the vulnerable host.

Recommendations

MS-ISAC recommends the following actions be taken:

References

Veritas

Security Focus

SANS Internet Storm Center

Please call the IT Security Division at 512-475-4780 if you have any questions or need further assistance.


May 17, 2005
SPAM messages in German
Source: Multi-State Information Sharing and Analysis Center
MS ISAC ADVISORY NUMBER: 2005-007

Overview:
A new variant of the W32.Sober worm is responsible for a substantial increase in spam over the past few days. This variant can randomly generate several different e-mail messages, either in English or German depending on the version of Windows running on infected computers. The content of the messages contains or points to political statements and in some instances may refer to the bombings by the Allies during World War II.

Several states have reported receiving a large number of e-mails from outside their networks as a result of the virus. In some cases the volume of e-mail has caused response issues with e-mail systems.

Systems affected:

  • Microsoft Windows 2000/95/98/ME/NT/XP

Risk:

Government:

  • Large and medium government entities: Medium
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: Medium
  • Small business entities: Medium

Home users: Medium

Description:

This variant is similar to previous Sober worms. It appears to produce e-mail addresses from various files on the system and then sends out e-mail messages with the following characteristics:

  • Spoofed To addresses (as observed by MS-ISAC)
  • Spoofed From address
  • A Subject line that may be in either English or German and is selected from a predetermined list.
  • Body text that may be in either English or German and is selected from a predetermined list. The body of the message may contain a URL.

Recommendations:

Although this particular variant does not have any associated attachments, MS ISAC recommends the following general actions be taken:

  • Configure the e-mail gateway to block attachments with .bat, .cmd, .com, .exe, .pif, .scr, or .zip extensions. Although zip files are utilized for normal business, consider blocking or quarantining zip files temporarily.
  • Proper egress firewall filtering should allow outbound SMTP (port 25) from legitimate e-mail servers and block all other outbound attempts. (Failed outbound attempts to this port from non e-mail server hosts could be a sign of infection.)
  • Update your anti-virus software signatures on all desktops, laptops and servers as soon as possible.
  • Apply filters (e.g. Subject Line filters) to e-mail servers.
  • Remind staff of the dangers of opening suspicious and unsolicited e-mails.
  • Remind staff not to follow links (URLs) or open attachments contained in SPAM or other suspicious e-mail notes, since they may lead to malicious sites resulting in downloading additional viruses, worms and Trojans.
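The egress-filtering recommendation above contains a detection rule as well as a firewall policy: only approved mail servers should be seen talking outbound on TCP port 25, and any other host doing so is a candidate infection. The following is an added example, not part of the advisory; the iptables-style log format, the approved mail-server addresses and the log lines are all constructed.

```python
"""Find internal hosts, other than the approved mail servers, attempting
outbound SMTP, and render the matching egress policy.  Added example;
the log layout and the MAIL_SERVERS set are assumptions."""
import re
from collections import defaultdict

# Hypothetical addresses of the hosts permitted to send outbound SMTP.
MAIL_SERVERS = {"10.0.0.25", "10.0.0.26"}

# Constructed firewall log lines in an iptables-style text layout.
SAMPLE_LOG = """\
Jan 05 09:12:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.7 PROTO=TCP SPT=3201 DPT=25
Jan 05 09:12:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.8 PROTO=TCP SPT=3202 DPT=25
Jan 05 09:12:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.7 PROTO=TCP SPT=4455 DPT=25
Jan 05 09:12:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.9 PROTO=TCP SPT=3203 DPT=25
Jan 05 09:12:04 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.31 DST=203.0.113.5 PROTO=TCP SPT=1100 DPT=80
Jan 05 09:12:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.22 DST=198.51.100.7 PROTO=TCP SPT=2222 DPT=25
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_log(text):
    """Yield a dict per line that matches the expected layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            yield rec


def suspicious_smtp_sources(text, mail_servers=MAIL_SERVERS, min_attempts=2):
    """Return {src: attempt_count} for hosts outside mail_servers that tried
    outbound TCP/25 at least min_attempts times.  Both DROP and ACCEPT lines
    count: the attempt is the signal, not whether the firewall let it through."""
    counts = defaultdict(int)
    for rec in parse_log(text):
        if rec["proto"] == "TCP" and rec["dpt"] == 25 and rec["src"] not in mail_servers:
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_attempts}


def egress_rules(mail_servers=MAIL_SERVERS):
    """Render the advisory's egress policy as iptables commands: allow
    outbound SMTP from the approved servers, then log and drop all other
    outbound SMTP so that the log feeds suspicious_smtp_sources()."""
    rules = [f"iptables -A FORWARD -p tcp --dport 25 -s {ip} -j ACCEPT"
             for ip in sorted(mail_servers)]
    rules.append('iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-EGRESS "')
    rules.append("iptables -A FORWARD -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    for src, n in sorted(suspicious_smtp_sources(SAMPLE_LOG).items()):
        print(f"possible Sober infection: {src} made {n} outbound SMTP attempts")
    print("\n".join(egress_rules()))
```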

References:


April 30, 2005
Oracle Critical Patch Update - April 2005

Oracle released a Critical Patch Update in April that addresses more than seventy vulnerabilities in different Oracle products and components. The Critical Patch Update provides information about which components are affected, what access and authorization are required, and how data confidentiality, integrity, and availability may be impacted.

The impacts of these vulnerabilities include unauthenticated, remote code execution, information disclosure, and denial of service.

More information can be found on Oracle's site at:
Critical Patch Updates April 2005


Oracle XDB FTP Services Buffer Overflow Vulnerability is being exploited in the wild.

Overview:
On August 18, 2003 Oracle reported a vulnerability affecting a component of Oracle9i Database Server. On March 18, 2005, code to exploit this vulnerability was publicly released on the Internet. On March 30th, CSCIC received information that, beginning March 19th, Internet activity targeting this vulnerability commenced. A remote attacker could exploit the vulnerability to cause a Denial of Service against the server and/or gain the ability to capture an active user's session, which could potentially compromise data.

Systems Affected:

  • Oracle9i Enterprise Edition 9.2.0.1
  • Oracle9i Personal Edition 9.2.0.1
  • Oracle9i Standard Edition 9.2.0.1