Date: Mon, 8 Sep 2003 14:52:03 -0400
From: CERT Advisory <[email protected]>
To: [email protected]
Subject: CERT Summary CS-2003-03
-----BEGIN PGP SIGNED MESSAGE-----
CERT Summary CS-2003-03
September 8, 2003
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in June 2003
(CS-2003-02), we have seen a large volume of reports related to a mass
mailing worm, referred to as W32/Sobig.F, and have issued advisories
on the exploitation of vulnerabilities in Microsoft's RPC
implementation. The culmination of the RPC vulnerabilities resulted in
the W32/Blaster Worm, which affected many Microsoft users. We have
also reported on a vulnerability in the Cisco IOS interface as well as
on multiple vulnerabilities in Microsoft Windows libraries and
Internet Explorer.
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. W32/Sobig.F Worm
On August 18, the CERT/CC began receiving a large volume of
reports of a mass mailing worm, referred to as W32/Sobig.F,
spreading on the Internet. The W32/Sobig.F worm is an e-mail borne
malicious program with a specially crafted attachment that has a
.pif extension. The W32/Sobig.F worm requires a user to execute
the attachment either manually or by using an e-mail client that
will open the attachment automatically. The CERT/CC has released
an Incident Note on the W32/Sobig.F worm.
CERT Incident Note IN-2003-03
W32/Sobig.F Worm
http://www.cert.org/incident_notes/IN-2003-03.html
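The summary notes that W32/Sobig.F only runs when the user (or an auto-opening mail client) executes its .pif attachment. The following mail-gateway check is an added example, not code from CERT/CC: it parses a message and flags attachments whose final extension Windows would execute directly. The sample message, the addresses and the extension set are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs when the attachment is opened; .pif is the one
# W32/Sobig.F used. The set is illustrative (an assumption), not exhaustive.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}


def is_executable_name(filename: str) -> bool:
    """True if the *final* extension is directly executable.

    Checking the last extension catches 'invoice.doc.pif' (the double
    extension trick) while leaving 'report.pif.txt' alone.
    """
    lowered = filename.lower()
    return any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def risky_attachments(raw_message: bytes) -> list[str]:
    """Parse a raw RFC 2822 message and return the executable attachment names."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [name for name in names if is_executable_name(name)]


def build_sample() -> bytes:
    """Construct a lure-style message (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: Your details"
    msg.set_content("Please see the attached file.")
    # A fake PE header stands in for the worm body; the name is made up.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="your_details.pif")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    print(risky_attachments(build_sample()))  # ['your_details.pif']
```

A gateway would quarantine or strip the flagged parts rather than rely on the user declining to open them.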
2. Exploitation of Vulnerabilities in Microsoft RPC Interface
In late July, the CERT/CC began receiving reports of widespread
scanning and exploitation of two recently discovered
vulnerabilities in Microsoft Remote Procedure Call (RPC)
Interface. The CERT/CC released an advisory and a Vulnerability
Note which described these vulnerabilities approximately two weeks
prior to the reports of exploitation.
CERT Advisory CA-2003-19
Exploitation of Vulnerabilities in Microsoft RPC
Interface
http://www.cert.org/advisories/CA-2003-19.html
CERT Advisory CA-2003-16
Buffer Overflow in Microsoft RPC
http://www.cert.org/advisories/CA-2003-16.html
Vulnerability Note VU#568148
Microsoft Windows RPC vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/568148
a. W32/Blaster Worm
Shortly after we released multiple documents describing Microsoft
RPC vulnerabilities, we began receiving reports of widespread
activity related to a new piece of malicious code known as
W32/Blaster. The W32/Blaster worm exploits a vulnerability in the
Microsoft DCOM RPC interface. On August 11, the CERT/CC released
an advisory on W32/Blaster. We also released step-by-step recovery
tips for W32/Blaster.
CERT Advisory CA-2003-20
W32/Blaster Worm
http://www.cert.org/advisories/CA-2003-20.html
W32/Blaster Recovery tips
http://www.cert.org/tech_tips/w32_blaster.html
b. W32/Welchia
Additionally, a worm was reported that attempted to exploit the
same vulnerability as W32/Blaster. This worm, known alternately as
'W32/Welchia', 'W32/Nachi', or 'WORM_MS_BLAST.D', has been
reported to kill and remove the msblast.exe artifact left behind
by W32/Blaster, perform ICMP scanning to identify systems to
target for exploitation, apply the patch from Microsoft (described
in MS03-026), and reboot the system. The greatest impact of this
worm appears to be the potential for denial-of-service conditions
within an organization due to high levels of ICMP traffic.
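Because W32/Welchia locates targets by ICMP scanning, a host that pings many distinct addresses in a few seconds is the signal a network defender can look for. The detector below is an added example, not from CERT/CC; the firewall log format and the sample lines are constructed, and the window and threshold values are assumptions to tune for a real network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log (not a real capture): one ICMP packet per line,
# type=8 is an echo request, type=0 an echo reply.
SAMPLE_LOG = """\
2003-08-18T10:00:00 ICMP 10.0.0.5 -> 10.0.1.1 type=8
2003-08-18T10:00:00 ICMP 10.0.0.5 -> 10.0.1.2 type=8
2003-08-18T10:00:01 ICMP 10.0.0.5 -> 10.0.1.3 type=8
2003-08-18T10:00:01 ICMP 10.0.0.5 -> 10.0.1.4 type=8
2003-08-18T10:00:02 ICMP 10.0.0.5 -> 10.0.1.5 type=8
2003-08-18T10:00:02 ICMP 10.0.0.5 -> 10.0.1.6 type=8
2003-08-18T10:00:03 ICMP 10.0.0.5 -> 10.0.1.7 type=8
2003-08-18T10:00:03 ICMP 10.0.0.5 -> 10.0.1.8 type=8
2003-08-18T10:00:04 ICMP 10.0.0.7 -> 10.0.1.9 type=8
2003-08-18T10:00:04 ICMP 10.0.1.9 -> 10.0.0.7 type=0
2003-08-18T10:05:00 ICMP 10.0.0.5 -> 10.0.1.1 type=8
"""
LINE_RE = re.compile(r"^(\S+) ICMP (\S+) -> (\S+) type=(\d+)$")


def echo_requests(log_text: str) -> dict[str, list[tuple[datetime, str]]]:
    """Group (timestamp, destination) of echo requests by source address."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines in another format
        ts, src, dst, icmp_type = m.groups()
        if icmp_type == "8":  # replies are not scanning activity
            by_src[src].append((datetime.fromisoformat(ts), dst))
    return by_src


def detect_sweeps(log_text: str, window_seconds: int = 10,
                  min_targets: int = 8) -> dict[str, int]:
    """Return {source: most distinct hosts pinged in any window} over the threshold."""
    sweeps = {}
    for src, events in echo_requests(log_text).items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):  # window starts at each request
            in_window = {dst for ts, dst in events[i:]
                         if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(in_window))
        if best >= min_targets:
            sweeps[src] = best
    return sweeps


if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG))  # {'10.0.0.5': 8}
```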
3. Cisco IOS Interface Blocked by IPv4 Packet
On July 16, the CERT/CC reported on a vulnerability in many versions
of Cisco IOS that could allow an intruder to execute a
denial-of-service attack against a vulnerable device. We also released
a companion Vulnerability Note on the same topic.
CERT Advisory CA-2003-15
Cisco IOS Interface Blocked by IPv4 Packet
http://www.cert.org/advisories/CA-2003-15.html
Vulnerability Note VU#411332
Cisco IOS Interface Blocked by IPv4 Packet
http://www.kb.cert.org/vuls/id/411332
Two days later we released an advisory which provided information
about the availability of a public exploit for the Cisco IOS
vulnerability.
CERT Advisory CA-2003-17
Exploit available for the Cisco IOS Interface Blocked
Vulnerabilities
http://www.cert.org/advisories/CA-2003-17.html
4. Vulnerabilities in Microsoft Windows Libraries and Internet Explorer
During this quarter, there were a number of vulnerabilities reported
in Microsoft Windows Libraries and within Internet Explorer. Below is
a summary of those vulnerabilities.
a. Buffer Overflow in Microsoft Windows HTML Conversion Library
A buffer overflow vulnerability exists in a shared HTML conversion
library included in Microsoft Windows. An attacker could exploit
this vulnerability to execute arbitrary code or cause a denial of
service. On July 14, the CERT/CC issued an advisory describing
this vulnerability.
CERT Advisory CA-2003-14
Buffer Overflow in Microsoft Windows HTML Conversion
Library
http://www.cert.org/advisories/CA-2003-14.html
Vulnerability Note VU#823260
Microsoft Windows HTML conversion library vulnerable
to buffer overflow
http://www.kb.cert.org/vuls/id/823260
b. Integer Overflows in Microsoft Windows DirectX MIDI Library
A set of integer overflows exists in a DirectX library included in
Microsoft Windows. An attacker could exploit these vulnerabilities
to execute arbitrary code or to cause a denial of service. On July
25, the CERT/CC issued an advisory describing these
vulnerabilities.
CERT Advisory CA-2003-18
Integer Overflows in Microsoft Windows DirectX MIDI
Library
http://www.cert.org/advisories/CA-2003-18.html
Vulnerability Note VU#561284
Microsoft Windows DirectX MIDI library does not
adequately validate Text or Copyright parameters in MIDI
files
http://www.kb.cert.org/vuls/id/561284
Vulnerability Note VU#265232
Microsoft Windows DirectX MIDI library does not
adequately validate MThd track values in MIDI files
http://www.kb.cert.org/vuls/id/265232
c. Multiple Vulnerabilities in Microsoft Internet Explorer
Microsoft Internet Explorer (IE) contains multiple
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code with the privileges of the user
running Internet Explorer. On August 26, the CERT/CC issued an
advisory describing these vulnerabilities.
CERT Advisory CA-2003-22
Multiple Vulnerabilities in Microsoft Internet Explorer
http://www.cert.org/advisories/CA-2003-22.html
Vulnerability Note VU#205148
Microsoft Internet Explorer does not properly evaluate
Content-Type and Content-Disposition headers
http://www.kb.cert.org/vuls/id/205148
Vulnerability Note VU#865940
Microsoft Internet Explorer does not properly evaluate
"application/hta" MIME type referenced by DATA attribute
of OBJECT element
http://www.kb.cert.org/vuls/id/865940
Vulnerability Note VU#548964
Microsoft Windows BR549.DLL ActiveX control contains
vulnerability
http://www.kb.cert.org/vuls/id/548964
Vulnerability Note VU#813208
Internet Explorer does not properly render an input type
tag
http://www.kb.cert.org/vuls/id/813208
Vulnerability Note VU#334928
Microsoft Internet Explorer contains buffer overflow in
Type attribute of OBJECT element on double-byte character
set systems
http://www.kb.cert.org/vuls/id/334928
5. Malicious Code Propagation and Antivirus Software Updates
Recent reports to the CERT/CC have highlighted that the speed at which
viruses are spreading is increasing and that users who were
compromised may have been under the incorrect impression that merely
having antivirus software installed was enough to protect them from
all malicious code attacks. On July 14, the CERT/CC issued an Incident
Note describing this trend.
CERT Incident Note IN-2003-01
Malicious Code Propagation and Antivirus Software Updates
http://www.cert.org/incident_notes/IN-2003-01.html
______________________________________________________________________
New CERT Coordination Center (CERT/CC) PGP Key
On September 5, the CERT/CC issued a new PGP key, which should be used
when sending sensitive information to the CERT/CC.
CERT/CC PGP Public Key
https://www.cert.org/pgp/cert_pgp_key.asc
Sending Sensitive Information to the CERT/CC
https://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Vulnerability Notes
http://www.kb.cert.org/vuls
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Congressional Testimony
http://www.cert.org/congressional_testimony
* Incident Handling Certification
http://www.cert.org/certification/
* Training Schedule
http://www.cert.org/training/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2003-03.html
______________________________________________________________________
CERT/CC Contact Information
Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to [email protected]. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright © 2003 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----