This is the CERT quarterly summary, which focuses on the types of attacks reported to their incident response team, as well as other noteworthy incident and vulnerability information. This quarter CERT focuses on the input validation vulnerability in rpc.statd, multiple vulnerabilities in FTP daemons, ActiveX control vulnerabilities, exploitation of hidden file extensions, the Outlook and Outlook Express cache bypass vulnerability, and chat clients and network security.
CERT Summary CS-2000-03
Aug 25, 2000
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in May
(CS-2000-02), we have published information on a vulnerability in
rpc.statd on Linux systems, several ActiveX controls, vulnerabilities
in Outlook and Outlook Express, security considerations for using chat
software, hidden file extensions, and vulnerabilities in many FTP
daemons.
1. Input Validation Vulnerability in rpc.statd
We have begun receiving multiple daily reports of sites being
root compromised via a recently discovered vulnerability in
rpc.statd. These issues are described in CERT Advisory
CA-2000-17.
CERT Advisory CA-2000-17, Input Validation Problem in rpc.statd
http://www.cert.org/advisories/CA-2000-17.html
We have received a number of reports that indicate that intruders
are performing widespread scanning for this vulnerability and
using toolkits to automate the compromise of vulnerable machines.
2. Multiple Vulnerabilities in FTP daemons
The CERT/CC continues to receive regular reports of intruders
probing for and exploiting vulnerabilities in many FTP server
implementations. Sites are strongly encouraged to follow the
advice contained in CA-2000-13 to protect systems running FTP
servers.
CERT Advisory CA-2000-13, Two Input Validation Problems In FTPD
http://www.cert.org/advisories/CA-2000-13.html
Additionally, we receive daily reports from sites indicating that
intruders are scanning large network blocks for vulnerable FTP
servers.
3. ActiveX Control Vulnerabilities
Exploitation of a vulnerability in the Scriptlet.Typelib
ActiveX control is discussed in CERT Incident Note
IN-2000-06. This vulnerability allows local files to be created
or modified, and is used in viruses such as Bubbleboy and kak.
CERT Incident Note IN-2000-06, Exploitation of
"Scriptlet.Typelib" ActiveX Control
http://www.cert.org/incident_notes/IN-2000-06.html
Additionally, information about a serious vulnerability in the
HHCtrl ActiveX control was published in CERT Advisory CA-2000-12.
This vulnerability could allow remote intruders to execute
arbitrary code.
CERT Advisory CA-2000-12, HHCtrl ActiveX Control Allows Local
Files to be Executed
http://www.cert.org/advisories/CA-2000-12.html
4. Exploitation of Hidden File Extensions
Attackers have used a number of malicious programs to exploit
the default behavior of Windows operating systems to hide file
extensions from the user. This behavior can be used to trick
users into executing malicious code by making a file appear to
be something it is not.
CERT Incident Note IN-2000-07, Exploitation of Hidden File
Extensions
http://www.cert.org/incident_notes/IN-2000-07.html
5. Outlook and Outlook Express Cache Bypass Vulnerability
A vulnerability in Microsoft Outlook and Outlook Express that
can allow a remote attacker to read certain types of files on
the user's machine is detailed in CERT Advisory CA-2000-14.
CERT Advisory CA-2000-14, Microsoft Outlook and Outlook
Express Cache Bypass Vulnerability
http://www.cert.org/advisories/CA-2000-14.html
6. Chat Clients and Network Security
CERT Incident Note IN-2000-08 outlines the security issues
inherent in the use of chat client software. We have published
this information in response to inquiries about the risks this
type of software poses to an organization.
CERT Incident Note IN-2000-08, Chat Clients and Network
Security
http://www.cert.org/incident_notes/IN-2000-08.html
______________________________________________________________________
Expiration of CERT PGP keys
On September 30, 2000, the operational CERT PGP keys will expire.
Sites using these keys should be prepared to update their keyrings.
More information about the CERT PGP keys can be found at:
http://www.cert.org/contact_cert/encryptmail.html
The new PGP keys will also be available at this location when they are
created.
______________________________________________________________________
"CERT/CC Channel"
The CERT Coordination Center publishes an XML RSS 0.91 format file
containing headlines about recently published CERT Advisories,
Incident Notes, Vulnerability Notes, and Summaries. Using this RSS
channel, Internet sites can automate creation of web site pointers to
the latest computer security information from the CERT/CC.
More information about the CERT/CC RSS channel can be found at
http://www.cert.org/channels/
______________________________________________________________________
"CERT/CC Current Activity" Web Page
The CERT/CC Current Activity web page is a regularly updated summary
of the most frequent, high-impact types of security incidents and
vulnerabilities currently being reported to the CERT/CC. It is
available from
http://www.cert.org/current/current_activity.html
The information on the Current Activity page is reviewed and updated
as reporting trends change.
______________________________________________________________________
What's New and Updated
Since the last CERT summary, we have published new and updated
* Advisories
* Incident notes
* Vulnerability notes
* Tech tips/FAQs, including one on how the FBI investigates computer
crimes
* CERT/CC statistics
* Infosec Outlook newsletter
* Security improvement modules
* Security improvement implementations
There are descriptions of these documents and links to them on our
"What's New" web page at
http://www.cert.org/nav/whatsnew.html
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2000-03.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University.