CERT Summary CS-2000-03

Aug 25, 2000

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary
to draw attention to the types of attacks reported to our incident response
team, as well as other noteworthy incident and vulnerability information. The
summary includes pointers to sources of information for dealing with the
problems.

Past CERT summaries are available from

   http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in May (CS-2000-02),
we have published information on a vulnerability in rpc.statd on Linux
systems, several ActiveX controls, vulnerabilities in Outlook and Outlook
Express, security considerations for using chat software, hidden file
extensions, and vulnerabilities in many FTP daemons.

1. Input Validation Vulnerability in rpc.statd

   We have begun receiving multiple daily reports of sites being root
   compromised via a recently discovered vulnerability in rpc.statd. These
   issues are described in CERT Advisory CA-2000-17.

      CERT Advisory CA-2000-17, Input Validation Problem in rpc.statd
      http://www.cert.org/advisories/CA-2000-17.html

   We have received a number of reports indicating that intruders are
   performing widespread scanning for this vulnerability and using toolkits
   to automate the compromise of vulnerable machines.

2. Multiple Vulnerabilities in FTP Daemons

   The CERT/CC continues to receive regular reports of intruders probing for
   and exploiting vulnerabilities in many FTP server implementations. Sites
   are strongly encouraged to follow the advice contained in CA-2000-13 to
   protect systems running FTP servers.

      CERT Advisory CA-2000-13, Two Input Validation Problems In FTPD
      http://www.cert.org/advisories/CA-2000-13.html

   Additionally, we receive daily reports from sites indicating that
   intruders are scanning large network blocks for vulnerable FTP servers.

3. ActiveX Control Vulnerabilities

   Exploitations of a vulnerability in the Scriptlet.Typelib ActiveX control
   are discussed in CERT Incident Note IN-2000-06. This vulnerability allows
   local files to be created or modified, and is used in viruses such as
   Bubbleboy and kak.

      CERT Incident Note IN-2000-06, Exploitation of "Scriptlet.Typelib"
      ActiveX Control
      http://www.cert.org/incident_notes/IN-2000-06.html

   Additionally, information about a serious vulnerability in the HHCtrl
   ActiveX control was published in CERT Advisory CA-2000-12. This
   vulnerability could allow remote intruders to execute arbitrary code.

      CERT Advisory CA-2000-12, HHCtrl ActiveX Control Allows Local Files
      to be Executed
      http://www.cert.org/advisories/CA-2000-12.html

4. Exploitation of Hidden File Extensions

   Attackers have used a number of malicious programs to exploit the default
   behavior of Windows operating systems, which hides file extensions from
   the user. This behavior can be used to trick users into executing
   malicious code by making a file appear to be something it is not.

      CERT Incident Note IN-2000-07, Exploitation of Hidden File Extensions
      http://www.cert.org/incident_notes/IN-2000-07.html

5. Outlook and Outlook Express Cache Bypass Vulnerability

   A vulnerability in Microsoft Outlook and Outlook Express that can allow a
   remote attacker to read certain types of files on the user's machine is
   detailed in CERT Advisory CA-2000-14.

      CERT Advisory CA-2000-14, Microsoft Outlook and Outlook Express Cache
      Bypass Vulnerability
      http://www.cert.org/advisories/CA-2000-14.html

6. Chat Clients and Network Security

   CERT Incident Note IN-2000-08 outlines the security issues inherent in
   the use of chat client software. We have published this information in
   response to inquiries about the risks this type of software poses to an
   organization.

      CERT Incident Note IN-2000-08, Chat Clients and Network Security
      http://www.cert.org/incident_notes/IN-2000-08.html

______________________________________________________________________

Expiration of CERT PGP keys

On September 30, 2000, the operational CERT PGP keys will expire. Sites
using these keys should be prepared to update their keyrings. More
information about the CERT PGP keys can be found at:

   http://www.cert.org/contact_cert/encryptmail.html

The new PGP keys will also be available at this location when they are
created.

______________________________________________________________________

"CERT/CC Channel"

The CERT Coordination Center publishes an XML RSS 0.91 format file
containing headlines about recently published CERT Advisories, Incident
Notes, Vulnerability Notes, and Summaries. Using this RSS channel, Internet
sites can automate creation of web site pointers to the latest computer
security information from the CERT/CC. More information about the CERT/CC
RSS channel can be found at

   http://www.cert.org/channels/

______________________________________________________________________

"CERT/CC Current Activity" Web Page

The CERT/CC Current Activity web page is a regularly updated summary of the
most frequent, high-impact types of security incidents and vulnerabilities
currently being reported to the CERT/CC. It is available from

   http://www.cert.org/current/current_activity.html

The information on the Current Activity page is reviewed and updated as
reporting trends change.
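Item 4 above describes how Windows' default setting of hiding the extension of a registered file type lets "report.txt.exe" show up in Explorer as "report.txt". The following Python script is an added example, not part of this summary or of IN-2000-07: it reproduces the display rule for a filename and flags names whose visible part masquerades as a document while the hidden extension is executable, which is the check a mail gateway or file-share audit would want. The extension lists, the sample filenames and the `find_deceptive` helper are this example's own assumptions; the `HideFileExt` registry value it optionally reads is the real Explorer setting, but reading it is only attempted on Windows.

```python
"""Flag filenames that exploit Windows' hidden-extension default.

Added example for CERT Summary CS-2000-03 item 4; the extension sets
and sample names below are constructed for illustration.
"""
import os

# Extensions Windows will run directly (assumed set, not authoritative).
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".shs", ".lnk", ".reg",
}

# Extensions a user expects to be harmless content (assumed set).
DOCUMENT_EXTS = {
    ".txt", ".doc", ".jpg", ".jpeg", ".gif", ".pdf", ".htm", ".html",
    ".zip", ".mp3",
}

# Explorer only hides extensions it has registered; treat both sets as
# registered for this example. Unknown extensions stay visible.
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS

# Constructed sample names, as they might arrive as mail attachments.
SAMPLE_NAMES = [
    "report.txt.exe",          # classic double extension
    "holiday.jpg.scr",         # screensaver posing as an image
    "setup.exe",               # executable, but shown as "setup"
    "notes.txt",               # genuine document
    "readme.txt        .exe",  # padding pushes the real extension out of view
    "data.tar.gz",             # unregistered extension, shown in full
]


def displayed_name(filename, hide_ext=True):
    """Return the name Explorer shows with HideFileExt on (the default)."""
    if not hide_ext:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTS else filename


def classify(filename):
    """Describe what the user sees versus what actually runs."""
    _, ext = os.path.splitext(filename)
    real_ext = ext.lower()
    shown = displayed_name(filename)
    # rstrip() so "readme.txt        " still reads as a .txt to the eye
    _, shown_ext = os.path.splitext(shown.rstrip())
    shown_ext = shown_ext.lower()
    deceptive = (
        real_ext in EXECUTABLE_EXTS
        and shown != filename            # the real extension is hidden...
        and shown_ext in DOCUMENT_EXTS   # ...and what remains looks benign
    )
    return {
        "filename": filename,
        "displayed_as": shown,
        "real_extension": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        "deceptive": deceptive,
    }


def find_deceptive(names):
    """Return the subset of names that would mislead a user."""
    return [n for n in names if classify(n)["deceptive"]]


def hide_file_ext_enabled():
    """Read Explorer's HideFileExt value; None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "HideFileExt")
    return value == 1


if __name__ == "__main__":
    setting = hide_file_ext_enabled()
    print("HideFileExt enabled:", "unknown (not Windows)" if setting is None else setting)
    for name in SAMPLE_NAMES:
        info = classify(name)
        flag = "DECEPTIVE" if info["deceptive"] else "ok"
        print(f"{flag:9} {name!r:30} shown as {info['displayed_as']!r}")
```

The padding case matters in practice: the visible extension is unchanged, so any check that only looks at the last two dot-separated components misses it. Turning `HideFileExt` off for users removes the disguise, and a gateway that blocks or renames attachments with an executable final extension removes the need to rely on the user at all.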
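The "CERT/CC Channel" section above says the RSS 0.91 file exists so that sites can generate pointers to new CERT publications automatically. Below is an added example of such a consumer, written for this summary rather than taken from the CERT/CC; the feed text is a constructed sample in RSS 0.91 shape (`rss version="0.91"` containing one `channel` with `item` children), and the allowed-host list is this example's assumption. Because the feed is fetched from the network, the example treats every title and link as untrusted: titles are HTML-escaped and links are only rendered when their scheme and host are acceptable.

```python
"""Turn an RSS 0.91 feed into a list of HTML pointers, safely.

Added example for the CERT/CC Channel; SAMPLE_FEED is constructed and
only imitates the channel's layout.
"""
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="0.91">
  <channel>
    <title>CERT/CC Channel (constructed sample)</title>
    <link>http://www.cert.org/</link>
    <description>Recently published CERT/CC documents</description>
    <item>
      <title>CERT Advisory CA-2000-17, Input Validation Problem in rpc.statd</title>
      <link>http://www.cert.org/advisories/CA-2000-17.html</link>
    </item>
    <item>
      <title>CERT Incident Note IN-2000-07, Exploitation of Hidden File Extensions</title>
      <link>http://www.cert.org/incident_notes/IN-2000-07.html</link>
    </item>
    <item>
      <title>Summary &amp; &lt;i&gt;emphasis&lt;/i&gt; in a headline</title>
      <link>http://www.cert.org/summaries/</link>
    </item>
    <item>
      <title>Item with a non-HTTP link</title>
      <link>javascript:void(0)</link>
    </item>
  </channel>
</rss>
"""

# Hosts whose links we are willing to publish (assumed for this example).
ALLOWED_HOSTS = ("www.cert.org",)


def parse_rss091(text):
    """Return [{'title': ..., 'link': ...}, ...] from an RSS 0.91 document."""
    root = ET.fromstring(text)
    if root.tag != "rss" or root.get("version") != "0.91":
        raise ValueError("not an RSS 0.91 document")
    channel = root.find("channel")
    if channel is None:
        raise ValueError("RSS document has no channel element")
    items = []
    for item in channel.findall("item"):
        # findtext() already decodes entities such as &lt; into characters,
        # so the title is plain text that must be escaped again on output.
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
        })
    return items


def link_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only http(s) links to hosts we expect the feed to point at."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def render_pointers(items, allowed_hosts=ALLOWED_HOSTS):
    """Render an HTML list; items with unacceptable links are dropped."""
    lines = ["<ul>"]
    for item in items:
        if not link_allowed(item["link"], allowed_hosts):
            continue
        href = html.escape(item["link"], quote=True)
        text = html.escape(item["title"])
        lines.append(f'  <li><a href="{href}">{text}</a></li>')
    lines.append("</ul>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_pointers(parse_rss091(SAMPLE_FEED)))
```

When wiring this to a live fetch, keep the version check and the host allow-list: a feed served over plain HTTP can be altered in transit, and a page that pastes feed titles into HTML unescaped hands whoever controls the feed a foothold on the consuming site.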
______________________________________________________________________

What's New and Updated

Since the last CERT summary, we have published new and updated

   * Advisories
   * Incident notes
   * Vulnerability notes
   * Tech tips/FAQs, including one on how the FBI investigates computer
     crimes
   * CERT/CC statistics
   * Infosec Outlook newsletter
   * Security improvement modules
   * Security improvement implementations

There are descriptions of these documents and links to them on our "What's
New" web page at

   http://www.cert.org/nav/whatsnew.html

______________________________________________________________________

This document is available from:

   http://www.cert.org/summaries/CS-2000-03.html

______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh PA 15213-3890
      U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other hours,
on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from

   http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from our
web site

   http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to
cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in
the subject of your message.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
  and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained from
use of the material. Carnegie Mellon University does not make any warranty
of any kind with respect to freedom from patent, trademark, or copyright
infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOaa9+1r9kb5qlZHQEQJ4sQCfbjYqxPZ4aYJqe+DN+tc1BWEY314AnRc7
9i1lvivd8i34P0W6Q/gGCiM3
=fbC6
-----END PGP SIGNATURE-----