-----BEGIN PGP SIGNED MESSAGE----- CERT Summary CS-2003-04 November 24, 2003 Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from: CERT Summaries http://www.cert.org/summaries/ ______________________________________________________________________ Recent Activity Since the last regularly scheduled CERT summary, issued in September 2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft Windows Workstation Service, RPCSS Service, and Exchange. We have also documented vulnerabilities in various SSL/TLS implementations, a buffer overflow in Sendmail, and a buffer management error in OpenSSH. We have received reports of W32/Swen.A, W32/Mimail variants, and exploitation of an Internet Explorer vulnerability reported in August of 2003. For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change. CERT/CC Current Activity http://www.cert.org/current/current_activity.html 1. W32/Mimail Variants The CERT/CC has received reports of several new variants of the 'Mimail' worm. The most recent variant of the worm (W32/Mimail.J) arrives as an email message alleging to be from the Paypal financial service. The message requests that the recipient 'verify' their account information to prevent the suspension of their Paypal account. Attached to the email is an executable file which captures this information (if entered), and sends it to a number of email addresses. Current Activity - November 19, 2003 http://www.cert.org/current/archive/2003/11/19/archive.html#mimaili 2. Buffer Overflow in Windows Workstation Service A buffer overflow vulnerability exists in Microsoft's Windows Workstation Service (WKSSVC.DLL) allowing an attacker to execute arbitrary code or cause a denial-of-service condition. CERT Advisory CA-2003-28 Buffer Overflow in Windows Workstation Service http://www.cert.org/advisories/CA-2003-28.html Vulnerability Note VU#567620 Microsoft Windows Workstation service vulnerable to buffer overflow when sent specially crafted network message http://www.kb.cert.org/vuls/id/567620 3. Multiple Vulnerabilities in Microsoft Windows and Exchange Multiple vulnerabilities exist in Microsoft Windows and Microsoft Exchange, the most serious of which could allow remote attackers to execute arbitrary code. CERT Advisory CA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange http://www.cert.org/advisories/CA-2003-27.html Vulnerability Note VU#575892 Buffer overflow in Microsoft Windows Messenger Service http://www.kb.cert.org/vuls/id/575892 Vulnerability Note VU#422156 Microsoft Exchange Server fails to properly handle specially crafted SMTP extended verb requests http://www.kb.cert.org/vuls/id/422156 Vulnerability Note VU#467036 Microsoft Windows Help and support Center contains buffer overflow in code used to handle HCP protocol http://www.kb.cert.org/vuls/id/467036 Vulnerability Note VU#989932 Microsoft Windows contains buffer overflow in Local Troubleshooter ActiveX control (Tshoot.ocx) http://www.kb.cert.org/vuls/id/989932 Vulnerability Note VU#838572 Microsoft Windows Authenticode mechanism installs ActiveX controls without prompting user http://www.kb.cert.org/vuls/id/838572 Vulnerability Note VU#435444 Microsoft Outlook Web Access (OWA) contains cross-site scripting vulnerability in the "Compose New Message" form http://www.kb.cert.org/vuls/id/435444 Vulnerability Note VU#967668 Microsoft Windows ListBox and ComboBox controls vulnerable to buffer overflow when supplied crafted Windows message http://www.kb.cert.org/vuls/id/967668 4. Multiple Vulnerabilities in SSL/TLS Implementations Multiple vulnerabilities exist in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols allowing an attacker to execute arbitrary code or cause a denial-of-service condition. CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations http://www.cert.org/advisories/CA-2003-26.html Vulnerability Note VU#935264 OpenSSL ASN.1 parser insecure memory deallocation http://www.kb.cert.org/vuls/id/935264 Vulnerability Note VU#255484 OpenSSL contains integer overflow handling ASN.1 tags (1) http://www.kb.cert.org/vuls/id/255484 Vulnerability Note VU#380864 OpenSSL contains integer overflow handling ASN.1 tags (2) http://www.kb.cert.org/vuls/id/380864 Vulnerability Note VU#686224 OpenSSL does not securely handle invalid public key when configured to ignore errors http://www.kb.cert.org/vuls/id/686224 Vulnerability Note VU#732952 OpenSSL accepts unsolicited client certificate messages http://www.kb.cert.org/vuls/id/732952 Vulnerability Note VU#104280 Multiple vulnerabilities in SSL/TLS implementations http://www.kb.cert.org/vuls/id/104280 Vulnerability Note VU#412478 OpenSSL 0.9.6k does not properly handle ASN.1 sequences http://www.kb.cert.org/vuls/id/412478 5. Exploitation of Internet Explorer Vulnerability The CERT/CC received a number of reports indicating that attackers were actively exploiting the Microsoft Internet Explorer vulnerability described in VU#865940. These attacks include the installation of tools for launching distributed denial-of-service (DDoS) attacks, providing generic proxy services, reading sensitive information from the Windows registry, and using a victim system's modem to dial pay-per-minute services. The vulnerability described in VU#865940 exists due to an interaction between IE's MIME type processing and the way it handles HTML application (HTA) files embedded in OBJECT tags. CERT Advisory IN-2003-04 Exploitation of Internet Explorer Vulnerability http://www.cert.org/incident_notes/IN-2003-04.html Vulnerability Note VU#865940 Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element http://www.kb.cert.org/vuls/id/865940 6. W32/Swen.A Worm On September 19, the CERT/CC began receiving a large volume of reports of a mass mailing worm, referred to as W32/Swen.A, spreading on the Internet. Similar to W32/Gibe.B in function, this worm arrives as an attachment claiming to be a Microsoft Internet Explorer Update or a delivery failure notice from qmail. The W32/Swen.A worm requires a user to execute the attachment either manually or by using an email client that will open the attachment automatically. Upon opening the attachment, the worm attempts to mail itself to all email addresses it finds on the system. The CERT/CC updated the current activity page to contain further information on this worm. Current Activity - September 19, 2003 http://www.cert.org/current/archive/2003/09/19/archive.html#swena 7. Buffer Overflow in Sendmail Sendmail, a widely deployed mail transfer agent (MTA), contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root. CERT Advisory CA-2003-25 Buffer Overflow in Sendmail http://www.cert.org/advisories/CA-2003-25.html Vulnerability Note VU#784980 Sendmail prescan() buffer overflow vulnerability http://www.kb.cert.org/vuls/id/784980 8. Buffer Management Vulnerability in OpenSSH A remotely exploitable vulnerability exists in a buffer management function in versions of OpenSSH prior to 3.7.1. This vulnerability could enable an attacker to cause a denial-of-service condition. CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH http://www.cert.org/advisories/CA-2003-24.html Vulnerability Note VU#333628 OpenSSH contains buffer management errors http://www.kb.cert.org/vuls/id/333628 9. RPCSS Vulnerabilities in Microsoft Windows On September 10, the CERT/CC reported on three vulnerabilities that affect numerous versions of Microsoft Windows, two of which are remotely exploitable buffer overflows that may an allow an attacker to execute code with system privileges. CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows http://www.cert.org/advisories/CA-2003-23.html Vulnerability Note VU#483492 Microsoft Windows RPCSS Service contains heap overflow in DCOM activation routines http://www.kb.cert.org/vuls/id/483492 Vulnerability Note VU#254236 Microsoft Windows RPCSS Service contains heap overflow in DCOM request filename handling http://www.kb.cert.org/vuls/id/254236 Vulnerability Note VU#326746 Microsoft Windows RPC service vulnerable to denial of service http://www.kb.cert.org/vuls/id/326746 ______________________________________________________________________ New CERT Coordination Center (CERT/CC) PGP Key On October 15, the CERT/CC issued a new PGP key, which should be used when sending sensitive information to the CERT/CC. CERT/CC PGP Public Key https://www.cert.org/pgp/cert_pgp_key.asc Sending Sensitive Information to the CERT/CC https://www.cert.org/contact_cert/encryptmail.html ______________________________________________________________________ What's New and Updated Since the last CERT Summary, we have published new and updated * Advisories http://www.cert.org/advisories/ * Vulnerability Notes http://www.kb.cert.org/vuls * CERT/CC Statistics http://www.cert.org/stats/cert_stats.html * Congressional Testimony http://www.cert.org/congressional_testimony * Training Schedule http://www.cert.org/training/ * CSIRT Development http://www.cert.org/csirts/ ______________________________________________________________________ This document is available from: http://www.cert.org/summaries/CS-2003-04.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. ______________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright ©2003 Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBP8JVOZZ2NNT/dVAVAQGL9wP+I18NJBUBuv7b0pam5La7E7qOQFMn5n78 7i0gBX/dKgaY5siM6jBYYwCbbA7Y0/Jwtby2zHp1s8RHZY5/3JEzElfv4TLlR8rT rb8gJDbpan2JWA6xH9IzqZaSrxrXpNypwU2wWxR2osmbYl8FdV0rD3ZYXJjyi+nU UENALuNdthA= =DD60 -----END PGP SIGNATURE-----