| Internet Explorer | Symantec | Phishing Exploit Attempted at UO | Sober Worm | Dubious Domain Names | Veritas NetBackup Flaw |
Two highly critical new vulnerabilities emerged at the end of December:
1. IE 5.5 and 6.x. Secunia is reporting a vulnerability in Internet Explorer 5.5 and 6.x that allows arbitrary code to be executed on a vulnerable browser if the user is tricked into visiting a malicious website (as may occur when clicking a malicious link masquerading as an e-card link, for example). For details, see http://secunia.com/advisories/15546/
Users are advised to use Firefox instead of IE; if you must use IE, be sure to keep your patches up-to-date.
2. Symantec Antivirus products. FrSIRT has released a critical vulnerability warning for Symantec Antivirus products relating to how certain malformed RAR files are handled. This vulnerability could allow attackers unauthorized control of data and related privileges and could even cause further network compromise. Symantec users are likely vulnerable regardless of whether they choose to open or read an infected email.
SANS is now reporting that Symantec has released updated definitions that block the malformed RARs that are at the core of this exploit.
If you are still running Symantec Antivirus products, immediately update your antivirus definitions or migrate to McAfee. For details on the vulnerability, see
At the end of December an extremely critical vulnerability was discovered in the handling of Windows Metafiles (.wmf files). It can be exploited to execute arbitrary code, and exploits are triggered automatically when an unsuspecting user visits a malicious website using Internet Explorer (see http://secunia.com/advisories/18255/). You may download the patch from http://www.microsoft.com/downloads/details.aspx?FamilyID=0c1b4c96-57ae-499e-b89b-215b7bb4d8e9&DisplayLang=en
This IE vulnerability is yet another flaw that could allow an attacker to take control of an affected system. For details, see Microsoft's December 2005 Security Bulletin Summary at http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx. If you just want to make sure you get patched, run Microsoft Update (or Windows Update) from the Start menu or visit Microsoft Update at http://update.microsoft.com/microsoftupdate/
Note to UO Windows users who use Blackboard with IE: Because of the high number of security vulnerabilities that recur in Internet Explorer, we recommend you switch to the latest Firefox web browser if at all possible. If you continue to use IE with Blackboard, be aware that it requires JavaScript active scripting. If you disable active scripting in IE as a security measure, or set the IE browser security preference to "high," Blackboard won't work. To ensure that your browser is configured properly, go to http://libweb.uoregon.edu/cet/blackboard/plugin/#browser
The first week of December, Network Services security engineers reported a phishing attempt in which emails were sent purporting to come from "security.uoregon.edu". These bogus emails asked users to "confirm their email" or have their accounts suspended. Fortunately the phishers did no harm: the messages were delivered in the middle of the night, and the clickable link they contained was dead by 6 a.m.
Please remember to be suspicious of links that come in email or instant messaging. The best security practice is to not click on any link that comes to you via email, even if it appears to be from a person or organization that you know. Phishing ploys have become so sophisticated that it is virtually impossible to tell a counterfeit site from a real one.
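A small illustration of the kind of check that catches crude "confirm your email" lures like the one reported above. This is an added example, not part of the newsletter and not a UO tool; the sender address, hostnames and IP address in the sample message are constructed for the example, and the domain-matching helper is a deliberately simple approximation (no public-suffix list). It extracts every link from an HTML message body and reports links whose visible text names a different domain than the real target, links that point at a raw IP address, and links whose domain does not match the claimed sender's domain.

```python
# Added example (not from the newsletter): flag links in an e-mail whose
# visible text or claimed sender does not match where the link really points.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample message, modelled on the "confirm your e-mail" lure.
# The sender address, hostnames and IP address below are made up.
SAMPLE_SENDER = "it-help@security.uoregon.edu"
SAMPLE_HTML = """
<p>Your account will be suspended unless you confirm your e-mail.</p>
<p><a href="http://198.51.100.23/confirm">http://security.uoregon.edu/confirm</a></p>
<p>Help pages: <a href="https://it.uoregon.edu/help">it.uoregon.edu/help</a></p>
<p><a href="http://uoregon.edu.example-login.net/verify">Verify now</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for .edu/.com style names; a real tool would use the
    public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname that a URL, or a bare 'host/path' string, points at ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_LOOKS_LIKE_HOST_RE = re.compile(r"[\w-]+\.[a-z]{2,}")


def check_links(sender, html):
    """Return a list of (href, reasons) for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    findings = []
    for href, text in parser.links:
        reasons = []
        target = host_of(href)
        if _IP_RE.match(target):
            reasons.append("link points at a raw IP address")
        # Only compare the visible text when it actually names a host.
        shown = host_of(text) if _LOOKS_LIKE_HOST_RE.search(text) else ""
        if shown and registrable_domain(shown) != registrable_domain(target):
            reasons.append(f"visible text says {shown} but link goes to {target}")
        if registrable_domain(target) != sender_domain:
            reasons.append(
                f"link domain {registrable_domain(target)} differs from sender domain {sender_domain}"
            )
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_SENDER, SAMPLE_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run on the sample, the first and third links are reported and the genuine it.uoregon.edu link is not. The sender-domain comparison is a heuristic (legitimate mail often links to other domains), so treat the output as a prompt to look closer rather than a verdict; as the paragraph above notes, a well-made counterfeit page will pass checks like these, which is why not clicking emailed links remains the safer habit.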
On December 2 email traffic slowed virtually to a halt between Comcast account holders and users of Microsoft-based Hotmail, thanks to a variant of the Sober worm. The Sober worm first appeared in 2003 and infects Windows PCs, causing the infected machines to repeatedly send spam emails that negatively impact network performance. For details, see the Sober-Y article on page 16 of this issue, and ZDnet's report at http://news.zdnet.co.uk/internet/security/0,39020375,39240173,00.htm
The U.S. Government Accountability Office (GAO) recently reported that millions of Internet domain names have been registered with false or incomplete information, possibly in an attempt to hide the owners' identities or to prevent the public from contacting them. For details, see http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/export/home/httpd/htdocs/news/2005/120905-domain-names.html
Last October, a serious security hole was discovered in all versions of NetBackup that could allow attackers to execute arbitrary code with root/SYSTEM privileges. You'll find more details on this vulnerability, including a maintenance pack to fix it, at http://seer.support.veritas.com/docs/281107.htm