CERT-In Monthly Security Bulletin July 06
High Vulnerabilities
| Microsoft | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Microsoft Windows | Microsoft Hyperlink Object Library HLINK.DLL Buffer Overflow Vulnerability | July 01, 2006 | CIVN-2006-57 |
| Microsoft Excel | Microsoft Excel Style Handling and Repair Client-Side Buffer Overflow Vulnerability | July 12, 2006 | CIVN-2006-61 |
| Microsoft Word | Microsoft Word unchecked boundary condition vulnerability | July 10, 2006 | CIVN-2006-62 |
| Microsoft .NET | Microsoft .NET Framework Application Folder Information Disclosure Vulnerability | July 12, 2006 | CIVN-2006-63 |
| Microsoft Windows | Microsoft Windows Heap Overflow and Information Disclosure Vulnerabilities | July 12, 2006 | CIVN-2006-65 |
| Microsoft Windows | Microsoft Windows Buffer Overrun in DHCP Client Service Vulnerability | July 12, 2006 | CIVN-2006-66 |
| Microsoft Excel | Microsoft Excel Could Allow Remote Code Execution Vulnerability | July 12, 2006 | CIVN-2006-67 |
| Microsoft Office | Microsoft Office Parsing Vulnerability | July 12, 2006 | CIVN-2006-68 |
| Microsoft Office | Microsoft Office Property Vulnerability | July 12, 2006 | CIVN-2006-69 |
| Microsoft Office | Microsoft Office Malformed String Parsing Vulnerability | July 12, 2006 | CIVN-2006-70 |
| Microsoft Office | Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution | July 12, 2006 | CIVN-2006-71 |
| Microsoft PowerPoint | Microsoft PowerPoint mso.dll vulnerability | July 28, 2006 | CIVN-2006-73 |
| Unix | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Sun Solaris | Denial of Service vulnerabilities in Sun Solaris | July 18, 2006 | CIAD-2006-21 |
| Redhat Security Update | Redhat Security Update Fixes Mozilla Seamonkey Multiple Code Execution Vulnerabilities | July 28, 2006 | CVE-2006-3677 |
| libwmf | Libwmf "meta.c" and "player.c" Scripts WMF File Handling Integer Overflow Vulnerability | July 03, 2006 | CVE-2006-3376 |
| Database | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Oracle Database | Multiple Vulnerabilities in Oracle Database and Other Products | July 20, 2006 | CIAD-2006-22 |
| Network | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Cisco | Vulnerabilities in Cisco Unified Call Manager | July 14, 2006 | CIAD-2006-20 |
| Cisco | Cisco Security Monitoring Analysis and Response System Command Execution Vulnerabilities | July 19, 2006 | CVE-2006-3732 |
| Others | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Mozilla Products | Multiple Vulnerabilities in Mozilla Products | July 28, 2006 | CIAD-2006-23 |
 
Medium Vulnerabilities
| Microsoft | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Internet Explorer | Microsoft Internet Explorer File share handling vulnerability | July 01, 2006 | CIVN-2006-55 |
| Internet Explorer | Microsoft Internet Explorer Outer HTML Redirection Handling Information Disclosure Vulnerability | July 01, 2006 | CIVN-2006-56 |
| IIS | Microsoft Internet Information Services ASP Code Buffer Overflow Vulnerability | July 12, 2006 | CIVN-2006-64 |
| Unix | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Linux Kernel | Linux Kernel Netfilter Remote Denial of Service Vulnerability | July 10, 2006 | CIVN-2006-60 |
| Linux Kernel | Linux Kernel CD-ROM Driver "dvd_read_bca()" Local Buffer Overflow Vulnerability | July 05, 2006 | CVE-2006-2935 |
| Linux Kernel | Linux Kernel "sys_prctl()" Local Privilege Escalation and Denial of Service Vulnerability | July 07, 2006 | CVE-2006-2451 |
| Linux Kernel | Linux Kernel "proc/base.c" Userspace Interaction Local Privilege Escalation Vulnerability | July 15, 2006 | CVE-2006-3626 |
| phpMyAdmin | Cross-site scripting (XSS) vulnerability in phpMyAdmin | July 06, 2006 | CVE-2006-3388 |
| Database | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| MySQL | MySQL Server Date Format Denial of Service Vulnerability | July 22, 2006 | CIVN-2006-72 |
| Network | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Cisco | Cisco Secure ACS for UNIX Cross-Site Scripting Vulnerability | July 03, 2006 | CIVN-2006-58 |
| Cisco | Cisco Secure ACS Weak Session Management Vulnerability | July 03, 2006 | CIVN-2006-59 |
 
Malicious Code Threats
| Title of Malicious Code | Type | Overview | Aliases | Discovery Date | References |
|---|---|---|---|---|---|
| W32.Amirecivel.F@mm | Worm | It is a mass-mailing worm that requires the Microsoft .NET Framework to execute itself. It also propagates through file-sharing networks (P2P networks). | WORM_NETSAD.B [Trend Micro] | July 2, 2006 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-070311-4105-99&tabid=1 |
| W32.Sixem.C@mm | Worm | It is a mass-mailing worm that sends e-mail containing messages regarding the World Cup. | No aliases | July 2, 2006 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-070313-0911-99&tabid=2 |
| Gattman.A | Virus | It is a polymorphic virus that uses the Entry Point Obscuring (EPO) technique to infect .IDC script files that are associated with the Interactive Disassembler Pro (IDA) application. | W32/Gattman.A [Sophos], W32/Gatt [McAfee], W32.Gatt [Symantec] | July 2, 2006 | http://www.f-secure.com/v-descs/gattman_a.shtml |
| Backdoor.Rustock.B | Trojan | It is a back door Trojan horse that allows a compromised computer to be used as a covert proxy and uses advanced rootkit techniques to hide any files and registry subkeys it creates. | Spam-Mailbot.c [McAfee] | July 5, 2006 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=1 |
| TROJ_MDROPPER.AS | Trojan | Trojan MDROPPER.AS arrives as an e-mail attachment to spammed e-mail messages. It exploits the Microsoft PowerPoint mso.dll vulnerability. | No aliases | Jul 14, 2006 | http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EAS |
| ACTS.Spaceflash | Worm | This is an ActionScript-based worm that spreads through MySpace.com user accounts. It spreads each time a MySpace user visits an infected user-profile page. | JS/SpaceFlash-A [Sophos], JS/SpaceFlash [McAfee] | July 18, 2006 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071811-3819-99 |
| Backdoor.Haxdoor.O | Trojan | This is a Trojan that opens a back door on the compromised computer and allows a remote attacker to have unauthorized access. It also logs keystrokes, steals passwords, and drops rootkits that run in safe mode. | Backdoor.Haxdoor.I, BKDR_HAXDOOR.GP [Trend Micro] | July 23, 2006 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072413-3859-99&tabid=1 |
| Firnavo.Exploit | Trojan | Firnavo.Exploit is a proof-of-concept Trojan that exploits the Mozilla Firefox JavaScript Navigator Object Remote Code Execution Vulnerability. | No aliases | July 30, 2006 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-073012-3805-99&tabid=2 |
 
Top 10 Spam Producing ISPs (Source: www.spamhaus.org)
| Rank | Network |
|---|---|
| 1 | verizonbusiness.com |
| 2 | cncgroup-hl |
| 3 | sbc.com |
| 4 | interbusiness.it |
| 5 | hinet.net |
| 6 | xo.com |
| 7 | ttnet.net.tr |
| 8 | comcast.net |
| 9 | rtcomm.ru |
| 10 | tpnet.pl |