
  • Latest Current Activity
  • April 01, 2009 - Current Activity

    This is an archived copy of current activity, if you would like to see the most recent version, please click here.

    March 30 - Conficker Worm Targets Microsoft Windows Systems
    March 30 - Mozilla Foundation Releases Firefox 3.0.8
    March 26 - Sun Releases Updates for Java SE
    March 26 - OpenSSL Releases Security Advisory
    March 25 - Cisco Releases Multiple Security Advisories for IOS Vulnerabilities
    March 23 - Sun Releases Alert for Java System Identity Manager Vulnerabilities
    March 18 - Adobe Releases Security Bulletin
    March 18 - Autonomy KeyView SDK Vulnerability
    March 17 - Waledac Trojan Horse Spam Campaign Circulating
    March 11 - Adobe Releases Security Updates for Reader 9 and Acrobat 9



    Conficker Worm Targets Microsoft Windows Systems

    added March 29, 2009 at 08:18 pm | updated March 30, 2009 at 03:06 pm

    US-CERT is aware of public reports indicating a widespread infection of the Conficker/Downadup worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network, if the network servers are not patched with the MS08-067 patch from Microsoft.

    Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. An infection may be indicated if a user is unable to reach their security solution's website, or is unable to connect to the following websites, which offer free detection/removal tools for download:

    http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
    http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
    http://www.mcafee.com

    If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system should be removed from the network or, in the case of home users, unplugged from the Internet.
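
    The reachability test described above, as an added example that is not part of the original US-CERT notice: it resolves the hostnames of the three listed sites and, as an assumption of this example, also resolves two unrelated control hosts so that a machine with no connectivity at all is reported as inconclusive rather than suspect. The function names, verdict strings and control hosts are hypothetical.

```python
import socket
from urllib.parse import urlparse

# URLs of the detection/removal tool sites listed in the notice above.
SECURITY_SITES = [
    "http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm",
    "http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx",
    "http://www.mcafee.com",
]
# Assumption of this example: hosts unrelated to security vendors, used to
# tell "no connectivity at all" apart from "only security sites fail".
CONTROL_HOSTS = ["www.example.com", "www.wikipedia.org"]


def system_resolver(host):
    """Return True if the operating system's resolver can resolve host."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def assess(resolver=system_resolver, sites=SECURITY_SITES, controls=CONTROL_HOSTS):
    """Classify the machine from name-resolution results.

    resolver is injectable so the logic can be exercised without a network.
    """
    hosts = sorted({urlparse(url).hostname for url in sites})
    blocked = [h for h in hosts if not resolver(h)]
    control_ok = any(resolver(h) for h in controls)
    if not blocked:
        verdict = "no-indication"          # every security site resolves
    elif not control_ok:
        verdict = "inconclusive-no-connectivity"  # nothing resolves at all
    else:
        verdict = "suspect"                # security sites fail, others work
    return {"verdict": verdict, "blocked": blocked}


if __name__ == "__main__":
    print(assess())
```

    A "suspect" result is only an indication, as the notice says; the vendor tools listed below are what confirm or rule out an infection.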

    Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:

    Symantec:

    http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

    Microsoft:

    http://support.microsoft.com/kb/962007

    http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

    For assistance, contact the Microsoft PC Safety hotline at 1-866-PCSAFETY.

    US-CERT encourages users to prevent a Conficker/Downadup infection by ensuring all systems have the MS08-067 patch (see http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software.


    Mozilla Foundation Releases Firefox 3.0.8

    added March 30, 2009 at 09:25 am

    Mozilla Foundation has released Firefox 3.0.8 to address two vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. The Mozilla Foundation Security Advisories indicate that one of these vulnerabilities also affects SeaMonkey.

    US-CERT encourages users and administrators to review the following Mozilla Foundation Security Advisories and update to Firefox 3.0.8 to help mitigate the risks:

    • Mozilla Foundation Security Advisory 2009-12
    • Mozilla Foundation Security Advisory 2009-13


    Sun Releases Updates for Java SE

    added March 26, 2009 at 08:54 am

    Sun has released updates for Java SE to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with escalated privileges.

    US-CERT encourages users to review the Sun Java SE 6 Update Release Notes and upgrade to Java SE version 1.6.0_13 to help mitigate the risks.


    OpenSSL Releases Security Advisory

    added March 26, 2009 at 08:36 am

    OpenSSL has released a security advisory to address multiple vulnerabilities. These vulnerabilities may allow an attacker to cause a denial-of-service condition or bypass security restrictions in affected applications.

    US-CERT encourages users and administrators to review the OpenSSL security advisory. Because OpenSSL is widely redistributed, users should check for updates from their operating system vendors and vendors of other products using OpenSSL. Users of OpenSSL from the original source distribution should upgrade to OpenSSL 0.9.8k.


    Cisco Releases Multiple Security Advisories for IOS Vulnerabilities

    added March 25, 2009 at 03:41 pm

    Cisco has released multiple security advisories to address vulnerabilities in IOS Software. These vulnerabilities may allow an attacker to cause a denial-of-service condition, interfere with network traffic, or operate with escalated privileges.

    US-CERT encourages users and administrators to review the following Cisco security advisories and apply any necessary workarounds or updates to help mitigate the risks.


    Sun Releases Alert for Java System Identity Manager Vulnerabilities

    added March 23, 2009 at 12:24 pm

    Sun Microsystems has released an alert to address multiple vulnerabilities in the Java System Identity Manager. These vulnerabilities may allow an attacker to execute arbitrary commands, conduct cross-site scripting attacks, modify configuration settings, or obtain sensitive information.

    US-CERT encourages users and administrators to review Sun Alert 253567 and apply any necessary patches.


    Adobe Releases Security Bulletin

    added March 18, 2009 at 04:39 pm

    Adobe has released security bulletin APSB09-04 to address multiple vulnerabilities, one of which is the JBIG2 vulnerability originally addressed in security advisory APSA09-01 and security bulletin APSB09-03. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

    US-CERT encourages users to review Adobe security bulletin APSB09-04 and apply any necessary updates. Additional information regarding the JBIG2 vulnerability can be found in the Vulnerability Notes Database.


    Autonomy KeyView SDK Vulnerability

    added March 18, 2009 at 09:13 am

    US-CERT is aware of reports of a vulnerability that affects the Autonomy KeyView SDK wp6sr.dll library. This library is used by certain products, including Lotus Notes and Symantec, to support the handling of Word Perfect documents. By convincing a user to open a specially crafted Word Perfect document with an application using the affected Autonomy KeyView SDK library, a remote attacker may be able to execute arbitrary code.

    US-CERT encourages users and administrators to do the following to help mitigate the risks:


    Waledac Trojan Horse Spam Campaign Circulating

    added March 17, 2009 at 09:08 am

    US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient's local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to "breaking news." Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user's IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video. If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.

    US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

    • Install antivirus software, and keep the virus signatures up to date.
    • Do not follow unsolicited links and do not open unsolicited email messages.
    • Use caution when visiting untrusted websites.
    • Use caution when downloading and installing applications.
    • Obtain software applications and updates directly from the vendor's website.
    • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
    • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.


    Adobe Releases Security Updates for Reader 9 and Acrobat 9

    added March 11, 2009 at 09:45 am | updated March 11, 2009 at 11:18 am

    Adobe has released Reader 9.1 and Acrobat 9.1 to address a vulnerability. This vulnerability is due to a buffer overflow condition that exists in the way Adobe Acrobat Reader handles JBIG2 streams. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Adobe has indicated that it is aware of reports of active exploitation.

    US-CERT encourages users to review Adobe security bulletin APSB09-03 and update to Adobe Reader 9.1 and Acrobat 9.1. Additional information regarding this vulnerability is available in the Vulnerability Notes Database.