NETWORK WORLD NEWSLETTER: JASON MESERVE'S VIRUS AND BUG PATCH
ALERT
08/18/05
Today's focus: New worms exploit Windows PnP flaw
In this issue:
* Patches from Apple, Cisco, Novell, others
* Beware Windows 2000 worms
* McAfee readies home Wi-Fi security tool
* Links related to Virus and Bug Patch Alert
_______________________________________________________________
By Jason Meserve
Today's bug patches and security alerts:
Apple releases major bug fix update
A new update for most newer versions of the Mac OS X operating
system is available from Apple. The new update fixes flaws in
Apache 2, AppKit, Bluetooth, CoreFoundation, CUPS, Directory
Services, HItoolbox, Kerberos, loginwindow, Mail, MySQL,
OpenSSL, ping, QuartzComposerScreenSaver, Safari,
SecurityInterface, servermgrd, servermgr_ipfilter, SquirrelMail,
traceroute, WebKit, Weblog Server, X11, and zlib. For more, go
to:
<http://docs.info.apple.com/article.html?artnum=302163>
Related CERT advisory:
<http://www.us-cert.gov/cas/techalerts/TA05-229A.html>
**********
Cisco patches Clean Access Unauthenticated API Access
According to an advisory from Cisco, "Cisco Clean Access (CCA)
is a software solution that can automatically detect, isolate,
and clean infected or vulnerable devices that attempt to access
your network. CCA includes as part of the architecture an API.
Lack of authentication while invoking API methods can allow an
attacker to bypass security posture checking, change the
assigned role for a user, disconnect users and can also lead to
information disclosure on configured users." For more, go to:
<http://www.networkworld.com/nlvirusbug5459>
**********
Novell fixes GroupWise Password Caching flaw
Versions 5.x and 6.x of the Novell GroupWise client may cache
username and password information in memory while running.
According to Novell, a "hostile" administrator with rights to
the affected machine could create a memory dump to find the
username/password information for any logged in user. For more,
go to:
<http://support.novell.com/servlet/tidfinder/10098073>
**********
HP issues fix for HP-UX Ignite-UX Remote Unauthorized Access flaw
According to an advisory from HP, "A potential security
vulnerability has been identified with HP-UX running Ignite-UX,
where unsafe file permissions could be remotely exploited to
allow an unauthorized user to access and alter Ignite-UX client
data on the Ignite-UX server." For more, go to:
<http://www.securityfocus.com/archive/1/408273/30/0/threaded>
Original Corsaire advisory:
<http://www.corsaire.com/advisories/c041123-002.txt>
**********
Symantec patches Veritas bug
Symantec has released software that fixes critical
vulnerabilities in the company's Veritas Backup Exec and Veritas
NetBackup software. IDG News Service, 08/15/05.
<http://www.networkworld.com/news/2005/081505-symantec-bug.html>
Symantec advisory:
<http://www.networkworld.com/go2/0815bug2c.html>
**********
SuSE, Fedora release updates for Apache, Apache 2
A number of vulnerabilities, ranging from "information
smuggling" to buffer overflows, have been found in the code of
the popular Apache Web server. SuSE, Fedora and Apple (above)
have released updates. For more, go to:
SuSE:
<http://www.networkworld.com/go2/0815bug2b.html>
Fedora:
<http://www.networkworld.com/go2/0815bug2a.html>
**********
Gentoo, Mandriva patch gaim
A new update for Gaim, an open source instant messaging client,
fixes a potential denial-of-service vulnerability. For more, go
to:
Gentoo:
<http://security.gentoo.org/glsa/glsa-200508-06.xml>
Mandriva:
<http://www.mandriva.com/security/advisories?name=MDKSA-2005:139>
**********
Gentoo patches Xpdf, Kpdf, and GPdf
A bug in the xpdf, kpdf and gpdf PDF document view applications
could cause all system resources to be consumed, resulting in a
denial of service. For more, go to:
<http://security.gentoo.org/glsa/glsa-200508-08.xml>
**********
Today's roundup of virus alerts:
CA: Windows 2000 worms now affecting 250,000
Malicious software that takes advantage of a recently disclosed
vulnerability in Microsoft's Windows operating system has spread
rapidly and has now infected more than 250,000 systems,
primarily Windows 2000 systems being run in corporate
environments, according to security vendor Computer Associates.
IDG News Service, 08/17/05.
<http://www.networkworld.com/news/2005/081705-ca-worms.html>
Experts see new variants of Windows 2000 worm
Security vendors have reported several new variants of the worm
infecting PCs running Microsoft's Windows 2000 operating system.
Groups of virus writers are competing to cause the most damage,
according to one security company, although the worm appears
less severe than some first feared. IDG News Service, 08/17/05.
<http://www.networkworld.com/news/2005/081705-worms.html>
Windows worm beginning to spread
A variety of worms that exploit a Windows vulnerability
disclosed last week are hitting many systems worldwide,
reportedly including some at cable network CNN, and could reach
critical mass in the next several hours, according to anti-virus
vendor Trend Micro. IDG News Service, 08/17/05.
<http://www.networkworld.com/news/2005/081705-windows-worm.html>
W32/Zotob-C -- A Zotob variant that exploits the Windows 2000
PnP vulnerability, among others, as it spreads through e-mail.
The infected message uses a number of different text attributes,
but most look like a friend sending a photo. It installs itself
as "per.exe". (Sophos)

W32/Zotob-F -- Another Zotob variant. This one drops
"wintbpx.exe" on the infected machine and allows backdoor access
through an IRC channel. (Sophos)

W32/Tilebot-F -- This new Tilebot variant can also take
advantage of the new Windows 2000 PnP vulnerability. It spreads
through network shares, dropping a randomly named file in the
Windows System folder. The virus does try to limit access to
certain system tools, such as Task Manager. (Sophos)

W32/Tilebot-I -- A Tilebot variant designed to exploit the
Windows PnP and other common buffer overflow vulnerabilities in
Windows. It drops "rdriv.sys" on the target host and can
communicate with a remote server via HTTP. (Sophos)

W32/Tilebot-J -- Yet another Tilebot variant that exploits the
Windows PnP flaw. It allows backdoor access via IRC after
installing itself in the Windows folder as "netinfo.exe".
(Sophos)

W32/Tilebot-Z -- This Tilebot variant spreads through network
shares, though it does not exploit the PnP flaw. It too
disables certain security applications and attempts to download
code from specific remote sites. When running on the machine, it
tries to hide itself as a Windows Sound driver service. (Sophos)

W32/Tpbot-A -- A new bot that tries to exploit the Windows PnP
and LSASS flaws as it spreads by network share. It drops
"wintbp.exe" and allows backdoor access via IRC. (Sophos)

W32/Forbot-FI -- A Forbot variant that spreads through network
shares, installing "winlogons.exe" in the Windows system folder
and allowing backdoor access via IRC. It can be used to execute
commands, create a proxy server and steal password information.
(Sophos)

W32/Antix-A -- A new MSN Messenger worm that spreads through a
message that tries to get the target user to download a new
Messenger update by following a link. What is downloaded is
"kernel32.exe", which can disable security-related programs and
be used to download additional malware. (Sophos)

W32/Rbot-ALA -- An Rbot variant that creates a backdoor on the
infected machine by connecting to a preconfigured IRC server. It
can turn the infected host into a proxy server. It drops
"winmon.sys". (Sophos)

W32/Rbot-ALI -- This Rbot variant can turn the infected host
into a zombie, allowing it to participate in DoS attacks, steal
information and act as a Web, FTP or proxy server. It drops
"windir32.exe" in the Windows System directory. (Sophos)
**********
From the interesting reading department:
McAfee readies home Wi-Fi security tool
All home Wi-Fi gear comes with the bricks and mortar to put up
at least a basic security wall against intruders and
eavesdroppers, but McAfee wants to sell consumers a better
trowel for building it. IDG News Service, 08/15/05.
<http://www.networkworld.com/news/2005/081505-mcafee-wi-fi.html>
_______________________________________________________________
To contact: Jason Meserve
Jason Meserve is the Multimedia Editor at Network World and
writes about streaming media, search engines and IP Multicast.
Jason can be reached at <mailto:jmeserve@nww.com>. Check out his
Multimedia Exchange weblog at:
<http://www.networkworld.com/weblogs/multimedia/>
Check out our weekly Network World Radio program at:
<http://www.networkworld.com/radio/>
_______________________________________________________________
ARCHIVE LINKS
Virus and Bug Patch Alert archive:
http://www.networkworld.com/newsletters/bug/index.html
Breaking security news, updated daily
http://www.networkworld.com/topics/security.html
_______________________________________________________________
Copyright Network World, Inc., 2005