Monday, October 10, 2005

Symantec AntiVirus Scan Engine has serious bug

JASON MESERVE VIRUS AND BUG PATCH ALERT
10/10/05
Today's focus: Symantec AntiVirus Scan Engine has serious bug

In this issue:

* Patches from HP, Mandriva, Gentoo, others
* Beware new Bagle variant that spreads through network shares
and peer-to-peer networks
* U.K. hackers jailed over TK worm, and other interesting reading
* Featured reader resource
_______________________________________________________________
By Jason Meserve

Today's bug patches and security alerts:

Symantec AntiVirus Scan Engine has serious bug

Users of Symantec's AntiVirus Scan Engine are being advised
to upgrade their software, thanks to a critical security bug in
the product. The flaw could theoretically allow an attacker to
take control of an affected system, according to Symantec. IDG
News Service, 10/06/05.

<http://www.networkworld.com/news/2005/100605-symantec-scan.html>

Symantec advisory:
<http://www.networkworld.com/nl8401>
**********

HP patches Tru64's TCP/IP stack

According to an alert from HP, "Several potential security
vulnerabilities have been identified in the HP Tru64 UNIX TCP/IP
including ICMP, and Initial Sequence Number generation (ISNs).
These exploits could result in a remote denial of service from
network throughput reduction for TCP connections, the reset of
TCP connections, or TCP spoofing." Get a patch here:
<http://www.itrc.hp.com/service/patch/mainPage>

HP patches Apache authorization flaw

Apache Web servers running on the HP-UX operating system may be
vulnerable to a remotely exploitable flaw that allows attackers
to bypass certain access control lists. The updated version of
Apache can be downloaded from:
<http://www.networkworld.com/go2/1010bug1a.html>
**********

Sun Directory Server flaw

NGSSoftware is reporting that there is a high-risk vulnerability
in the Sun Directory Server. The company is not releasing the
details for three months to allow time for systems to be
patched. Users should download Sun Directory Server 5.2 (patch
4) from:
<http://sunsolve.sun.com/>

NGSSoftware advisory:
<http://www.securityfocus.com/archive/1/412650/30/30/threaded>

**********

Mandriva, Ubuntu patch texinfo

A function in Texinfo, a documentation system, creates temporary
files in a non-secure manner. An attacker could exploit this to
run arbitrary files on the affected machine. For more, go to:

Mandriva:
<http://www.networkworld.com/nl8402>

Ubuntu:
<http://www.networkworld.com/go2/1010bug1b.html>
**********

Gentoo releases Helix Player update

Multiple vulnerabilities have been found in RealNetworks Helix
Player. The most serious of the flaws could be exploited to run
malicious code on the affected machine. For more, go to:
<http://security.gentoo.org/glsa/glsa-200510-07.xml>

Gentoo releases patch for Ruby

Ruby, a scripting language, does not properly enforce the "safe
level" mechanism, allowing attackers to gain elevated privileges
and potentially run arbitrary code on the affected machine. For
more, go to:
<http://security.gentoo.org/glsa/glsa-200510-05.xml>
**********

Debian issues fix for mason

A flaw in the initialization script for mason, a packet
filtering firewall for Linux, causes the application not to load
on system start, meaning the system is left unprotected. For
more, go to:
<http://www.debian.org/security/2005/dsa-845>

Debian patches cpio

A race condition in the way cpio outputs files could be
exploited to change the permissions of arbitrary files on the
affected machine. For more, go to:
<http://www.debian.org/security/2005/dsa-846>
**********

Debian, Gentoo patch dia

A flaw in the way the dia application handles SVG files could be
exploited by an attacker to run malicious code on the affected
machine. For more, go to:

Debian:
<http://www.debian.org/security/2005/dsa-847>

Gentoo:
<http://security.gentoo.org/glsa/glsa-200510-06.xml>
**********

Today's roundup of virus alerts:

W32/Bagle-AN -- A new Bagle variant that spreads through network
shares and peer-to-peer networks, installing itself as
"winhost.exe" in the Windows System folder. It also spreads
through e-mail with text that tries to get the target user to
read an attachment. (Sophos)

W32/Sober-P -- A new Sober mass mailing worm variant. It uses two
messages, one with "KlassenFoto.zip" as its attachment, the
other with "pword_change.zip". It drops "vbbfgdtd.exe" in the
root directory and can be used to harvest e-mail addresses from
the infected machine. (Sophos, Panda Software)

W32/Sober-L -- Another Sober worm variant. This one installs
itself as "smss.exe" in a subdirectory of the Windows folder.
When a machine is first infected, notepad opens with the text
"Mail-Text: Unzip failed". (Sophos)

W32/Kassbot-H -- A backdoor worm that can receive commands via
an IRC or HTTP connection. It spreads through network shares and
drops "spools.exe" in the Windows System directory. It monitors
Internet connections, looking for passwords to steal and limits
access to security Web sites by modifying the Windows HOSTS
file. (Sophos)

Troj/GrayBrd-AC -- A Windows worm that spreads through network
shares, dropping "RavExt\winlogo.exe" in the Windows System
folder. It communicates with remote sites via HTTP. (Sophos)

W32/Mytob-ES -- A new variant of the Mytob e-mail worm. This one
drops "scrigz.exe" in the Windows System folder after spreading
through a message that looks like an account or password
warning. In addition to allowing backdoor access via IRC, it
also disables access to security related Web sites by modifying
the Windows HOSTS file. (Sophos)

W32/Mytob-ET -- Another Mytob variant. Similar to Mytob-ES
above, except this one drops "hpmanager.exe" in the Windows
System folder. (Sophos)

W32/Mytob-EU -- Yet another Mytob e-mail worm variant. This one
is very similar to Mytob-ES in the way it acts. (Sophos)

W32/Mytob-EV -- The fourth Mytob variant that acts similarly to
the previous three. This one drops "msmanager.exe" in the
Windows System folder. (Sophos)

Troj/Sisery-A -- A "nuisance" program that makes all sorts of
changes to various Windows settings, including removing the log
off option, off setting the desktop wallpaper and disabling the
context menu. (Sophos)

W32/Tilebot-AA -- This Tilebot variant exploits a number of
known Windows vulnerabilities as it spreads through network
shares. It drops "yimsgr.exe" in the Windows folder and creates
the service "AOL Instant Messenger". It attempts to remove
network shares from the infected PC. (Sophos)

W32/Tilebot-X -- Another Tilebot variant that exploits known
Windows flaws to infect a machine. This one drops "smrss.exe"
and "rofl.sys" in the Windows System folder. (Sophos)

Troj/Bifrose-EO -- A backdoor Trojan that drops "SVCH0ST.exe" in
the Windows system folder. No word on what kind of damage it can
cause. (Sophos)

Trojan.PSPBrick -- A virus that targets the Sony Playstation
Portable. It looks like a hack that allows users to play
non-Sony approved games on the device. It supposedly deletes
files on the infected device. No reports of it being in the wild
yet. (Symantec)

Troj/Banker-FU -- An Internet banking Trojan that targets
certain bank websites looking for passwords. It drops
"AntiVirus.exe" in the Windows System folder. (Sophos)
**********

From the interesting reading department:

U.K. hackers jailed over TK worm

Two British men who pleaded guilty to charges they helped create
the "TK worm" were sentenced to prison Friday in Newcastle Crown
Court. The worm infected thousands of computers, including two
owned by the U.S. Department of Defense. IDG News Service,
10/10/05.
<http://www.networkworld.com/nl8403>

Bank of America notifying customers after laptop theft

Users of the Bank of America's Visa Buxx prepaid debit cards are
being warned that they may have had sensitive information
compromised following the theft of an unencrypted laptop
computer. IDG News Service, 10/07/05.
<http://www.networkworld.com/nl8404>

Hackers fiercer than ever, FBI says

As head of the ever-expanding FBI computer intrusion squad,
Trent Teyema has heard all the stereotypes of who hackers are,
but he knows that people who call themselves that today are a
long way from their counterparts of even just a few years ago.
PC World, 10/07/05.

<http://www.networkworld.com/news/2005/10005-hackers-fbi.html?nl>

_______________________________________________________________
To contact: Jason Meserve

Jason Meserve is the Multimedia Editor at Network World and
writes about streaming media, search engines and IP Multicast.
Jason can be reached at <mailto:jmeserve@nww.com>. Check out his
Multimedia Exchange weblog at:
<http://www.networkworld.com/weblogs/multimedia/>

Check out our weekly Network World Radio program at:
<http://www.networkworld.com/radio/>
_______________________________________________________________
FEATURED READER RESOURCE

IT PROS SHARE THEIR TALES OF MAKING ITIL WORK

Running an enterprise network is challenging. IT organizational
change can be even more so if managers don't balance efforts
proportionally across people, process and technology.
Implementing best practices frameworks such as Information
Technology Infrastructure Library (ITIL) can help, but they
introduce their own set of challenges. Click here for more:

<http://www.networkworld.com/news/2005/092205-itil.html>
_______________________________________________________________
Copyright Network World, Inc., 2005
