US-CERT Current Activity
The US-CERT Current Activity web page is a regularly updated summary
of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.
Last reviewed: October 14, 2004 16:30:56 EDT
Exploit for Microsoft GDI+ JPEG Parser
added September 29
US-CERT is aware of exploitation of a JPEG parsing vulnerability in the Microsoft GDI+ library. By convincing a victim to view a specially crafted JPEG image with a program that uses the GDI+ library, an attacker could execute arbitrary code with the privileges of the victim. Affected programs include Microsoft Internet Explorer, Office, Outlook, Outlook Express, and Windows Explorer. An attacker could exploit this vulnerability to install malicious code which might permit access to your computer.
More information about the vulnerability is available in VU#297462.
Microsoft has released patches for this vulnerability in Microsoft Security Bulletin MS04-028. Microsoft also suggests reading email in plain text mode to reduce the risk associated with the HTML email attack vector. Note that this workaround will prevent HTML formatted email messages from displaying properly.
W32/Bagle Revisited
added July 16 | updated August 10
Seven months since the W32/Bagle mass-mailing virus first appeared on the
Internet, US-CERT continues to see new variants appearing and many
variants (new and old) continuing to spread. Many variants of
W32/Beagle are known to open a backdoor on an infected system which
can lead to further exploitation by remote attackers.
The most recent variant is W32/Bagle.AO (discovered on August 9th). This variant arrives as an email message with the following characteristics:
- Spoofed From address
- Blank Subject line
- Body text containing "new price"
- Attachment with a .ZIP file extension
US-CERT strongly encourages users to install and maintain anti-virus
software and exercise caution when handling attachments. Anti-virus
software may not be able to scan password-protected archive files, so
users must use discretion when opening archive files and should scan
files once they have been extracted from an archive.
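As an added example (not US-CERT's code), the following mail-triage routine checks a message for the W32/Bagle.AO traits listed above and also flags a .ZIP attachment whose local file header carries the encryption bit, since that is the case in which anti-virus software cannot inspect the archive contents. The sample message, its addresses and the attachment bytes are all constructed.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header sets general-purpose bit 0 (encrypted)."""
    if len(data) < 8 or not data.startswith(ZIP_LOCAL_HEADER):
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def bagle_ao_indicators(raw: bytes) -> list:
    """Return the Bagle.AO traits present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if not (msg["Subject"] or "").strip():
        hits.append("blank subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and "new price" in body.get_content().lower():
        hits.append('body contains "new price"')
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            hits.append(f"zip attachment {name}")
            if zip_is_encrypted(part.get_payload(decode=True) or b""):
                hits.append("zip is password protected (not AV-scannable)")
    return hits


def build_sample() -> bytes:
    """Constructed message with the listed traits; the 'archive' is only a header."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # constructed address
    msg["To"] = "user@example.net"        # constructed address
    msg["Subject"] = ""
    msg.set_content("new price")
    # Minimal ZIP local file header: signature, version 20, flags=1 (encrypted)
    fake_zip = ZIP_LOCAL_HEADER + struct.pack("<HH", 20, 1) + b"\x00" * 22
    msg.add_attachment(fake_zip, maintype="application", subtype="zip",
                       filename="price.zip")
    return msg.as_bytes()
```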
You may also wish to visit US-CERT's computer virus resources page.
W32/MyDoom Revisited
added July 26 | updated July 27
Six months since the W32/MyDoom mass-mailing virus first appeared on the
Internet, US-CERT continues to see new variants appearing and many
variants (new and old) continuing to spread. Many variants of
W32/MyDoom are known to open a backdoor and use their own SMTP engine to spread
through email.
US-CERT strongly encourages users to install and maintain anti-virus
software and exercise caution when handling attachments. Anti-virus
software may not be able to scan password-protected archive files, so
users must use discretion when opening archive files and should scan
files once they have been extracted from an archive.
Please see US-CERT's
Cyber Security Alert SA04-208A for more information.
You may also wish to visit US-CERT's computer virus resources page.
W32/Sasser
added May 1 | updated June 24
US-CERT continues to receive reports of a worm known as
"W32/Sasser". This worm attempts to exploit a buffer overflow
vulnerability in the Windows Local Security Authority Subsystem Service
(LSASS). The vulnerability allows a remote attacker to execute
arbitrary code with SYSTEM privileges. More information on this
vulnerability is available in Vulnerability Note VU#753212 and
Microsoft Security Bulletin MS04-011.
The worm has been reported to propagate by scanning random IP
addresses on port 445/tcp to identify vulnerable systems. When a
vulnerable system is found, the worm will exploit the LSASS
vulnerability, create a remote shell on port 9996/tcp, and start an
FTP server on port 5554/tcp. The victim system will then connect back
to the attacking system on port 5554/tcp to retrieve a copy of the
worm. Infected systems may show significant performance
degradation.
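The propagation sequence above leaves a recognisable footprint in connection logs. The following is an added example (not from US-CERT) of a heuristic over such records: it flags a host that sweeps many distinct destinations on 445/tcp, a host that receives a connection on the 9996/tcp shell port, and the pair in which the target of a 445/tcp connection connects back to port 5554/tcp on the host that reached it. The flow records and IP addresses are constructed; the threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps 445/tcp; 10.0.0.50 is hit and pulls the worm back.
SAMPLE_FLOWS = [(i, "10.0.0.5", f"192.168.1.{i}", 445) for i in range(1, 41)]
SAMPLE_FLOWS += [
    (41, "10.0.0.5", "10.0.0.50", 445),    # LSASS exploit attempt
    (42, "10.0.0.5", "10.0.0.50", 9996),   # attacker reaches remote shell
    (43, "10.0.0.50", "10.0.0.5", 5554),   # victim retrieves worm copy
    (44, "10.0.0.9", "10.0.0.20", 445),    # ordinary file-share access
]

SCAN_THRESHOLD = 20  # assumed: distinct 445/tcp destinations before calling it a sweep


def find_sasser_candidates(flows, scan_threshold=SCAN_THRESHOLD):
    """Return {host: sorted reasons} for hosts matching the Sasser pattern."""
    dsts_445 = defaultdict(set)   # src -> set of 445/tcp destinations
    smb_pairs = set()             # (src, dst) pairs seen on 445/tcp
    reasons = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == 445:
            dsts_445[src].add(dst)
            smb_pairs.add((src, dst))
        elif dport == 9996:
            reasons[dst].add("accepted connection on shell port 9996/tcp")
    for src, dsts in dsts_445.items():
        if len(dsts) >= scan_threshold:
            reasons[src].add(f"445/tcp sweep of {len(dsts)} distinct hosts")
    # Retrieval step: the 445/tcp target connects back to 5554/tcp on its attacker.
    for _ts, src, dst, dport in flows:
        if dport == 5554 and (dst, src) in smb_pairs:
            reasons[dst].add("served 5554/tcp to a host it reached on 445/tcp")
            reasons[src].add("fetched from 5554/tcp of host that hit its 445/tcp")
    return {host: sorted(r) for host, r in reasons.items()}


if __name__ == "__main__":
    for host, why in find_sasser_candidates(SAMPLE_FLOWS).items():
        print(host, why)
```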
US-CERT strongly encourages users to install anti-virus software and
keep its virus signature files up to date.
You may also wish to visit the US-CERT computer virus resources
page.
Exploitation of Outlook Express MHTML cross-domain scripting vulnerability
added April 7 | updated April 21
US-CERT is aware of exploitation of a cross-domain scripting
vulnerability in the Outlook Express MIME Encapsulation of Aggregate
HTML Documents (MHTML) protocol handler. The MHTML protocol handler
is installed as part of Outlook Express and uses Internet Explorer
(IE) to access mhtml: URLs. Microsoft
Windows systems install Outlook Express, IE, and the vulnerable MHTML
handler by default.
By convincing a victim to view an HTML document (web page, HTML
email), an attacker could execute arbitrary code with the privileges
of the user running IE and possibly read or modify content in another
web site.
More information about the vulnerability is available in TA04-099A
and VU#323070.
This vulnerability appears to be exploited by the Ibiza trojan,
W32/Bugbear.E, and various web sites that host malicious URLs and
related malware. Exploits also may be identified as
BloodHound.Exploit.6. Attackers may distribute malicious URLs in
unsolicited email, instant messages, chat rooms, or web forums.
Attackers may also distribute exploits in HTML email messages.
This vulnerability is remedied by the patches described in Microsoft
Security Bulletin MS04-013.
For additional protection against these types of attacks, do not click
on unsolicited links and maintain updated anti-virus
software.
Please see US-CERT Incident Note IN-2004-02
for more information.
US-CERT strongly encourages users to install and maintain
anti-virus software. We also encourage users to exercise discretion
when opening any email attachment.
You may also wish to visit US-CERT's computer virus resources
page.