<
 
 
 
 
×
>
hide
You are viewing a Web site, archived on 01:21:53 Oct 15, 2004. It is now a Federal record managed by the National Archives and Records Administration.
External links, forms, and search boxes may not function within this collection.
US-CERT

US-CERT Current Activity

The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.

Last reviewed: October 14, 2004 16:30:56 EDT

new Exploit for Microsoft GDI+ JPEG Parser
  W32/Bagle Revisited
  W32/MyDoom Revisited
  W32/Sasser
  Exploitation of Outlook Express MHTML cross-domain scripting vulnerability



Exploit for Microsoft GDI+ JPEG Parser
added September 29

US-CERT is aware of exploitation of a JPEG parsing vulnerability in the Microsoft GDI+ library. By convincing a victim to view a specially crafted JPEG image with a program that uses the GDI+ library, an attacker could execute arbitrary code with the privileges of the victim. Affected programs include Microsoft Internet Explorer, Office, Outlook, Outlook Express, and Windows Explorer. An attacker could exploit this vulnerability to install malicious code which might permit access to your computer.

More information about the vulnerability is available in VU#297462.

Microsoft has released patches for this vulnerability in Microsoft Security Bulletin MS04-028. Microsoft also suggests reading email in plain text mode to reduce the risk associated with the HTML email attack vector. Note that this workaround will prevent HTML formatted email messages from displaying properly.


W32/Bagle Revisited
added July 16 | updated August 10

Seven months since the W32/Bagle mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/Beagle are known to open a backdoor on an infected system which can lead to further exploitation by remote attackers.

The most recent variant is W32/Bagle.AO (discovered on August 9th). This variant arrives as an email message with the following characteristics:

  • Spoofed From address
  • Blank Subject line
  • Body text containing "new price"
  • Attachment containing .ZIP file extension

US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive.

You may also wish to visit the US-CERT's computer virus resources page.


W32/MyDoom Revisited
added July 26 | updated July 27

Six months since the W32/MyDoom mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/MyDoom are known to open a backdoor and use its own SMTP engine to spread through email.

US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive.

Please see US-CERT's Cyber Security Alert SA04-208A for more information.

You may also wish to visit the US-CERT's computer virus resources page.


W32/Sasser
added May 1 | updated June 24

US-CERT continues to receive reports of a worm known as "W32/Sasser". This worm attempts to exploit a buffer overflow vulnerability in the Windows Local Security Authority Service Server (LSASS). The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information on this vulnerability is available in Vulnerability Note VU#753212 and Microsoft Security Bulletin MS04-011.

The worm has been reported to propagate by scanning random IP addresses on port 445/tcp to identify vulnerable systems. When a vulnerable system is found, the worm will exploit the LSASS vulnerability, create a remote shell on port 9996/tcp, and start an FTP server on port 5554/tcp. The victim system will then connect back to the attacking system on port 5554/tcp to retrieve a copy of the worm. Systems infected by this worm may notice significant performance degradation.

US-CERT strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

You may also wish to visit the US-CERT computer virus resources page.


Exploitation of Outlook Express MHTML cross-domain scripting vulnerability
added April 7 | updated April 21

US-CERT is aware of exploitation of a cross-domain scripting vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler. The MHTML protocol handler is installed as part of Outlook Express and uses Internet Explorer (IE) to access mhtml: URLs. Microsoft Windows systems install Outlook Express, IE, and the vulnerable MHTML handler by default.

By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute arbitrary code with the privileges of the user running IE and possibly read or modify content in another web site.

More information about the vulnerability is available in TA04-099A and VU#323070.

This vulnerability appears to be exploited by the Ibiza trojan, W32/Bugbear.E, and various web sites that host malicious URLs and related malware. Exploits also may be identified as BloodHound.Exploit.6. Attackers may distribute malicious URLs in unsolicited email, instant messages, chat rooms, or web forums. Attackers may also distribute exploits in HTML email messages.

This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-013. For additional protection against these types of attacks, do not click on unsolicited links and maintain updated anti-virus software.

Please see US-CERT Incident Note IN-2004-02 for more information.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

You may also wish to visit the US-CERT's computer virus resources page.

Additional Information

National Cyber Alert System

Technical Cyber Security Alerts
Cyber Security Alerts
Cyber Security Bulletins
Cyber Security Tips

General Tips
  • Apply vendor-supplied software patches in a timely manner
  • Disable features/services that are not explicitly required
  • Install anti-virus software and keep it up to date
  • Use caution when opening email attachments and following URLs


Copyright 2004 Carnegie Mellon University.

CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark office.

Last updated June 17, 2004