Sûnnet Beskerming Alert List Advisory #224
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact
info@... to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html)
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 ClamAV
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Microsoft DNS Problems Increasing
2.2 More Resources Not A Guarantee Against Infection
=====================================
1. SECURITY
1.1 ClamAV - Remote Hacker Automatic Control
-- Products Affected --
ClamAV 0.90.1 and earlier
-- Technical Description --
Scanning a malicious CAB file (Microsoft's Cabinet format, the default
Windows compressed archive format) can trigger a buffer overflow in
ClamAV which allows arbitrary code execution in the context of the
scanning process.
-- Description --
Scanning a crafted CAB file with the ClamAV antivirus product can
allow an attacker to run software of their choice on a vulnerable
system. Because ClamAV is commonly deployed on mail and file gateways
that scan untrusted content automatically, no user interaction is
required beyond the file reaching the scanner.
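The bug class behind this advisory is an archive parser trusting the sizes
and offsets stored in the file it is scanning. The following is an added
illustration of the checks a CAB parser needs before it acts on those
fields; it is example code written for this page, not ClamAV's code and
not the specific defect fixed in 0.90.2. The structure layouts follow
Microsoft's published CFHEADER / CFFOLDER / CFFILE / CFDATA definitions;
the build_cab() helper and its sample input are constructed here so the
example runs offline, and the "lie_cbdata" parameter is an assumption used
only to produce a malformed file.

```python
import struct

# Fixed-size parts of the Microsoft Cabinet on-disk structures (little-endian).
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes: "MSCF", reserved1, cbCabinet,
                                            # reserved2, coffFiles, reserved3, versionMinor,
                                            # versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = struct.Struct("<IHH")            # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")           # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")              # csum, cbData, cbUncomp (payload follows)
MAX_UNCOMP_BLOCK = 0x8000                   # spec limit for cbUncomp in one CFDATA block
FLAG_RESERVE_PRESENT = 0x0004               # header carries per-structure reserve sizes


class CabError(ValueError):
    """Raised for any field that would make the parser read outside the buffer."""


def _need(data, off, n, what):
    # Every length or offset comes from the file itself, so it must be bounded
    # against the real buffer size before it is used for a read or a copy.
    if off < 0 or n < 0 or off + n > len(data):
        raise CabError(f"{what}: need {n} bytes at offset {off}, have {len(data)}")


def parse_cab(data):
    """Walk a cabinet and return its folders, files and raw CFDATA payloads, refusing
    any structure that does not fit inside the bytes actually present."""
    _need(data, 0, CFHEADER.size, "CFHEADER")
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     c_folders, c_files, flags, _set_id, _i_cab) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise CabError("bad signature")
    if cb_cabinet != len(data):
        raise CabError(f"cbCabinet {cb_cabinet} does not match actual size {len(data)}")
    off = CFHEADER.size
    cb_cffolder = cb_cfdata = 0
    if flags & FLAG_RESERVE_PRESENT:
        _need(data, off, 4, "reserve sizes")
        cb_cfheader, cb_cffolder, cb_cfdata = struct.unpack_from("<HBB", data, off)
        off += 4
        _need(data, off, cb_cfheader, "header reserve area")
        off += cb_cfheader
    folders = []
    for i in range(c_folders):
        _need(data, off, CFFOLDER.size + cb_cffolder, f"CFFOLDER[{i}]")
        folders.append(CFFOLDER.unpack_from(data, off))
        off += CFFOLDER.size + cb_cffolder
    if coff_files < off:
        raise CabError("coffFiles points back into the header/folder area")
    off = coff_files
    files = []
    for i in range(c_files):
        _need(data, off, CFFILE.size, f"CFFILE[{i}]")
        cb_file, uoff, i_folder, _d, _t, _a = CFFILE.unpack_from(data, off)
        off += CFFILE.size
        end = data.find(b"\x00", off)       # szName is NUL-terminated; no NUL means a truncated file
        if end < 0:
            raise CabError(f"CFFILE[{i}]: unterminated name")
        name = data[off:end]
        off = end + 1
        if i_folder < 0xFFFD and i_folder >= c_folders:  # 0xFFFD..0xFFFF are continuation markers
            raise CabError(f"CFFILE[{i}]: iFolder {i_folder} out of range")
        files.append((name, cb_file, uoff, i_folder))
    blocks = []
    for fi, (coff_start, c_cfdata, _type) in enumerate(folders):
        off = coff_start
        for j in range(c_cfdata):
            _need(data, off, CFDATA.size + cb_cfdata, f"CFDATA[{fi}][{j}] header")
            _csum, cb_data, cb_uncomp = CFDATA.unpack_from(data, off)
            off += CFDATA.size + cb_cfdata
            if cb_uncomp > MAX_UNCOMP_BLOCK:
                raise CabError(f"CFDATA[{fi}][{j}]: cbUncomp {cb_uncomp} exceeds block limit")
            # cbData is the classic untrusted length: copying cb_data bytes into a
            # fixed buffer without this check is exactly how an archive overflows a scanner.
            _need(data, off, cb_data, f"CFDATA[{fi}][{j}] payload")
            blocks.append(data[off:off + cb_data])
            off += cb_data
    return {"folders": folders, "files": files, "blocks": blocks}


def check_cab(data):
    """Convenience wrapper: (True, None) if well formed, else (False, reason)."""
    try:
        parse_cab(data)
        return True, None
    except CabError as exc:
        return False, str(exc)


def build_cab(name, payload, lie_cbdata=None):
    """Constructed test input: a one-folder, one-file, stored (typeCompress=0) cabinet.
    lie_cbdata (hypothetical) overrides cbData to fabricate an oversized block."""
    cb_data = len(payload) if lie_cbdata is None else lie_cbdata
    cfdata = CFDATA.pack(0, cb_data, len(payload)) + payload
    cffile = CFFILE.pack(len(payload), 0, 0, 0, 0, 0x20) + name + b"\x00"
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_cab_start = coff_files + len(cffile)
    cffolder = CFFOLDER.pack(coff_cab_start, 1, 0)
    total = coff_cab_start + len(cfdata)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, 1, 0, 0, 0)
    return header + cffolder + cffile + cfdata


if __name__ == "__main__":
    print(check_cab(build_cab(b"hello.txt", b"hello world")))
    print(check_cab(build_cab(b"evil.txt", b"x" * 16, lie_cbdata=0xFFFF)))
```

The malformed sample declares a 65535-byte CFDATA block inside a 93-byte
file; a parser that allocates or copies based on cbData alone would read
or write far beyond the data it holds, whereas bounding every field
against the real buffer size rejects the file before any copy happens.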
-- Recommended Action --
Update to the latest version of ClamAV (0.90.2 or later). Until the
update can be installed, avoid scanning CAB files with ClamAV; note
that ClamAV identifies archive types by content rather than by file
extension, so filtering on the ".cab" extension alone does not keep
such files away from the vulnerable code.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U   O
Home User     9   9 (Critical)
Corporate     9   9 (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Microsoft DNS Problems Increasing
The recently disclosed vulnerability in the Microsoft DNS Server
product line (Advisory #63) has grown more serious since its initial
public disclosure. At least one worm (Rinbot / Nirbot) now
incorporates attack attempts against the DNS Server weakness as part
of its infection mechanism, and it has also been found that an
authenticated user can reach the vulnerable interface over other
network ports (such as 445). It has also been disclosed that if the
name of the system is longer than 15 characters, local configuration
and administration of the server may fail; in that case, Microsoft
recommends that administrators use the system's Fully Qualified
Domain Name (FQDN) to apply and manage configuration changes.
Publicly available code to exploit the vulnerability has appeared on
several websites, including exploit code that specifically targets
the alternate attack route (port 445).
2.2 More Resources Not A Guarantee Against Infection
Ongoing reporting this month from Support Intelligence is
highlighting the problem of compromised systems in the networks of
Fortune 500 companies and government agencies and departments (such
as the Department of Defence). Their research has turned up
spam-spewing zombie systems within corporate and defence networks,
including within major IT firms such as Oracle and HP. Firms which
control sensitive personal and financial information, such as
insurance providers, also appear on the list of companies with
compromised systems that are spamming the rest of the Internet.
The presence of these compromised systems within major corporate
networks raises questions about the effectiveness of perimeter
network security at major companies and government agencies. If the
defences and internal system configurations are not enough to keep
their systems from joining botnets, then the controls in place are
not effective. Active zombies on a network are under the control of
remote attackers, and an attacker with complete control of one
internal system has taken the essential first step towards
compromising the rest of the network, so the network as a whole
should be treated as compromised.
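Spam-spewing zombies of the kind described above are visible at the
perimeter as internal hosts that are not the organisation's mail relay yet
open outbound TCP/25 connections to many distinct external addresses. The
following is an added example of that check, written for this page and not
code from Support Intelligence or any vendor; the log line format, the
sample lines, the 10.0.0.0/8 internal range and the threshold of three
distinct destinations are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real data). Fields: timestamp, verdict,
# protocol, source ip:port, destination ip:port. 10.0.0.25 is the legitimate mail relay.
SAMPLE_LOG = """\
2007-04-16T10:22:01 ALLOW TCP 10.1.5.23:51022 -> 203.0.113.7:25
2007-04-16T10:22:02 ALLOW TCP 10.1.5.23:51023 -> 198.51.100.9:25
2007-04-16T10:22:02 ALLOW TCP 10.1.5.23:51024 -> 192.0.2.44:25
2007-04-16T10:22:03 ALLOW TCP 10.1.5.23:51025 -> 203.0.113.81:25
2007-04-16T10:22:03 ALLOW TCP 10.1.5.23:51026 -> 198.51.100.200:25
2007-04-16T10:22:05 ALLOW TCP 10.0.0.25:40001 -> 203.0.113.7:25
2007-04-16T10:22:06 ALLOW TCP 10.0.0.25:40002 -> 198.51.100.9:25
2007-04-16T10:22:06 ALLOW TCP 10.0.0.25:40003 -> 192.0.2.44:25
2007-04-16T10:22:07 ALLOW TCP 10.0.0.25:40004 -> 203.0.113.81:25
2007-04-16T10:22:09 ALLOW TCP 10.2.7.9:33000 -> 203.0.113.7:25
2007-04-16T10:22:10 ALLOW TCP 10.2.7.9:33001 -> 192.0.2.80:80
2007-04-16T10:22:11 DENY TCP 10.3.1.4:22222 -> 198.51.100.9:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

MAIL_RELAYS = {"10.0.0.25"}   # assumed: the only hosts permitted to send SMTP directly


def find_smtp_talkers(log_text, mail_relays, min_distinct_dst=3):
    """Return (suspects, blocked): suspects maps each non-relay internal source that was
    ALLOWED to reach at least min_distinct_dst distinct external hosts on TCP/25 to the
    sorted destination list; blocked maps sources whose TCP/25 attempts were DENIED.
    A host fanning out to many mail servers is the signature of direct-to-MX spamming;
    the denied set shows where egress filtering is already doing its job."""
    allowed = defaultdict(set)
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] != "25":
            continue                      # unparseable or not SMTP: out of scope here
        src, dst = m["src"], m["dst"]
        if src in mail_relays:
            continue                      # the relay is expected to talk SMTP outbound
        (allowed if m["action"] == "ALLOW" else denied)[src].add(dst)
    suspects = {s: sorted(d) for s, d in allowed.items() if len(d) >= min_distinct_dst}
    blocked = {s: sorted(d) for s, d in denied.items()}
    return suspects, blocked


if __name__ == "__main__":
    suspects, blocked = find_smtp_talkers(SAMPLE_LOG, MAIL_RELAYS)
    for host, dsts in suspects.items():
        print(f"possible spam zombie {host}: {len(dsts)} distinct SMTP destinations")
    for host, dsts in blocked.items():
        print(f"blocked SMTP attempts from {host}: {dsts}")
```

On the sample input only 10.1.5.23 is flagged: the relay is exempt, 10.2.7.9
contacted a single mail server, and 10.3.1.4 was stopped by the firewall.
The deeper lesson of the passage is that the DENY case should be the
norm; where outbound TCP/25 from arbitrary workstations is ALLOWED, the
perimeter is not providing the control the organisation assumes it has.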
=======================================
Sincerely,
Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com