CERT Summary CS-2003-04

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 11/24/03

Date: Mon, 24 Nov 2003 15:28:13 -0500
To: cert-advisory@cert.org


CERT Summary CS-2003-04

   November 24, 2003

   Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   Summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available from:

          CERT Summaries

Recent Activity

   Since the last regularly scheduled CERT summary, issued in September
   2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft
   Windows Workstation Service, RPCSS Service, and Exchange. We have also
   documented vulnerabilities in various SSL/TLS implementations, a
   buffer overflow in Sendmail, and a buffer management error in OpenSSH.
   We have received reports of W32/Swen.A, W32/Mimail variants, and
   exploitation of an Internet Explorer vulnerability reported in August
   of 2003.

   For more current information on activity being reported to the
   CERT/CC, please visit the CERT/CC Current Activity page. The Current
   Activity page is a regularly updated summary of the most frequent,
   high-impact types of security incidents and vulnerabilities being
   reported to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

          CERT/CC Current Activity

    1. W32/Mimail Variants

       The CERT/CC has received reports of several new variants of the
       'Mimail' worm. The most recent variant of the worm (W32/Mimail.J)
       arrives as an email message alleging to be from the Paypal
       financial service. The message requests that the recipient
       'verify' their account information to prevent the suspension of
       their Paypal account. Attached to the email is an executable file
       which captures this information (if entered), and sends it to a
       number of email addresses.

                Current Activity - November 19, 2003

    2. Buffer Overflow in Windows Workstation Service

       A buffer overflow vulnerability exists in Microsoft's Windows
       Workstation Service (WKSSVC.DLL) allowing an attacker to execute
       arbitrary code or cause a denial-of-service condition.

                CERT Advisory CA-2003-28
                Buffer Overflow in Windows Workstation Service

                Vulnerability Note VU#567620
                Microsoft Windows Workstation service vulnerable to
                buffer overflow when sent specially crafted network

    3. Multiple Vulnerabilities in Microsoft Windows and Exchange

       Multiple vulnerabilities exist in Microsoft Windows and Microsoft
       Exchange, the most serious of which could allow remote attackers
       to execute arbitrary code.

                CERT Advisory CA-2003-27
                Multiple Vulnerabilities in Microsoft Windows and

                Vulnerability Note VU#575892
                Buffer overflow in Microsoft Windows Messenger Service

                Vulnerability Note VU#422156
                Microsoft Exchange Server fails to properly handle
                specially crafted SMTP extended verb requests

                Vulnerability Note VU#467036
                Microsoft Windows Help and support Center contains buffer
                overflow in code used to handle HCP protocol

                Vulnerability Note VU#989932
                Microsoft Windows contains buffer overflow in Local
                Troubleshooter ActiveX control (Tshoot.ocx)

                Vulnerability Note VU#838572
                Microsoft Windows Authenticode mechanism installs ActiveX
                controls without prompting user

                Vulnerability Note VU#435444
                Microsoft Outlook Web Access (OWA) contains cross-site
                scripting vulnerability in the "Compose New Message" form

                Vulnerability Note VU#967668
                Microsoft Windows ListBox and ComboBox controls vulnerable
                to buffer overflow when supplied crafted Windows message

    4. Multiple Vulnerabilities in SSL/TLS Implementations

       Multiple vulnerabilities exist in the Secure Sockets Layer (SSL)
       and Transport Layer Security (TLS) protocols allowing an attacker
       to execute arbitrary code or cause a denial-of-service condition.

                CERT Advisory CA-2003-26
                Multiple Vulnerabilities in SSL/TLS Implementations

                Vulnerability Note VU#935264
                OpenSSL ASN.1 parser insecure memory deallocation

                Vulnerability Note VU#255484
                OpenSSL contains integer overflow handling ASN.1 tags (1)

                Vulnerability Note VU#380864
                OpenSSL contains integer overflow handling ASN.1 tags (2)

                Vulnerability Note VU#686224
                OpenSSL does not securely handle invalid public key when
                configured to ignore errors

                Vulnerability Note VU#732952
                OpenSSL accepts unsolicited client certificate messages

                Vulnerability Note VU#104280
                Multiple vulnerabilities in SSL/TLS implementations

                Vulnerability Note VU#412478
                OpenSSL 0.9.6k does not properly handle ASN.1 sequences

    5. Exploitation of Internet Explorer Vulnerability

       The CERT/CC received a number of reports indicating that attackers
       were actively exploiting the Microsoft Internet Explorer
       vulnerability described in VU#865940. These attacks include the
       installation of tools for launching distributed denial-of-service
       (DDoS) attacks, providing generic proxy services, reading
       sensitive information from the Windows registry, and using a
       victim system's modem to dial pay-per-minute services. The
       vulnerability described in VU#865940 exists due to an interaction
       between IE's MIME type processing and the way it handles HTML
       application (HTA) files embedded in OBJECT tags.

                CERT Advisory IN-2003-04
                Exploitation of Internet Explorer Vulnerability

                Vulnerability Note VU#865940
                Microsoft Internet Explorer does not properly evaluate
                "application/hta" MIME type referenced by DATA attribute
                of OBJECT element

    6. W32/Swen.A Worm

       On September 19, the CERT/CC began receiving a large volume of
       reports of a mass mailing worm, referred to as W32/Swen.A,
       spreading on the Internet. Similar to W32/Gibe.B in function, this
       worm arrives as an attachment claiming to be a Microsoft Internet
       Explorer Update or a delivery failure notice from qmail. The
       W32/Swen.A worm requires a user to execute the attachment either
       manually or by using an email client that will open the attachment
       automatically. Upon opening the attachment, the worm attempts to
       mail itself to all email addresses it finds on the system. The
       CERT/CC updated the current activity page to contain further
       information on this worm.

                Current Activity - September 19, 2003

    7. Buffer Overflow in Sendmail

       Sendmail, a widely deployed mail transfer agent (MTA), contains a
       vulnerability that could allow an attacker to execute arbitrary
       code with the privileges of the sendmail daemon, typically root.

                CERT Advisory CA-2003-25
                Buffer Overflow in Sendmail

                Vulnerability Note VU#784980
                Sendmail prescan() buffer overflow vulnerability

    8. Buffer Management Vulnerability in OpenSSH

       A remotely exploitable vulnerability exists in a buffer management
       function in versions of OpenSSH prior to 3.7.1. This vulnerability
       could enable an attacker to cause a denial-of-service condition.

                CERT Advisory CA-2003-24
                Buffer Management Vulnerability in OpenSSH

                Vulnerability Note VU#333628
                OpenSSH contains buffer management errors

    9. RPCSS Vulnerabilities in Microsoft Windows

       On September 10, the CERT/CC reported on three vulnerabilities
       that affect numerous versions of Microsoft Windows, two of which
       are remotely exploitable buffer overflows that may an allow an
       attacker to execute code with system privileges.

                CERT Advisory CA-2003-23
                RPCSS Vulnerabilities in Microsoft Windows

                Vulnerability Note VU#483492
                Microsoft Windows RPCSS Service contains heap overflow in
                DCOM activation routines

                Vulnerability Note VU#254236
                Microsoft Windows RPCSS Service contains heap overflow in
                DCOM request filename handling

                Vulnerability Note VU#326746
                Microsoft Windows RPC service vulnerable to
                denial of service

New CERT Coordination Center (CERT/CC) PGP Key

   On October 15, the CERT/CC issued a new PGP key, which should be used
   when sending sensitive information to the CERT/CC.

          CERT/CC PGP Public Key

          Sending Sensitive Information to the CERT/CC

What's New and Updated

   Since the last CERT Summary, we have published new and updated
     * Advisories
     * Vulnerability Notes
     * CERT/CC Statistics
     * Congressional Testimony
     * Training Schedule
     * CSIRT Development

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If you prefer to use DES, please call the CERT hotline for more

Getting security information

   CERT publications and other security information are available from
   our web site

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

Version: PGP 6.5.8