To: iwar@onelist.com (Information Warfare Mailing List)
From: Fred Cohen <fc@all.net>
Date: Thu, 14 Feb 2002 22:11:22 -0800 (PST)
Subject: [iwar] [fc:CyberNotes.Latest.Issue.2002-03]
Welcome to the National Infrastructure Protection Center's (NIPC's)
latest issue of CyberNotes, a free publication of the Federal Bureau of
Investigation (FBI). CyberNotes is designed to support security and
information system professionals with timely information on cyber
vulnerabilities, exploit scripts, hacker trends, virus information, and
other critical infrastructure-related best practices. CyberNotes is
published every two weeks.
The attached file is in HTML format. An Adobe PDF version of this
document, along with archive issues, can be found on the NIPC web site
at http://www.nipc.gov. The latest version of CyberNotes on the NIPC
website is usually 24-48 hours behind the e-mail distribution.
The NIPC welcomes your comments, suggestions, and contributions. Please
email any input or requests to be added to the distribution list to NIPC
through IPDigest@mitre.org.
You are encouraged to share this publication with colleagues in the
information security and infrastructure protection fields. If they wish
to be added to the mailing list, they should email a request to the
above address including their name, organization, and how they learned
about CyberNotes.
Sincerely,
CyberNotes List Administrator
</pre>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<META NAME="Generator" CONTENT="Microsoft Word 97">
<TITLE>Bugs, Holes & Patches</TITLE>
<META NAME="Template" CONTENT="C:\Program Files\Microsoft Office\Office\html.dot">
</HEAD>
<BODY LINK="#0000ff" VLINK="#800080">
<B><FONT FACE="Baskerville Old Face,Times New Roman" SIZE=5 COLOR="#000080"><P ALIGN="CENTER">National
Infrastructure Protection Center CyberNotes</P><DIR>
<DIR>
</FONT><I><FONT FACE="Baskerville Old Face,Times New Roman" SIZE=1 COLOR="#0000ff"><P>Issue
#2002-03									 February 11, 2002</P></DIR>
</DIR>
</B></I></FONT><FONT SIZE=1 COLOR="#ff0000"><P> </P>
</FONT><B><FONT SIZE=2><P>CyberNotes is published every two weeks by the National
Infrastructure Protection Center (NIPC). Its mission is to support security and information
system professionals with timely information on cyber vulnerabilities, malicious
scripts, information security trends, virus information, and other critical infrastructure-related
best practices. </P>
</B><P>You are encouraged to share this publication with colleagues in the information
and infrastructure protection field. Electronic copies are available on the NIPC
Web site at </FONT>http://www.nipc.gov<FONT
SIZE=2>.</P>
<P>Please direct any inquiries regarding this publication to the Editor-CyberNotes,
National Infrastructure Protection Center, FBI Building, Room 11719, 935 Pennsylvania
Avenue, NW, Washington, DC, 20535.</P>
</FONT><B><I><FONT FACE="Baskerville Old Face,Times New Roman" SIZE=5 COLOR="#0000ff"><P>Bugs,
Holes & Patches </P>
</B></I></FONT><FONT SIZE=2><P>The following table provides a summary of software
vulnerabilities identified between January 21 and February 7, 2002. The table provides
the vendor, operating system, software name, potential vulnerability/impact, identified
patches/workarounds/alerts, common name of the vulnerability, potential risk, and
an indication of whether attacks have utilized this vulnerability or an exploit script
is known to exist. Software versions are identified if known. <B>This information
is presented only as a summary; complete details are available from the source of
the patch/workaround/alert, indicated in the footnote or linked site. </B>Please
note that even if the method of attack has not been utilized or an exploit script
is not currently widely available on the Internet, a potential vulnerability has
been identified. <B>Updates to items appearing in previous issues of CyberNotes are
listed in bold. New information contained in the update will appear in italicized
colored text. </B>Where applicable, the table lists a "CVE number" (in red) which
corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation
of standardized names for vulnerabilities and other information security exposures.</P></FONT>
<TABLE BORDER CELLSPACING=1 CELLPADDING=7 WIDTH=780>
<TR><TD WIDTH="9%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=27>
<P ALIGN="CENTER"><A NAME="_Toc426442378"><B><FONT SIZE=1>Vendor</B></FONT></TD>
<TD WIDTH="9%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=27>
<B><FONT SIZE=1><P ALIGN="CENTER">Operating System</B></FONT></TD>
<TD WIDTH="10%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=27>
<B><FONT SIZE=1><P ALIGN="CENTER">Software Name</B></FONT></TD>
<TD WIDTH="22%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=27>
<B><FONT SIZE=1><P ALIGN="CENTER">Vulnerability/Impact</B></FONT></TD>
<TD WIDTH="18%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=27>
<B><FONT SIZE=1><P ALIGN="CENTER">Patches/Workarounds/Alerts</B></FONT></TD>
<TD WIDTH="12%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=27>
<B><FONT SIZE=1><P ALIGN="CENTER">Common Name</B></FONT></TD>
<TD WIDTH="8%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=27>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Risk*</B></FONT></TD>
<TD WIDTH="12%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=27>
<B><FONT SIZE=1><P ALIGN="CENTER">Attacks/ Scripts</B></FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>AHG</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>HTML search 1.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because user input is not properly sanitized
in the ‘search.cgi’ script, which could let a remote malicious user execute arbitrary
code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">HTML ‘Search.CGI’ Arbitrary Command </FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Vulnerability can be exploited
via a web browser.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Apache Group</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Apache 2.0.28 Beta</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists in ‘php.exe,’ which could let a malicious
user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Apache ‘php.exe’ Path Disclosure</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Vulnerability can be exploited
via a web browser.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Caldera</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>UnixWare 7.1.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists in the library functions that are used to
manipulate message catalogs, which could let a malicious user obtain elevated privileges.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Patch available at: </FONT>ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.3/erg711179.Z</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">UnixWare Library Function</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Castelle</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>FaxPress Software 6.3</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists when a print job is submitted with an incorrect
password, which could let a malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">FaxPress Password Disclosure</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Cisco Systems</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>tac_plus F4.0.4 alpha</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because accounting files are created insecurely,
which could let a malicious user modify/remove accounting files.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Tac_Plus Insecure Accounting File</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Cisco Systems </FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Secure ACS for Windows NT 3.0.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because users in the NDS (Novell Directory
Services) database that have expired or disabled accounts may still authenticate
with the service.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Patch available at: </FONT>http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Secure ACS NDS Expired/Disabled User Authentication</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Compaq</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Tru64 4.0d</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A Denial of Service vulnerability exists when a scan is received
across the network.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Tru64 Scan Denial Of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. This vulnerability can
be exploited with a scanning tool.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=227>
<FONT SIZE=1><P>Compaq</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=227>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=227>
<FONT SIZE=1><P>Tru64 4.0g PK3 (BL17), 4.0g, 4.0f PK7 (BL18), 4.0f PK6 (BL17), 4.0f,
4.0d PK9 (BL17), 4.0d, 5.0a PK3 (BL17), 5.0 PK4 (BL17), 5.0, 5.1a, 5.1 PK4 (BL18),
5.1 PK3 (BL17), 5.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=227>
<FONT SIZE=1><P>A race condition vulnerability exists in the Unix kernel, which
could let a malicious user obtain root access.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=227>
<FONT SIZE=1><P>Patch available at: </FONT>http://ftp1.support.compaq.com/public/unix/
<FONT SIZE=1>You must have installed Tru64 UNIX 4.0G and PK3 (BL17) before
applying the patch.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=227>
<FONT SIZE=1><P ALIGN="CENTER">Tru64 Kernel Race Condition</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=227>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=227>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Compaq</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 98/ME/ 2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Intel PRO/ Wireless 2011B LAN USB Device Driver 1.5.16.0, 1.5.18.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because the WEP (Wired Equivalent Privacy)
Key is stored in plaintext, which could let an unprivileged malicious user obtain
sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Intel PRO/Wireless 2011B LAN USB Device Driver Plaintext
WEP</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>DC Scripts</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>DCForum 5.0, 6.0, 6.21, 2000 1.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because predictable passwords are generated,
which could let a remote malicious user obtain elevated privileges.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Upgrade available at: </FONT>http://www.dcscripts.com/FAQ/retrieve_password.txt</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">DCForum Predictable Password </FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>DeleGate</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000,</P>
<P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>DeleGate 7.7.0, 7.7.1, 7.8.0, 7.8.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple buffer overflow vulnerabilities exist in various proxy
components, which could let a remote malicious user execute arbitrary code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">DeleGate Multiple Buffer Overflow Vulnerabilities</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Eshare Communications Incorporated</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Eshare Expressions 1.0, 2.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A Directory Traversal vulnerability exists due to insufficient string
validation, which could let a remote malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Eshare Expressions Directory Traversal</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Etype</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 95/98/NT 4.0/2000, XP</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Eserv 2.97</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Two vulnerabilities exist: a Denial of Service vulnerability exists
when a large number of ‘PASV’ requests are sent to the server; and a vulnerability
exists which could let a remote malicious user connect to an arbitrary port via the
‘PORT’ command.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Upgrade available at: </FONT>ftp://ftp.eserv.ru/pub/beta/2.98/Eserv3123.zip</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">EServ Multiple Vulnerabilities</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>FAQ-O-Matic</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>FAQ-O-Matic 2.711, 2.712</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A cross-site scripting vulnerability exists because script code
is not properly filtered from URL parameters, which could let a remote malicious
user execute arbitrary code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Patch available at: </FONT>http://sourceforge.net/cvs/?group_id=10674</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Faq-O-Matic Cross-Site Scripting</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit has been published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>FreeBSD</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>FreeBSD 4.1, 4.1.1, 4.2-4.5</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A Denial of Service vulnerability exists due to a race condition
in the FStatFS Syscall.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Patch available at: </FONT>ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:09/fstatfs.patch</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">FreeBSD FStatFS Syscall Race Condition</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Hanterm</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Hanterm 3.3</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A buffer overflow vulnerability exists when a maliciously constructed
parameter is sent to the server, which could let a malicious user execute arbitrary
code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Hanterm Buffer Overflow</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit script has been
published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Hosting Controller</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Hosting Controller 1.1, 1.3, 1.4b, 1.4, 1.4.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists when an invalid username is entered, which
could let a remote malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Hosting Controller Invalid Username</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Infopop</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000, Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>UBB Threads 5.4; Wired Community Software WWW Threads
5.0.9, 5.0.8, 5.0.6, 5.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists when a second file extension is added because
only the first file extension is checked, which could let a remote malicious user
upload arbitrary files.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Upgrade available at: </FONT>http://www.infopop.com/support/ubbthreads/index.html</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">UBBThreads/WWW Threads Arbitrary File </FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Internet Security Systems</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 2000, XP</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>BlackIce Agent 3.0, 3.1, BlackICE Defender 2.9caq, 2.9cap; RealSecure
Server Sensor 6.0.1 Win, 6.5 Win</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A remote Denial of Service vulnerability exists when a continuous
series of ICMP Echo Request 10,000 byte packets are sent to the server.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Workarounds available at: </FONT>http://www.iss.net/security_center/alerts/advise109.php</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">BlackICE and RealSecure Denial of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low/ <B>High</P>
<P ALIGN="CENTER"> (High if DDoS best practices not in place.)</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</P>
<P> Vulnerability has appeared in the press and other public media.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Jelsoft Enterprises</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>vBulletin 2.2.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A cross-site scripting vulnerability exists because user input is
not properly sanitized, which could let a malicious user execute arbitrary code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">vBulletin Board Cross-Site Scripting</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Vulnerability can be exploited
via a web browser.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Khaled Mardam-Bey</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 95/98/ME/NT 4.0/2000, XP</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>mIRC 2.1a, 2.3a, 2.4, 2.4a, 2.5a, 2.7a, 2.8c, 3.1-3.9, 4.0, 4.1,
4.5-4.7, 5.0, 5.1, 5.3-5.91</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Two vulnerabilities exist: a buffer overflow vulnerability exists
when a nickname over 200 characters long is used, which could let a remote malicious
user execute arbitrary code; and a vulnerability exists which could let a remote
malicious user direct mIRC users to a compromised IRC server by way of HTML code
on a Web page.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Upgrade available at: </FONT>http://www.mirc.com/get.html</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">MIRC Nickname Buffer Overflow</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit script has been
published.</P>
<P>Vulnerability has appeared in the press and other public media.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>KICQ</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>KICQ 2.0.0b1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A remote Denial of Service vulnerability exists when random characters
are sent to the port.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">KICQ Denial of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit has been published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>LICQ</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>LICQ 1.0-1.0.4</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A Denial of Service vulnerability exists when excessively long requests
containing format strings are sent to the client.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>The vendor has confirmed this issue and an upgrade is available
via CVS.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">LICQ Format String Denial Of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Lotus</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000, OS/2 4.5Warp, OS/390 V2R9, Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Domino 4.6.1, 4.6.3, 4.6.4, 5.0, 5.0.1-5.0.9</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Two Denial of Service vulnerabilities exist: one because URL requests
for MS-DOS devices are not handled correctly, and one when a request for a DOS device
from the CGI-BIN has an extension of 220 characters and is submitted approximately
400 times.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Upgrade available at: </FONT>http://notes.net/qmrdown.nsf</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Domino DOS Request Denial Of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. The URL request vulnerability
can be exploited via a web browser and there is no exploit code required for the
CGI-BIN vulnerability.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Lotus</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000, OS/2 4.5Warp, OS/390 V2R9, Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Domino 5.0, 5.0.1-5.0.9</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists if a malformed URL is created because database
files are not protected with a password, which could let a remote malicious user
bypass authentication.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<B><U><FONT SIZE=1><P>Workaround:</B></U> Set the ACLs on the Web Administrator
template to prevent anonymous access. </FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Domino Remote Authentication Bypass</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Microsoft</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>MacOS X 10.0-10.1.2</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Office v. X</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A Denial of Service vulnerability exists when certain types of malformed
announcements are sent to the PID Checker service.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Frequently asked questions regarding this vulnerability and the
patch can be found at: </FONT>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-002.asp</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Office v. X for Macintosh PID Checker Denial of Service</P>
<P ALIGN="CENTER"> </FONT><FONT SIZE=1 COLOR="#ff0000">CVE Name: CAN-2002-0021</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Microsoft</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Exchange Server 2000, 2000 SP1&2</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists in the way the System Attendant makes Registry
configuration changes, which could let a remote malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Frequently asked questions regarding this vulnerability and the
patch can be found at: </FONT>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-003.asp</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Exchange Inappropriate Registry Permissions</P>
<P ALIGN="CENTER"> </FONT><FONT SIZE=1 COLOR="#ff0000">CVE Name: CAN-2002-0049</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Microsoft</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000, XP</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 2000 Advanced Server, 2000 Advanced Server SP1&2,
2000 Datacenter Server, 2000 Datacenter Server SP1&2, 2000 Professional, 2000
Professional SP1&2, 2000 Server, 2000 Server SP1&2, 2000 Server Japanese
Edition, 4.0, 4.0 alpha, 4.0 SP1-5, 4.0 SP1-5 alpha, XP, XP Home, XP Professional</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because NTFS could allow files to be hidden,
which could allow viruses to remain undetected on filesystems. </FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Windows NTFS File Hiding</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit script has been
published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Microsoft</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 2000 Advanced Server, 2000 Advanced Server SP1&2, 2000
Datacenter Server, 2000 Datacenter Server SP1&2, 2000 Server, 2000 Server SP1&2,
NT Enterprise Server 4.0, NT Enterprise Server 4.0 SP1-6a, NT Server 4.0, NT Server
4.0 SP1-6a</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because, when a trust relationship exists between
two domains, the trusting domain will accept the list of Security Identifiers (SIDs)
specified within authorization data, which could let a malicious user obtain elevated
privileges. </FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Frequently asked questions regarding this vulnerability and the
patch can be found at: </FONT>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-001.asp</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Windows Trusted Domain Membership</P>
<P ALIGN="CENTER"> </FONT><FONT SIZE=1 COLOR="#ff0000">CVE Name: CAN-2002-0018</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</P>
<P> Vulnerability has appeared in the press and other public media.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Microsoft</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>IIS 5.0, SQL Server 6.5, 7.0, 7.0 SP1-3, 7.0 SP1-3 alpha, 2000, 2000
SP1-2, 2000 Advanced Server, 2000 Advanced Server SP1-2, 2000 Datacenter Server,
2000 Datacenter Server SP1-2, 2000 Professional, 2000 Professional SP1-2, 2000
Server, 2000 Server SP1-2</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A Denial of Service vulnerability exists in the Microsoft Distributed
Transaction Service Coordinator (MSDTC) when a malicious user sends 1024 bytes of
data to the listening port.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Microsoft MSDTC Service Denial of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Microsoft</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Interix 2.2; Windows 2000 Advanced Server, 2000 Advanced Server
SP1&2, 2000 Datacenter Server, 2000 Datacenter Server SP1&2, 2000 Professional,
2000 Professional SP1&2, 2000 Server, 2000 Server SP1&2, 2000 Terminal Services,
2000 Terminal Services SP1&2</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A buffer overflow vulnerability exists due to unchecked buffers
in the code that handles the processing of Telnet protocol options, which could let
a remote malicious user execute arbitrary code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Frequently asked questions regarding this vulnerability and the
patch can be found at: </FONT>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-004.asp</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Telnet Server Unchecked Buffer</P>
<P ALIGN="CENTER"> </FONT><FONT SIZE=1 COLOR="#ff0000">CVE Name: CAN-2002-00020</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Microsoft</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Site Server 3.0 with SP3 & prior, Commerce Edition 3.0 SP4 &
prior</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple vulnerabilities exist: multiple cross-site scripting vulnerabilities
exist, which could let a malicious user execute arbitrary code; a Denial of Service
vulnerability exists when a TargetURL parameter is uploaded with more than 250 characters;
multiple vulnerabilities exist in various administrative pages in the /SiteServer/Admin/
directory which could let an unprivileged malicious user obtain sensitive information;
a vulnerability exists because LDAP passwords are stored in plaintext, which could
let an unauthorized remote malicious user obtain sensitive information; a vulnerability
exists due to the way the random LDAP_Anonymous password is generated, which could
let a malicious user obtain sensitive information; and a vulnerability exists in
the web applications because user input is not properly validated before it is passed
to an SQL query, which could let a malicious user insert arbitrary SQL commands.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Site Server Multiple Vulnerabilities</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low/Medium<B>/High</P>
<P ALIGN="CENTER"> (Medium if sensitive information can be accessed and
High if arbitrary code can be executed)</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploits have been published
for the cross-site scripting vulnerabilities. There is no exploit code required for
the information disclosure vulnerabilities in the administrative pages and the LDAP_Anonymous
password generation vulnerability.</P>
<P> Vulnerability has appeared in the press and other public media.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Microsoft</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 95/98/ME/NT 4.0/2000, XP</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>MSN Messenger Service 4.5, 4.6</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because sensitive information can be obtained
through an ActiveX control that is available to JavaScript programs.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">MSN ActiveX Sensitive Information Disclosure</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Mirabilis</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>MacOS X 10.0-10.0.4, 10.1-10.1.2</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>ICQ For MacOS X 2.6X Beta</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A Denial of Service vulnerability exists when an excessively long
request is sent to ICQ clients.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">ICQ For MacOS X Denial Of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit script has been
published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>MRTG</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000, Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multi Router Traffic Grapher CGI 2.9.17-win32, 2.9.17-unix</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists if a web request is submitted that contains
unexpected arguments for script variables, which could let a malicious user obtain
sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">MRTG CGI File Display</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>MRTG Configuration Generator</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>MRTG config 0.5.9</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Two vulnerabilities exist: a vulnerability exists in ‘mrtg.cgi’
which could let a malicious user obtain sensitive information; and a vulnerability
exists if an HTTP request is submitted that contains unusual characters, which could
let a malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">MRTG Path Disclosure Vulnerabilities</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple Vendors</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>rsync 2.3.1, 2.3.2-1.2 sparc & PPC, 2.3.2-1.2 m68k, intel, ARM
& alpha, 2.3.2, 2.4.1, 2.4.3, 2.4.4, 2.4.6</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Several vulnerabilities exist concerning the use of signed and unsigned
variables, which could let a remote malicious user execute arbitrary code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Upgrade available at: </FONT>http://rsync.samba.org/rsync/download.html
<B><U><FONT SIZE=1>SuSE: </B></U></FONT>ftp://ftp.suse.com/pub/suse/<FONT
SIZE=1> <B><U>Conectiva: </B></U></FONT>ftp://atualizacoes.conectiva.com.br/<B><U><FONT
SIZE=1> Engarde: </B></U></FONT>ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
<B><U><FONT SIZE=1>Debian: </B></U></FONT>http://security.debian.org/dists/stable/updates/main/
<B><U><FONT SIZE=1>Mandrake: </B></U></FONT>http://www.mandrakesecure.net/en/ftp.php
<B><U><FONT SIZE=1>Trustix: </B></U></FONT>http://www.trustix.net/pub/Trustix/updates/
<B><U><FONT SIZE=1>RedHat: </B></U></FONT>ftp://updates.redhat.com/</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">rsync Signed Variable</P>
<P ALIGN="CENTER"> </FONT><FONT SIZE=1 COLOR="#ff0000">CVE Name: CAN-2002-0048</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Netgear</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>RT314/RT311 Gateway Router Firmware 3.22, 3.24, 3.25</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A cross-site scripting vulnerability exists in the web interface
for the router, which could let a malicious user execute arbitrary script and possibly
obtain unauthorized administrative access.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">RT314/RT311 Gateway Router Cross-Site Scripting</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>NetScreen Technologies</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 95/98/ME/NT 4.0/2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>ScreenOS 3.0.0-3.0.0r3, 2.6.1-2.6.1r4, 2.7.1-2.7.1r2</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A Denial of Service vulnerability exists in the optional feature,
IP Spoof protection.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Patch available at: </FONT>http://www.netscreen.com/support/updates.html</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">ScreenOS IP Spoof Protection Denial of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Network Associates</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 95/98/ME/NT 4.0/2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>PGP Security PGPfire 7.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because the TCP/IP stack of the operating
system is altered during installation, which could let a remote malicious user obtain
sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">PGPFire TCP/IP Alteration</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Nortel Networks</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>WebOS 9.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists when a client has half-closed a session,
which could let a remote malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">WebOS Half-Closed Session</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit has been published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Novell</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>NetWare 5.0, 5.0SP5, 5.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because access can be obtained to NT domain
machines using a null password, which could let an unprivileged malicious user obtain
Domain Admin access. </FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">NetWare Null Password</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Oracle Corporation</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Oracle9i 9.0, 9.0.1, Oracle9iAS Web Cache 2.0.0.0-2.0.0.3</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because source code is contained in .java
files, which could let a malicious user obtain sensitive information. </P>
</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Oracle 9iAS .java Source Code</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Vulnerability can be exploited
via a web browser.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Oracle Corporation</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows NT 4.0/2000,</P>
<P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Oracle9i 9.0, 9.0.1, Oracle9iAS Web Cache 2.00.3, 2.0.0.3, 2.0.0.2
NT, 2.0.0.2, 2.0.0.1, 2.0.0.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple vulnerabilities exist: a Denial of Service vulnerability
exists when a request is made to the ‘pls’ module with an HTTP client Authorization
header set but with no auth type; and multiple buffer overflow vulnerabilities exist
in the PL/SQL Apache module, which could let a malicious user execute arbitrary code.
</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Patch available at: </FONT>http://metalink.oracle.com</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Oracle 9iAS Denial of Service and Buffer Overflow
Vulnerabilities</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low/<B>High</P>
<P ALIGN="CENTER"> (High if arbitrary code can be executed)</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Oracle Corporation</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Oracle database server 8.1.7.0.0, Oracle 8i Enterprise Edition 8.0.5.0.0,
8.0.6.0.1, 8.0.6.0.0, 8.1.5.1.0, 8.1.5.0.2, 8.1.5.0.0, 8.1.6.1.0, 8.1.6.0.0, 8.1.7.1.0,
8.1.7.0.0, Oracle8 8.0.3, 8.0.4, 8.0.5.1, 8.0.5, 8.0.6, 8.1.5-8.1.7, 8.0.1, 8.0.2,
8.0.4-8.0.6, 8.1.5-8.1.7.1, 9.0, 9.0.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because there is no authentication required
for the listener process, which could let a remote malicious user execute arbitrary
functions.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Oracle TNS Listener Arbitrary Function</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>PHP</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>PHP 3.0-3.0.13, 3.0.16, 4.0, 4.0.1pl2, 4.0.1, 4.0.3-4.0.6, 4.1,
4.1.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because the MySQL client library does not
perform proper checking on ‘LOAD DATA INFILE LOCAL’ statements, which could let a
malicious user bypass restrictions to gain unauthorized access to restricted filesystems.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">PHP MySQL Safe_Mode Filesystem Circumvention</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit script has been
published. </FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>PhpSms Send</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>PhpSmsSend 1.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because user input is not properly validated,
which could let a remote malicious user execute arbitrary commands.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">PhpSmsSend Remote Arbitrary Command </FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Vulnerability can be exploited
via a web browser.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>PhpWeb Things</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>PhpWeb Things 0.4</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists in the ‘core/main.php’ helper script, which
could let a remote malicious user modify database queries.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Upgrade available at: </FONT>http://freshmeat.net/redir/phpwebthings/15746/url_zip/phpwebthings-0.4.1.zip</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">PHPWeb ‘core/main.php’ Script</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Vulnerability can be exploited
via a web browser.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Portix-PHP</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Portix-PHP 0.4.02, 0.4.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because non-expiring cookies are used for
session management, which could let a malicious user obtain administrative access.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Portix-PHP Cookie Manipulation</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit has been published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Portix-PHP</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Portix-PHP 0.4.02, 0.4.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Two Directory Traversal vulnerabilities exist because web requests
are not properly filtered in the ‘view.php’ and ‘portix-php’ scripts, which could
let a malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Portix-PHP ‘view.php’ and ‘index.php’ Directory Traversal
Vulnerabilities</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit has been published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>SAP</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows 95/98/NT 4.0/2000</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>SAPgui 4.6 for Windows, 4.6A-4.6D for Windows</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A remote Denial of Service vulnerability exists due to the way invalid
connections are handled.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">SAPgui Denial of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>SAS Institute, Incorporated</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Windows, OS/390, OS/2,</P>
<P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>SAS Base 8.0, 8.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A buffer overflow and format string vulnerability exists in ‘sastcpd,’
which could let a malicious user execute arbitrary code with administrative privileges.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Patch available at: </FONT>http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">SASTCPD Buffer Overflow and Format String </FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>SAS Institute, Incorporated</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>SAS Base 8.0, Integration Technologies 8.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Two vulnerabilities exist: a vulnerability exists in ‘sastcpd’,
which could let a malicious user execute arbitrary code as a root user; and a vulnerability
exists in the 'netencralg' environment variable, which could let a malicious user
execute arbitrary code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">‘SASTCPD’ and ‘netencralg’ Arbitrary Code Execution</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>SGI</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>IRIX 6.5.10m, 6.5.10f, 6.5.11, 6.5.11f, 6.5.11m, 6.5.12, 6.5.12f,
6.5.12m, 6.5.13, 6.5.13f, 6.5.13m, 6.5.14, 6.5.14f, 6.5.14m</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists when the ‘vcp’ Default Input is set to "Output
Video," which could let a malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Vendor workaround available at: </FONT>http://www.securityfocus.com/advisories/3836</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">IRIX Output Video Viewing </FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Sony</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>VAIO Manual for UAE, Southeast Asia, South Africa, Saudi Arabia,
Oceania, East Asia, Manual Cyber Support for VAIO 3.0&3.1 Japan</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists in pre-installed software. By exploiting particular
software characteristics, a remote malicious user can obtain unauthorized access
through hidden programs in an Internet web page or e-mail message and take full control
of the user’s system.</P>
<I><P>Note: All VAIO personal computers from January 26th, 2002 are not susceptible
to this issue.</I></FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Sony has prepared a new program called the "VAIO Security Enhancement
Program" and recommends that owners download and install the new software program
immediately. For Customers who purchased VAIO outside Japan: </FONT>http://www.css.ap.sony.com/Vaiofaq/security/agreementen.html
<FONT SIZE=1>For Customers who purchased VAIO in Japan: </FONT>http://vcl.vaio.sony.co.jp/</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">VAIO Unauthorized Access</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</P>
<P> Vulnerability has appeared in the press and other public media.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Steve Kneizys</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Agora.cgi 3.2-3.2r, 3.3a-3.3f, 3.3i, 3.3j, 4.0-4.0e</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists when a web request for a non-existent .html
file is made, which could let a remote malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Agora.CGI Path Disclosure</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit has been published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Sun Microsystems, Incorporated</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>JRE (Linux Production Release) 1.2.2, 1.3.1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A Denial of Service vulnerability exists when a maliciously constructed
java program is received.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">JRE Denial of Service</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Low</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit script has been
published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Tarantella, Incorporated</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Enterprise 3 3.01, 3.0, 3.10, 3.11, 3.20</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A race condition vulnerability exists during the installation process,
which could let a malicious user obtain elevated privileges.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Enterprise 3 Race Condition</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Thunderstone</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Texis 3.0</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists when a HTTP request for an invalid path is
submitted, which could let a malicious user obtain sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Texis Path Disclosure</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Tolis Group</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>BRU 17.0 Linux</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists due to the creation of insecure tmp files,
which could let a malicious user overwrite system files, or obtain elevated privileges.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">BRU Insecure Temporary File </FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Exploit script has been
published.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>wliang</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>wmtv 0.6.5</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Multiple buffer overflow vulnerabilities exist in the configuration
file, which could let a malicious user execute arbitrary code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Upgrade available at: </FONT>http://security.debian.org/dists/stable/updates</TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">WMTV Buffer Overflow Vulnerabilities</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Xinet</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>MacOS, Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>K-AShare 11.01 IRIX</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because the default installation installs
an icon directory with insecure permissions, which could let a malicious user obtain
sensitive information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">K-AShare Insecure Permissions</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Xoops</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Xoops 1.0 RC1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A vulnerability exists because user input is not properly sanitized
in the ‘userinfo.php’ script, which could let a remote malicious user obtain sensitive
information.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Xoops SQL ‘userinfo.php’ Sensitive Information</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">Medium</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. Vulnerability can be exploited
via a web browser.</FONT></TD>
</TR>
<TR><TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Xoops</FONT></TD>
<TD WIDTH="9%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Unix</FONT></TD>
<TD WIDTH="10%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Xoops 1.0 RC1</FONT></TD>
<TD WIDTH="22%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>A cross-site scripting vulnerability exists in the ‘pmlite.php’
script and in the title field because script code is not sufficiently filtered, which
could let a malicious user execute arbitrary script code.</FONT></TD>
<TD WIDTH="18%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>No workaround or patch available at time of publishing.</FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P ALIGN="CENTER">Xoops Private Message Box Cross-Site Scripting</FONT></TD>
<TD WIDTH="8%" VALIGN="TOP" HEIGHT=72>
<B><FONT SIZE=1 COLOR="#ff0000"><P ALIGN="CENTER">High</B></FONT></TD>
<TD WIDTH="12%" VALIGN="TOP" HEIGHT=72>
<FONT SIZE=1><P>Bug discussed in newsgroups and websites. There is no exploit code
required.</FONT></TD>
</TR>
</TABLE>
<FONT SIZE=1><P> </P>
</FONT><FONT SIZE=2><P>*"Risk" is defined by CyberNotes in the following manner:</P>
<B><P>High</B> - A high-risk vulnerability is defined as one that will allow an
intruder to immediately gain privileged access (e.g., sysadmin or root) to the system
or allow an intruder to execute code or alter arbitrary system files. An example
of a high-risk vulnerability is one that allows an unauthorized user to send a sequence
of instructions to a machine and the machine responds with a command prompt with
administrator privileges.</P>
<B><P>Medium</B> – A medium-risk vulnerability is defined as one that will allow
an intruder immediate access to a system with less than privileged access. Such a vulnerability
will allow the intruder the opportunity to continue the attempt to gain privileged
access. An example of a medium-risk vulnerability is a server configuration error that
allows an intruder to capture the password file.</P>
<B><P>Low</B> - A low-risk vulnerability is defined as one that will provide information
to an intruder that could lead to further compromise attempts or a Denial of Service
(DoS) attack. It should be noted that while the DoS attack is deemed low from a threat
potential, the frequency of this type of attack is very high. <I>DoS attacks against
mission-critical nodes are not included in this rating and any attack of this nature
should instead be considered to be a "High" threat.</P>
</FONT><B><FONT FACE="Baskerville Old Face,Times New Roman" SIZE=5 COLOR="#0000ff"><P>Recent
Exploit Scripts</A>/Techniques</P>
</B></I></FONT><FONT SIZE=2><P>The table below contains a representative sample
of exploit scripts and How to Guides, identified between January 24 and February
7, 2002, listed by date of script, script names, script description, and comments.
<B>Items listed in boldface/red (if any) are attack scripts/techniques for which
vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs)
have not published workarounds or patches, or which represent scripts that malicious
users are utilizing</B>. During this period, 16 scripts, programs, and net-news messages
containing holes or exploits were identified. <I>Note: At times, scripts/techniques
may contain names or content that may be considered offensive. </P></I></FONT>
<TABLE BORDER CELLSPACING=1 CELLPADDING=7 WIDTH=660>
<TR><TD WIDTH="21%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=42>
<P ALIGN="CENTER"><B><FONT SIZE=1>Date of Script (Reverse Chronological Order)</B></FONT></TD>
<TD WIDTH="30%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=42>
<B><FONT SIZE=1><P ALIGN="CENTER">Script name</B></FONT></TD>
<TD WIDTH="49%" VALIGN="MIDDLE" BGCOLOR="#ffffff" HEIGHT=42>
<B><FONT SIZE=1><P ALIGN="CENTER">Script Description</B></FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>February 7, 2002</B></FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Hanterm_exp.c</B></FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Script which exploits the Hanterm Buffer Overflow
vulnerability.</B></FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>February 5, 2002</B></FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Osxicq.c</B></FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Script which exploits the ICQ For MacOS X Denial
Of Service vulnerability.</B></FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>February 4, 2002</FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>Ethereal-0.9.1.tar.gz</FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>A GTK+-based network protocol analyzer that lets you capture and
interactively browse the contents of network frames.</FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>February 4, 2002</FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>Gps-0.9.0.tar.gz</FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>An advanced port scanner and a firewall rule disclosure tool that
uses IP & ARP spoofing, sniffing, stealth scanning, ARP poisoning, IP fragmentation,
and other techniques to perform stealth and untrackable information collection.</FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>February 4, 2002</FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>Lcrzo-4.04-src.tgz</FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>A toolbox for network administrators and network malicious users
that contains over 200 functionalities using network library lcrzo.</FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>February 3, 2002</FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>Mircexploit-v591.c</FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>Script which exploits the MIRC Nickname Buffer Overflow vulnerability.</FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>February 3, 2002</B></FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Safemodexploit.php</B></FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Exploit for the PHP MySQL Safe_Mode Filesystem
Circumvention vulnerability.</B></FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=41>
<FONT SIZE=1><P>February 2, 2002</FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=41>
<FONT SIZE=1><P>Sqlinjectionwhitepaper.pdf</FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=41>
<FONT SIZE=1><P>A technique for exploiting web applications that uses client-supplied
data in SQL queries without stripping illegal characters first.</FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>January 30, 2002</B></FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Crashme.java</B></FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Exploit for the Sun JRE Denial of Service vulnerability.</B></FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>January 30, 2002</FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>Nbtenum11.zip</FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>A utility for Windows which can be used to enumerate one single
host or an entire class C subnet. This utility can run in two modes, query and attack.</FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>January 30, 2002</B></FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Netgear.txt</B></FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Perl script which exploits the NetGear RO318
HTTP Filter vulnerability.</B></FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>January 30, 2002</B></FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Ntfs-hide.bat</B></FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Exploit for the Microsoft Windows NTFS File Hiding
vulnerability.</B></FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>January 29, 2002</B></FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Acedirector_request</B></FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Exploit for the AceDirector Half-Closed Session
vulnerability.</B></FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>January 26, 2002</FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>Kernel.keylogger.txt</FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<FONT SIZE=1><P>Paper that describes the basic concepts and techniques used for
recording keystroke activity under Linux. Also includes proof of concept.</FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>January 26, 2002</B></FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Symace.c</B></FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Script which exploits the BRU Insecure Temporary
File vulnerability.</B></FONT></TD>
</TR>
<TR><TD WIDTH="21%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>January 24, 2002</B></FONT></TD>
<TD WIDTH="30%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>CA-2002-02.aol.icq</B></FONT></TD>
<TD WIDTH="49%" VALIGN="TOP" HEIGHT=14>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Exploit for the ICQ Buffer Overflow vulnerability.</B></FONT></TD>
</TR>
</TABLE>
<B><I><FONT FACE="Baskerville Old Face,Times New Roman" SIZE=5 COLOR="#0000ff"><P> </P>
<P>Trends</P>
<UL>
</I></FONT><FONT SIZE=2><LI>The National Infrastructure Protection Center (NIPC)
has received reporting that infrastructure related information, available on the
Internet, is being accessed from sites around the world. While in and of itself this
information is not significant, it highlights a potential vulnerability. For more
information, see NIPC ADVISORY 02-001, located at: </B></FONT><A HREF="http://www.nipc.gov/warnings/advisories/2002/02-001.htm"><B><FONT
SIZE=2>http://www.nipc.gov/warnings/advisories/2002/02-001.htm</FONT></A><B><FONT
SIZE=2>. </LI>
<LI>The CERT/CC has received credible reports of scanning and exploitation of Solaris
systems running the CDE Subprocess Control Service buffer overflow vulnerability
identified in CA-2001-31 and discussed in VU#172583. For more information, see CERT®
Advisory CA-2002-01, located at: </B></FONT><A HREF="http://www.cert.org/advisories/CA-2002-01.html"><B><FONT
SIZE=2>http://www.cert.org/advisories/CA-2002-01.html</FONT></A><B><FONT SIZE=2>.</LI>
<LI>NIPC has updated their advisory, NIPC Advisory 01-030, regarding what Microsoft
refers to as a critical vulnerability in the universal plug and play (UPnP) service
in Windows. For more information, see NIPC ADVISORY 01-030.3, located at: </B></FONT><A
HREF="http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm"><B><FONT SIZE=2>www.nipc.gov/warnings/advisories/2001/01-030-2.htm</B></FONT></A><B><FONT
SIZE=2>.</LI></UL>
<P> </P>
</FONT><I><FONT FACE="Baskerville Old Face,Times New Roman" SIZE=5 COLOR="#0000ff"><P>Viruses
</P>
</B></I></FONT><FONT SIZE=2><P>The following virus descriptions encompass new viruses
and variations of previously encountered viruses that have been discovered in the
last two weeks. The viruses are listed alphabetically by their common name. While
these viruses might not all be in wide circulation, it is highly recommended that
users update anti-virus programs as often as updates become available. <I>NOTE: At
times, viruses may contain names or content that may be considered offensive.</P>
</I><B><P>IRC/Girls.worm (Internet Worm):</B> This is a worm that spreads via IRC.
Once received, user intervention is required to propagate the worm from your machine.
Two files are appended to the end of the worm (compressed) - GIRLS(1).JPG and README.TXT.
When the worm is executed as GIRLS.ZIP, these two files will be accessible to the
user (assuming the ZIP extension is associated with ZIP archives). The JPEG image
is a pornographic photo. If the ZIP file extension is renamed to EXE, and then executed,
the worm's propagation routine is run. The worm copies itself to %WINDIR%\GIRLS.ZIP.
A countdown is displayed on the screen followed by a message box. The worm searches
for MIRC.INI and PIRCH98.INI in the following folders on drives C, D, and E: </P>
<UL>
<UL>
<LI>MIRC.INI - \mirc\, \mirc32\, \progra~1\mirc\, and \progra~1\mirc32\ </LI>
<LI>PIRCH98.INI - \pirch98\ and \progra~1\pirch98\ </LI></UL>
</UL>
<P>If found, the worm drops the file SCRIPT.INI into that folder (overwriting any
existing files of the same name). This file contains a single instruction to send
a copy of the worm (%WINDIR%\GIRLS.ZIP) via IRC.</P>
<B><P>PE_GOSUSUB.A (Aliases: Gosusub.A, W32.HLLP.Gosusub) (File Infector Virus):</B>
Upon execution, this virus drops a copy of itself as WIN386.EXE in the /%Windows%/ folder.
It modifies the system file SYSTEM.INI and the registry to allow this copy to execute.
It modifies the SYSTEM.INI by changing a line in the [boot] section from: </P><DIR>
<DIR>
<P>Shell Explorer.exe </P>
<P>to </P>
<P>Shell Explorer.exe Win386.exe </P></DIR>
</DIR>
<P>It adds the following registry key: </P><DIR>
<DIR>
<P>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Win386" "C:\Windows\Win386.exe"
</P></DIR>
</DIR>
<P>This virus is also capable of infecting certain EXE files. Upon execution of
its code, it searches the system for all drives, including the system mapped drives.
It then searches for the following .EXE files: </P>
<UL>
<UL>
<LI>C:\Windows\Winrep.exe </LI>
<LI>C:\Windows\System\!E4uinit.exe </LI>
<LI>C:\Windows\System\Tapiini.exe </LI>
<LI>C:\Windows\Command\Scanreg.exe</LI></UL>
</UL>
<P>It infects the .EXE files by prepending its code to the file and then deletes
.TXT files found in /%root%/, /%windows%/, /%system%/, and the following directories:
</P>
<UL>
<UL>
<LI>C:\Windows\Command </LI>
<LI>C:\Windows\Help.</LI></UL>
</UL>
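<P>The two start-up changes described for PE_GOSUSUB.A can be checked offline from a copy of SYSTEM.INI and an export of the Run key. The following is an added example, not part of CyberNotes; the function names and both sample inputs are constructed, and it assumes a REGEDIT4-style text export and that a clean [boot] shell line names only Explorer.exe.</P>

```python
import re

# Run key named in the description, lower-cased for comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Assumption: a clean system lists only Explorer.exe on the shell line.
EXPECTED_SHELL = "explorer.exe"


def basename(path):
    """Lower-cased file name of a Windows path, quotes removed."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def shell_extras(ini_text):
    """Programs on the [boot] shell line of SYSTEM.INI other than Explorer.exe.

    Caveat: only file names are compared, so a look-alike explorer.exe in
    another directory is not flagged. Entries are split on whitespace.
    """
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "boot":
            continue
        # SYSTEM.INI uses key=value; the bulletin prints the line without
        # '=', so whitespace is accepted as the separator as well.
        m = re.match(r"shell\s*[=\s]\s*(.*)$", line, re.IGNORECASE)
        if m:
            return [p for p in m.group(1).split()
                    if basename(p) != EXPECTED_SHELL]
    return []


def run_values(reg_text):
    """Map value name -> data for the HKLM Run key in a REGEDIT4-style export."""
    values, in_run = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_run = header.group(1).lower() == RUN_KEY
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if in_run and m:
            # Exports escape each backslash; undo that for readability.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def double_persistence(ini_text, reg_text):
    """File names started from both the shell line and the Run key."""
    from_shell = {basename(p) for p in shell_extras(ini_text)}
    from_run = {basename(v) for v in run_values(reg_text).values()}
    return sorted(from_shell & from_run)


# Constructed sample: SYSTEM.INI in the modified state described above.
SAMPLE_SYSTEM_INI = """\
; constructed sample
[boot]
shell=Explorer.exe Win386.exe
system.drv=system.drv

[boot.description]
system.drv=Standard PC
"""

# Constructed sample: Run key export holding the value described above
# next to an ordinary entry.
SAMPLE_RUN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win386"="C:\\Windows\\Win386.exe"
"SystemTray"="SysTray.Exe"
"""

if __name__ == "__main__":
    print("extra shell programs:", shell_extras(SAMPLE_SYSTEM_INI))
    print("run key values:", run_values(SAMPLE_RUN_EXPORT))
    print("in both places:", double_persistence(SAMPLE_SYSTEM_INI, SAMPLE_RUN_EXPORT))
```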
<B><P>W32/Klez-G (Win32 Worm):</B> This is a Win32 worm that carries a compressed
copy of the W32/ElKern-B virus, which it drops and executes when the worm is run.
This worm searches for e-mail address entries in the Windows address book but uses
its own mailing routine. The e-mail subject is either random or chosen from a list.
The worm randomly composes the message text, but the message can also have no
text. An attached file is also included, with a randomly chosen name and the extension
.PIF, .SCR, .EXE, or .BAT. The sender address, which appears in a message, is chosen
from a list inside the virus. W32/Klez-G attempts to disable several anti-virus products
and delete some anti-virus related files. The worm attempts to exploit a MIME vulnerability
in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer
to allow the executable file to run automatically without the user double-clicking
on the attachment. Microsoft has issued a patch that secures against this vulnerability
that can be downloaded from </FONT><A HREF="http://www.microsoft.com/technet/security/bulletin/MS01-027.asp"><FONT
SIZE=2>http://www.microsoft.com/technet/security/bulletin/MS01-027.asp</A><FONT
SIZE=2>. <I>(Note: This patch fixes a number of vulnerabilities in Microsoft's software,
including the one exploited by this worm.) </I>The virus may also spread to remote
shares on other machines using random filenames. It copies itself to the Windows
System directory with a random filename. The worm will set the registry key: </P><DIR>
<DIR>
<P>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ </P></DIR>
</DIR>
<P>to point to the worm file, so that the file is run on Windows startup.</P>
<B><P>W32/Tariprox-B (Win32 Worm):</B> This is a proxy worm that attaches itself
to out-going e-mail messages. The worm will arrive as an e-mail attachment called
&lt;username&gt;.doc.pif, where &lt;username&gt; is the name of the e-mail recipient. When
run, it copies itself to the Windows directory as MMOPLIB.EXE and creates the registry
entry: </P><DIR>
<DIR>
<P>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmoplib = Windows\MMOPLIB.EXE,
</P></DIR>
</DIR>
<P>so that the worm is run automatically each time the machine is restarted. It
also replaces/creates the HOSTS file, which maps machine names to IP addresses. Various
network-related programs, such as Outlook and Outlook Express use the HOSTS file,
in order to quickly resolve machine IP addresses (rather than having to query the
DNS database). In order to work on both Win9x and NT machines, the worm will try
to create or replace the file HOSTS or HOSTS.bak in the Windows and Winnt\System32\drivers\etc\
directories. The existing HOSTS file may be named HOSTS.sam (the default for W95/W98)
in which case it will remain unchanged. However, the version created by the worm
(without an extension) will be used. The worm creates an entry in the new HOSTS file,
which maps the default SMTP server to the loop-back address 127.0.0.1. The worm then
runs in the background waiting to accept a connection on port 25 (the SMTP port).
When the user tries to send an e-mail, the e-mail client program (such as Outlook
or Outlook Express) tries to establish a connection to the SMTP server on port 25,
but mistakenly uses the address 127.0.0.1 and so actually connects to the worm. The
worm establishes a connection to the real SMTP server (on port 25) and acts as a
go-between, sending its own data at the appropriate moment. The worm avoids repeatedly
sending itself to the same person by keeping a list of the five most recent recipients
in the following registry key:</P><DIR>
<DIR>
<P>HKLM\Software\Microsoft\Media Optimization library\MRU = NULL, NULL, recipient3,
recipient2, recipient1.</P></DIR>
</DIR>
<P>It does not attach itself to e-mail messages destined for these people. On some
networks, the same machine acts as both the outgoing and incoming mail server. If
this is the case, when an e-mail client attempts to connect to the server to download
e-mail, the worm accepts the connection but doesn't pass on responses if they're
not related to sending e-mail. This may prevent the user from downloading new e-mails.
Any other programs that use the HOSTS file to resolve IP addresses (such as Telnet)
will also be unable to establish a connection to the machine acting as the default
SMTP server, because they will attempt to connect to 127.0.0.1. On many network configurations
however, there will be one machine to handle SMTP and one to handle POP3 (or IMAP,
DSMP etc.). On these networks the worm will function as intended. The worm was designed
primarily to work with Outlook Express and so may not work properly with other MAPI
client programs. W32/Tariprox-B is a Windows PE executable. UPX packed versions also
exist. The worm contains the text: 'W32.Taricone-B.worm@proxy by I.V.E.L.'</P>
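<P>The HOSTS-file redirection described for W32/Tariprox-B leaves a simple artifact: a name other than localhost mapped to a loopback address. The following is an added example, not part of CyberNotes, that reviews HOSTS-file text for such entries; the function names, the mail server name smtp.example.net and both sample files are constructed, and the list of configured mail servers is assumed to be supplied by the analyst.</P>

```python
import ipaddress
from pathlib import Path

# Names expected to resolve to loopback on a clean host.
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "loopback"}


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every mapping line in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address
        yield line_no, ip, [n.lower() for n in fields[1:]]


def loopback_redirects(text, mail_servers=()):
    """Return findings for non-local names mapped to a loopback address.

    mail_servers: host names the mail client is configured to use
    (assumption: taken by the analyst from the client's account settings).
    A redirected mail server is rated "high", any other name "review".
    """
    mail = {m.lower().rstrip(".") for m in mail_servers}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if not ip.is_loopback:
            continue
        for name in names:
            name = name.rstrip(".")
            if name in EXPECTED_LOOPBACK_NAMES:
                continue
            findings.append({
                "line": line_no,
                "name": name,
                "ip": str(ip),
                "severity": "high" if name in mail else "review",
            })
    return findings


def scan_files(paths, mail_servers=()):
    """Run the check over every existing file in paths; return {path: findings}.

    The description names HOSTS and HOSTS.bak in the Windows and
    Winnt\\System32\\drivers\\etc\\ directories; pass the copies collected
    from the machine under review.
    """
    results = {}
    for p in map(Path, paths):
        if p.is_file():
            hits = loopback_redirects(p.read_text(errors="replace"), mail_servers)
            if hits:
                results[str(p)] = hits
    return results


# Constructed sample: HOSTS file in the state the description gives.
SAMPLE_INFECTED = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   smtp.example.net
"""

# Constructed sample: ordinary HOSTS file with the same server name.
SAMPLE_CLEAN = """\
127.0.0.1   localhost   # default entry
192.0.2.10  smtp.example.net
"""

if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, loopback_redirects(text, ["smtp.example.net"]))
```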
<B><P>WM97/Comical-A (Word 97 Macro Worm):</B> This is a mass mailing e-mail worm.
It consists of three components: a Word macro file, a Visual Basic script and a Windows
executable. These three components are detected as WM97/Comical-A, VBS/Comical-A
and W32/Comical-A respectively. WM97/Comical-A arrives in an e-mail with the following
characteristics: </P><DIR>
<DIR>
<P>Subject line: A comical story for you</P>
<P>Message text: I send you a comical story found on the Net. </P>
<P>Best Regards, You friend.</P>
<P>Attached file: comical_story.doc</P></DIR>
</DIR>
<P>When the attachment is launched using Microsoft Word, it will display a dialog
box that states 'This file has some problems.' When the user clicks on the OK box,
the worm will drop a Visual Basic script, VBS/Comical-A, to C:\twin.vbs. The worm
will then execute VBS/Comical-A. VBS/Comical-A will collect e-mail addresses from
the Outlook address book and write them to the file C:\backup.win. It will create
the Word document Netinfo.doc in the Windows directory. This file is detected as
WM97/Comical-A. It will then write avw32.exe into the Windows directory and execute
it. The virus will attempt to send Netinfo.doc to all the e-mail addresses listed
in C:\backup.win. It will also add the following registry key to ensure that the
executable is run on startup:</P><DIR>
<DIR>
<P>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Freeware</P></DIR>
</DIR>
<P>The executable will also delete the file C:\twin.vbs.</P>
<B><P>W32/MyParty-A (Aliases: W32/Myparty@mm, </B></FONT><A HREF="mailto:W32.Myparty@mm"><B><FONT
SIZE=2>W32.Myparty@mm</B></FONT></A><B><FONT SIZE=2>) (Win32 Worm):</B> This virus
has been reported in the wild. It is a Windows 32 e-mail-aware worm which arrives
as an e-mail message with the subject "new photos from my party!" and an attachment,
</FONT>www.myparty.yahoo.com.<FONT
SIZE=2> Some people may be fooled into believing the attached file is a link to a
website. If the attached file is executed, the worm sends a copy of itself to everybody
in the Windows Address book (except the current user) using a built in SMTP engine.
It gets the SMTP server information from the registry key:</P><DIR>
<DIR>
<P>HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001 </P></DIR>
</DIR>
<P>The worm also sends an e-mail to napster@gala.net to track its spread. </P>
<B><P>W32.Myparty.B@mm (Aliases: WORM_MYPARTY.B, MYPARTY.B) (Win32 Worm):</B> This
variant of WORM_MYPARTY.A also arrives in an e-mail with the subject line "new photos
from my party!" but includes the attachment "myparty.photos.yahoo.com." Similar to
WORM_MYPARTY.A, this variant copies itself to C:\Recycled\REGCTRL.EXE in Windows
9x. In Windows NT it copies itself to C:\REGCTRL.EXE and drops a file named msstask.exe
in "%windows%\profile\%username%\ Start Menu\Programs\Startup." It also drops the
following file that is only visible in MS-DOS prompt: </P><DIR>
<DIR>
<P>C:\RECYCLER\F-&lt;Random Number&gt;-&lt;Random Number&gt;-&lt;Random Number&gt;
(This is the actual file) </P>
<P>or </P>
<P>C:\RECYCLED\F-&lt;Random Number&gt;-&lt;Random Number&gt;-&lt;Random Number&gt;
(This is the actual file) </P></DIR>
</DIR>
<P>However, between the system dates of January 20–24, 2002 this file with a random
filename will not be dropped at C:\RECYCLER nor at C:\RECYCLED. This is different
from the trigger date of WORM_MYPARTY.A that is January 25–29, 2002. It also sends
an infected e-mail with the same message and subject used by WORM_MYPARTY.A but with
a different file attachment name. </P>
</FONT><P><A HREF="mailto:W32.Rexli.A@mm"><B><FONT SIZE=2>W32.Rexli.A@mm</B></FONT></A><B><FONT
SIZE=2> (Win32 Worm):</B> This is a mass-mailing worm that is written in Visual Basic.
When executed, the worm e-mails all contacts in the Microsoft Outlook address book.
If mIRC is found, the worm modifies a file called Script.ini. This modification causes
an infected user to send the worm to people over the IRC network.</P>
</FONT><P><A HREF="mailto:W32.Sysnom.C@mm"><B><FONT SIZE=2>W32.Sysnom.C@mm</B></FONT></A><B><FONT
SIZE=2> (Win32 Worm):</B> This is a mass-mailing worm that copies itself to C:\Windows\SoftwareKey.exe.
When it is executed, it sends itself to all contacts in the Microsoft
Outlook address book. When the AVP button is clicked, it opens Internet Explorer
to the Web site http://www.avp.ch. It will also ping the site ndovirus.8m.com. Finally,
the worm copies itself to C:\Windows\SoftwareKey.exe.</P>
<B><P>W97M.DebilByte.A (Word 97 Macro Virus):</B> This is a simple macro virus that
resides in eight macro modules. Each module is exported to the files Wdr1.sys, Wdr2.sys,
. . . Wdr8.sys, which are created in the Windows directory. The module files are
then used by the virus to infect the Normal.dot template file as well as any other
document whenever a document is opened or closed. The virus also disables the following
menu commands:</P>
<UL>
<UL>
<LI>Tools Macro Macros... (Alt+F8) </LI>
<LI>Tools Macro Visual Basic Editor (Alt+F11)</LI></UL>
</UL>
<P>The only text string in the virus is a URL pointing to the Russian Yandex site.
</P>
<B><P>W97M_NOMED.A (Aliases: Macro.Word97.Demo.C, NOMED.A): </B>This macro virus
infects Word 97 documents. It copies its viral code to a "DEMON" module in infected
documents. It does not have a destructive payload. </P>
<B><P>WM97/Falcon-A (Word 97 Macro Virus):</B> This virus replicates with errors.
On an infected system, access to the File|Templates and the Visual Basic Editor is
disabled. When a user attempts to access the VB Editor, two message boxes are displayed:
One has the title "CVBEditor::ShowWindow() error!" and contains the text "Installation
error 0x80000025 Please reinstall Visual Basic for Applications." The other displayed
message box has the title "MacroProt v2.0 Beta" with the text "To prevent viruses
the system administrator has disabled Macro editing."</P>
<B><P>WORM_COUPLE.A (Aliases: COUPLE.A, VBS_COUPLE.A, VBS_LASTSCENE.B, WORM_LASTSCENE)
(Worm): </B>This mass-mailing worm propagates via e-mail using MAPI and Microsoft
Outlook, and installs backdoor programs on the infected user's computer. The e-mail
arrives with the subject line: "Nice Couple."</P>
<B><P>WORM_HUNCH.A (Aliases: HUNCH.A, </B></FONT><A HREF="mailto:W32.Hunch@mm"><B><FONT
SIZE=2>W32.Hunch@mm</B></FONT></A><B><FONT SIZE=2>) (Worm):</B> This memory-resident
worm propagates via Microsoft Outlook by sending copies of itself to all addresses
listed in the infected user's address book. It arrives as an attachment called "COSTOS
DE PRODUCCION.xls.exe." It modifies the registry to allow it to execute at every
Windows startup.</P>
<B><P>WORM_NAVIDAD.A (Aliases: NAVIDAD, TROJ_NAVIDAD.A, W32/Navidad@M, W32.Navidad)
(Internet Worm): </B>This Internet worm propagates via Microsoft Messaging API (MAPI).
It responds to messages included in the user INBOX using the default MAPI client
and e-mail. Every response has the subject, "RE:" and the worm as an attachment (NAVIDAD.EXE).
This worm also displays a message box upon execution and maps the opening of Windows
executables so that it is executed instead of the executable that is called.</P>
<B><P>WORM_PORMAN.A (Aliases: I-Worm.Alcaul.m, W32.Porma@mm, PORMAN.A) (Worm):</B>
This mass-mailing worm sends an infected e-mail via Microsoft Outlook with the attachment
http.www.sex.com, and the subject line "pornoman recommends."</P>
<B><P>WORM_WHITEBAIT.A (Aliases: WHITEBAIT.A, </B></FONT><A HREF="mailto:W32.Whitebait@mm"><B><FONT
SIZE=2>W32.Whitebait@mm</B></FONT></A><B><FONT SIZE=2>) (Worm):</B> This mass-mailing
worm propagates via Microsoft Outlook and arrives in an e-mail with the subject line
"WARNING : Black_Piranha" and the attachment "MSSECU.EXE." Upon execution,
it drops two files in the Windows folder, and displays pornographic pictures with
a link to an adult-oriented Web site. </P>
<B><P>XM97/Divi-AQ (Excel 97 Macro Virus):</B> This virus is a member of the XM97/Divi
family with no malicious payload. It creates the viral file 874.xls in the XLSTART
directory.</P>
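<P>The attachment names reported above for W32/MyParty-A, W32.Myparty.B@mm, WORM_HUNCH.A and WORM_PORMAN.A work because .com is an executable extension and because a document extension can be placed in front of .exe. The Python check below is an added example, not part of CyberNotes; the extension lists and the names classify_attachment and triage are assumptions chosen for illustration.</P>

```python
# Added example: mail-gateway triage of attachment file names.
# The extension lists are illustrative assumptions, not a complete policy.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXTS = {"doc", "xls", "ppt", "txt", "pdf", "jpg", "gif", "htm", "html"}
URL_PREFIXES = ("www.", "http.", "ftp.")


def classify_attachment(filename):
    """Return the set of reasons an attachment name deserves quarantine."""
    # Windows ignores trailing dots and spaces when it opens a file,
    # so "x.com." is treated the same as "x.com".
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return set()
    ext = parts[-1]
    reasons = {"executable"}
    # "report.xls.exe": with known extensions hidden, the user sees "report.xls".
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        reasons.add("double-extension")
    # "www.example.com": reads as a host name, runs as an MS-DOS .com program.
    if ext == "com" and (name.startswith(URL_PREFIXES) or len(parts) >= 3):
        reasons.add("url-lookalike")
    return reasons


def triage(filenames):
    """Map each name to its sorted list of reasons (empty list = no finding)."""
    return {n: sorted(classify_attachment(n)) for n in filenames}


# Attachment names quoted in the write-ups above.
REPORTED_NAMES = [
    "comical_story.doc",
    "www.myparty.yahoo.com",
    "myparty.photos.yahoo.com.",
    "COSTOS DE PRODUCCION.xls.exe",
    "NAVIDAD.EXE",
    "http.www.sex.com",
    "MSSECU.EXE",
]

if __name__ == "__main__":
    for name, reasons in triage(REPORTED_NAMES).items():
        print(f"{name!r:35} {', '.join(reasons) or 'no finding'}")
```

<P>comical_story.doc produces no finding: a macro worm such as WM97/Comical-A has to be caught by content inspection, not by a file-name filter.</P>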
<P> </P>
</FONT><B><I><FONT FACE="Baskerville Old Face,Times New Roman" SIZE=5 COLOR="#0000ff"><P>Trojans
</P>
</B></I></FONT><FONT SIZE=2><P>Trojans have become increasingly popular as a means
of obtaining unauthorized access to computer systems. This table starts with Trojans
discussed in CyberNotes #2001-01, and items will be added on a cumulative basis.
Trojans that are covered in the current issue of CyberNotes are listed in boldface/red.
Following this table are write-ups of new Trojans and updated versions discovered
in the last two weeks. Readers should contact their anti-virus vendors to obtain
specific information on Trojans and Trojan variants that anti-virus software detects.
<I>Note: At times, Trojans may contain names or content that may be considered offensive.</P></I></FONT>
<P ALIGN="CENTER"><CENTER><TABLE BORDER CELLSPACING=2 BORDERCOLOR="#000000" CELLPADDING=7
WIDTH=523>
<TR><TD WIDTH="33%" VALIGN="TOP" BGCOLOR="#ffffff" HEIGHT=21>
<P ALIGN="CENTER"><B><FONT SIZE=1>Trojan</B></FONT></TD>
<TD WIDTH="36%" VALIGN="TOP" BGCOLOR="#ffffff" HEIGHT=21>
<B><FONT SIZE=1><P ALIGN="CENTER">Version</B></FONT></TD>
<TD WIDTH="31%" VALIGN="TOP" BGCOLOR="#ffffff" HEIGHT=21>
<B><FONT SIZE=1><P ALIGN="CENTER">CyberNotes Issue #</B></FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<B><FONT SIZE=2 COLOR="#ff0000"><P>APStrojan.sl</B></FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>N/A</B></FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>Current Issue</B></FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>Backdoor.Palukka</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>BackDoor-AAB</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-02</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<B><FONT SIZE=2 COLOR="#ff0000"><P>BackDoor-FB.svr.gen</B></FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>N/A</B></FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>Current Issue</B></FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>DlDer</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<B><FONT SIZE=2 COLOR="#ff0000"><P>DoS-Winlock</B></FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>N/A</B></FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>Current Issue</B></FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>Hacktool.IPStealer</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-02</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<B><FONT SIZE=2 COLOR="#ff0000"><P>Irc-Smallfeg</B></FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>N/A</B></FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>Current Issue</B></FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>JS/Seeker-E</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>JS_EXCEPTION.GEN</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>SecHole.Trojan</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>Troj/Download-A</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<B><FONT SIZE=2 COLOR="#ff0000"><P>Troj/Msstake-A</B></FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>N/A</B></FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>Current Issue</B></FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>Troj/Optix-03-C</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>Troj/Sub7-21-I</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>Troj/WebDL-E</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>TROJ_CYN12.B</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-02</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>TROJ_DANSCHL.A</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-01</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE" HEIGHT=19>
<B><FONT SIZE=2 COLOR="#ff0000"><P>TROJ_DSNX.A</B></FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE" HEIGHT=19>
<B><FONT SIZE=1 COLOR="#ff0000"><P>N/A</B></FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE" HEIGHT=19>
<B><FONT SIZE=1 COLOR="#ff0000"><P>Current Issue</B></FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>TROJ_FRAG.CLI.A</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-02</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<B><FONT SIZE=2 COLOR="#ff0000"><P>TROJ_ICONLIB.A</B></FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>N/A</B></FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>Current Issue</B></FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>Trojan.Badcon</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-02</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>Trojan.StartPage</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-02</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<FONT SIZE=2><P>Trojan.Suffer</FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<FONT SIZE=1><P>N/A</FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<FONT SIZE=1><P>CyberNotes-2002-02</FONT></TD>
</TR>
<TR><TD WIDTH="33%" VALIGN="MIDDLE">
<B><FONT SIZE=2 COLOR="#ff0000"><P>VBS_THEGAME.A</B></FONT></TD>
<TD WIDTH="36%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>N/A</B></FONT></TD>
<TD WIDTH="31%" VALIGN="MIDDLE">
<B><FONT SIZE=1 COLOR="#ff0000"><P>Current Issue</B></FONT></TD>
</TR>
</TABLE>
</CENTER></P>
<B><FONT SIZE=2><P ALIGN="CENTER"> </P>
<P>APStrojan.sl:</B> This Trojan attempts to steal AOL Instant Messenger usernames
and passwords. It also logs keystrokes and sends this data to a Yahoo.com e-mail
address. When run, the Trojan copies itself to the WINDOWS\START MENU\PROGRAMS\STARTUP
folder. If AOL Instant Messenger is not installed, an error message appears. All
window titles and keystrokes typed are logged to the file DAT.LOG in the same directory
as the executable (the STARTUP folder). With this information, the Trojan attempts
to create the file C:\PROGRAM FILES\DMSYSMAIL.EML and send it, using MAPI messaging
to </FONT><A HREF="mailto:it090d@yahoo.com"><FONT SIZE=2>it090d@yahoo.com</FONT></A><FONT
SIZE=2>.</P>
<B><P>BackDoor-FB.svr.gen:</B> This Trojan is dropped by the </FONT><A HREF="mailto:W32/Myparty@mm"><FONT
SIZE=2>W32/Myparty@mm</FONT></A><FONT SIZE=2> virus. When the W32/Myparty@MM virus
executable is executed on Windows NT machines (Windows NT, 2000 or XP), a variant
of this backdoor is dropped to the startup folder within the profile of the current
user, MSSTASK.EXE: </P><DIR>
<DIR>
<P>%userprofile%\Start Menu\Programs\Startup\msstask.exe</P></DIR>
</DIR>
<P>This ensures the backdoor is executed upon system startup, at which point it
goes memory resident, and the machine becomes vulnerable. W32/Myparty@MM only
mass-mails itself and drops the backdoor component if the system date is within the
following range: 25th - 29th January 2002, inclusive. Outside of this date range,
no backdoor component is dropped. MSSTASK.EXE is compressed with UPX. Once running,
the backdoor tries to connect to the following IP address: </FONT><A HREF="http://209.151.250.170/"><FONT
SIZE=2>http://209.151.250.170/</FONT></A><FONT SIZE=2>, in order to download the
command file that operates the backdoor. A second W32/Myparty@MM variant, which only
operates between 20th-24th January 2002, drops an identical backdoor component to
that described above. The only difference is the date range in which the backdoor
is dropped.</P>
<B><P>DoS-Winlock:</B> This Trojan initiates a Denial of Service attack against
several systems, most of which are in the langame.net domain. The executable has
been packed with the PECompact packer. When run, the Trojan copies itself to the WINDOWS
directory as NETDLL16.EXE and to the Recycle Bin as Winlock.exe with hidden file attributes.
A WIN.INI entry is added to load itself at startup, run=C:\RECYCLED\winlock.exe.
The next time Windows is rebooted, the Trojan starts its DoS attack and stays resident
in memory.</P>
<B><P>Irc-Smallfeg:</B> Users are most likely to encounter this Trojan in the form
of a dropper (which may be named ModemSpeedEnhancer.Exe). When executed on NT/2000
the dropper creates the folder, %WINDIR%\CACHE, and drops the file SVCHOST.EXE into
it. Subsequently, SVCHOST.EXE is executed as a process. When executed on Windows
9x machines, the dropper is harmless - it does not drop the server component. Once
running as a process, the file JUPE.DLL is dropped in the %WINDIR%\CACHE directory.
This file contains a small amount of encrypted data (possibly information about the
victim machine). The Trojan then attempts to connect to port 6667 of 22 various remote
servers (all -----.--.undernet.org). If successful, the Trojan then attempts to join
a specific channel in the Undernet IRC network, with a nickname built up from two
words stored within the SVCHOST.EXE file (e.g. gold, plat, fat, bomb, hehe, goal).</P>
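<P>DoS-Winlock starts from a WIN.INI run= line that points into C:\RECYCLED, and Irc-Smallfeg runs a file named SVCHOST.EXE from %WINDIR%\CACHE; both are location anomalies that an inventory check can flag. The Python audit below is an added example, not part of CyberNotes; the function names, the directory and file-name lists, and the sample WIN.INI and inventory (constructed, with %WINDIR% assumed to be C:\WINNT) are assumptions.</P>

```python
import ntpath
import re

# Added example. Directory and file-name lists are illustrative assumptions.
RECYCLE_DIRS = {"recycled", "recycler"}
SYSTEM_NAMES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}


def winini_autoruns(text):
    """Return the programs named on run=/load= lines of the [windows] section."""
    section, programs = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "windows" and key.strip().lower() in ("run", "load"):
            # Multiple programs on one line are separated by spaces or commas.
            programs += [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return programs


def path_findings(path):
    """Flag an executable path that sits where the write-ups say it should not."""
    folder, name = ntpath.split(ntpath.normpath(path.strip('"')).lower())
    findings = []
    if RECYCLE_DIRS & set(folder.split("\\")):
        findings.append("executable in Recycle Bin directory")
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        findings.append("system binary name outside system directory")
    return findings


def audit(winini_text, inventory):
    """inventory: (source, path) pairs, e.g. from a process or file listing."""
    items = [("WIN.INI", p) for p in winini_autoruns(winini_text)] + list(inventory)
    return [(src, p, f) for src, p in items for f in path_findings(p)]


# Constructed sample data built from the paths quoted in the write-ups.
SAMPLE_WIN_INI = r"""
; constructed sample
[windows]
load=
run=C:\RECYCLED\winlock.exe
[fonts]
run=not-an-autostart
"""
SAMPLE_INVENTORY = [
    ("process", r"C:\WINNT\CACHE\SVCHOST.EXE"),
    ("process", r"C:\WINNT\system32\svchost.exe"),
    ("file", r"C:\Recycled\REGCTRL.EXE"),
]

if __name__ == "__main__":
    for source, path, finding in audit(SAMPLE_WIN_INI, SAMPLE_INVENTORY):
        print(f"{source:8} {path:32} {finding}")
```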
<B><P>TROJ_DSNX.A (Aliases: DSNX, DSNX.A, Trojan.Win32.DSNX):</B> This destructive
Win32 Trojan gives a remote malicious user access to an infected computer. It compromises
network security. Upon execution, this Trojan copies itself to a WIN&lt;text&gt;.EXE
file in the Windows System directory, where &lt;text&gt; is a randomly generated text
string. It then adds the following registry entry that allows it to run at every
startup:</P><DIR>
<DIR>
<P>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run = WinDSNX </P></DIR>
</DIR>
<P>The Trojan then connects to an IRC server and joins a channel where the remote
malicious user is connected. The remote malicious user may execute any or all of
the following in an infected system:</P>
<UL>
<UL>
<LI>Upload/Download files </LI>
<LI>Perform a port scan on the local area network </LI>
<LI>Flood a specified IP address </LI>
<LI>Log keystrokes </LI>
<LI>Delete files</LI></UL>
</UL>
<B><P>TROJ_ICONLIB.A (Aliases: Trojan.IconLib, ICONLIB.A, ICONLIB):</B> This Trojan's
destructive payload deletes system files on the infected computer. It then replaces
deleted files with copies of itself. Thereafter, the infected system hangs, due to
missing system files, and will no longer restart.</P>
<B><P>Troj/Msstake-A (Alias: BackDoor-AAF):</B> This is a backdoor Trojan that allows
others to have remote access to your machine over a network. It is dropped by the
W32/MyParty-A virus. </P>
<B><P>VBS_THEGAME.A (Alias: THEGAME.A):</B> This Script Trojan has the ability to
mass mail, drop other Trojan files, modify registries, and modify WIN.INI. It is
encrypted but not destructive.</P>
<P> </P></FONT></BODY>
<p><!-- body="end" -->
<hr noshade>
<ul>
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST