30 jul 2004
29 jul 2004
Secunia Weekly Summary - Issue: 2004-31
========================================================================
The Secunia Weekly Advisory Summary
2004-07-22 - 2004-07-29
This week : 43 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
New Features at Secunia.com
Secunia has implemented various statistical features at the websites
for both Secunia advisories and Virus Information.
Secunia Advisories Statistics:
http://secunia.com/advisory_statistics/
Examples of Specific Product Statistics:
http://secunia.com/product/11/ (Internet Explorer 6)
http://secunia.com/product/761/ (Opera 7.x)
http://secunia.com/product/1480/ (Mozilla 1.3)
Secunia Virus Information Statistics:
http://secunia.com/virus_statistics/
Furthermore, Secunia has made it possible for you to include all graphs
available at secunia.com on your own website.
This is described in detail at:
http://secunia.com/secunia_image_inclusion/
========================================================================
2) This Week in Brief:
ADVISORIES:
The Opera Browser is continuously plagued by a vulnerability, which
allows malicious websites to spoof the content of the address bar.
The first time Opera patched this vulnerability was on the 13th of May
2004. Since then, three variants of the same vulnerability have been
found, forcing Opera Software to issue new browser versions with the
latest being version 7.53.
The latest variant is still pending a patch from Opera Software, which
will hopefully develop a permanent solution to this.
Reference:
http://secunia.com/SA12162
http://secunia.com/SA12028
http://secunia.com/SA11901
http://secunia.com/SA11532
--
Mozilla and Mozilla Firefox were reported vulnerable to a certificate
spoofing vulnerability. This could be exploited by a malicious website
to include a certificate from a trusted site, thereby making the
malicious website look like it is "signed" with the trusted site's
certificate.
Reference:
http://secunia.com/SA12160
VIRUS ALERTS:
During the last week, Secunia issued one MEDIUM RISK virus alert and
one HIGH RISK virus alert. Please refer to the grouped virus profiles
below for more information:
Mydoom.M - HIGH RISK Virus Alert - 2004-07-26 20:25 GMT+1
http://secunia.com/virus_information/10755/mydoom.m/
Mydoom.M - MEDIUM RISK Virus Alert - 2004-07-26 17:25 GMT+1
http://secunia.com/virus_information/10755/mydoom.m/
========================================================================
3) This Week's Top Ten Most Read Advisories:
1. [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
2. [SA11978] Multiple Browsers Frame Injection Vulnerability
3. [SA11793] Internet Explorer Local Resource Access and Cross-Zone
Scripting Vulnerabilities
4. [SA12160] Mozilla / Mozilla Firefox "onunload" SSL Certificate
Spoofing
5. [SA12157] Apple Mac OS X Internet Connection Privilege Escalation
6. [SA12162] Opera Browser Address Bar Spoofing Vulnerability
7. [SA12027] Mozilla Fails to Restrict Access to "shell:"
8. [SA12077] mod_ssl Unspecified "mod_proxy" Hook Functions Format
String Vulnerability
9. [SA12028] Opera Browser Address Bar Spoofing Vulnerability
10. [SA11966] Internet Explorer Frame Injection Vulnerability
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA12164] ASPRunner Multiple Vulnerabilities
[SA12165] FTPGlide Exposure of Passwords
UNIX/Linux:
[SA12178] SCO OpenServer update for sendmail
[SA12172] Mandrake update for mod_ssl
[SA12163] Gentoo update for pavuk
[SA12153] Dropbear SSH Server DSS Verification Vulnerability
[SA12152] Pavuk Digest Authentication Buffer Overflow Vulnerabilities
[SA12149] Fedora update for php
[SA12142] Debian update for libapache-mod-ssl
[SA12138] Slackware update for mod_ssl
[SA12131] Gentoo update for mod_ssl
[SA12179] UnixWare update for tcpdump
[SA12171] Mandrake update for webmin
[SA12170] Mandrake update for postgresql
[SA12146] Fedora update for abiword
[SA12144] Debian update for courier
[SA12143] Debian update for mailreader
[SA12139] SuSE update for samba
[SA12136] AbiWord "wv" Library Buffer Overflow Vulnerability
[SA12128] Gentoo update for l2tpd
[SA12168] HP-UX CIFS Server Buffer Overflow Vulnerability
[SA12141] Mandrake update for samba
[SA12133] Red Hat update for samba
[SA12130] Samba Two Buffer Overflow Vulnerabilities
[SA12181] IBM HTTP Server Input Header Folding Denial of Service
Vulnerability
[SA12161] Gentoo update for subversion
[SA12148] Fedora update for subversion
[SA12140] SCO OpenServer update for Mozilla
[SA12134] Sun Java System Portal Server Proxy Authentication Failure
[SA12157] Apple Mac OS X Internet Connection Privilege Escalation
[SA12132] Gentoo update for kernel
[SA12129] InstallAnywhere Insecure Temporary File Creation
Vulnerability
[SA12135] Sun Java System Web Server Cross Site Scripting
Vulnerability
Other:
[SA12154] Thintune Client Multiple Vulnerabilities
Cross Platform:
[SA12177] Check Point VPN-1 ASN.1 Decoding Heap Overflow Vulnerability
[SA12166] Nucleus "itemid" SQL Injection Vulnerability
[SA12162] Opera Browser Address Bar Spoofing Vulnerability
[SA12160] Mozilla / Mozilla Firefox "onunload" SSL Certificate
Spoofing
[SA12159] OpenDocMan "commitchange.php" Unauthorised Commitment of
Changes
[SA12150] Hitachi Web Page Generator Multiple Vulnerabilities
[SA12173] RiSearch Open Proxy Relay Vulnerability
[SA12155] Mensajeitor "AdminNick" Administrative User Spoofing
Vulnerability
[SA12151] EasyWeb FileManager "pathext" Directory Traversal
========================================================================
5) Vulnerabilities Content Listing
Windows:
--
[SA12164] ASPRunner Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of
sensitive information
Released: 2004-07-27
Ferruh Mavituna has reported some vulnerabilities in ASPRunner,
allowing malicious people to conduct SQL injection and cross-site
scripting attacks against pages created using ASPRunner.
Full Advisory:
http://secunia.com/advisories/12164/
--
[SA12165] FTPGlide Exposure of Passwords
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-07-27
Ziv Kamir has reported a security issue in FTPGlide, which can be
exploited by malicious, local users to view usernames and passwords.
Full Advisory:
http://secunia.com/advisories/12165/
UNIX/Linux:
--
[SA12178] SCO OpenServer update for sendmail
Critical: Extremely critical
Where: From remote
Impact: System access, DoS
Released: 2004-07-29
SCO has issued an update for sendmail. This fixes two old
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12178/
--
[SA12172] Mandrake update for mod_ssl
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-28
MandrakeSoft has issued an update for mod_ssl. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12172/
--
[SA12163] Gentoo update for pavuk
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-27
Gentoo has issued an update for pavuk. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12163/
--
[SA12153] Dropbear SSH Server DSS Verification Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-26
Arne Bernin has reported a vulnerability in Dropbear SSH Server,
potentially allowing malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/12153/
--
[SA12152] Pavuk Digest Authentication Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-27
Matthew Murphy has reported multiple vulnerabilities in Pavuk, which
can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/12152/
--
[SA12149] Fedora update for php
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2004-07-26
Fedora has issued an update for php. This fixes two vulnerabilities,
which can be exploited by malicious people to bypass certain security
functionality or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12149/
--
[SA12142] Debian update for libapache-mod-ssl
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-07-23
Debian has issued an update for libapache-mod-ssl. This fixes two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12142/
--
[SA12138] Slackware update for mod_ssl
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-26
Slackware has issued an update for mod_ssl. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/12138/
--
[SA12131] Gentoo update for mod_ssl
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-22
Gentoo has issued an update for mod_ssl. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/12131/
--
[SA12179] UnixWare update for tcpdump
Critical: Moderately critical
Where: From remote
Impact: System access, DoS
Released: 2004-07-29
UnixWare has issued updated packages for tcpdump. These fix three
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a system running
tcpdump.
Full Advisory:
http://secunia.com/advisories/12179/
--
[SA12171] Mandrake update for webmin
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2004-07-28
MandrakeSoft has issued an update for webmin. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) or bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/12171/
--
[SA12170] Mandrake update for postgresql
Critical: Moderately critical
Where: From remote
Impact: System access, DoS
Released: 2004-07-28
MandrakeSoft has issued an update for postgresql. This fixes a
vulnerability in the ODBC driver, which can be exploited by malicious
people to cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/12170/
--
[SA12146] Fedora update for abiword
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-26
Fedora has issued an update for abiword. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.
Full Advisory:
http://secunia.com/advisories/12146/
--
[SA12144] Debian update for courier
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-23
Debian has issued an update for courier. This fixes a vulnerability,
which can be exploited by malicious people to conduct script insertion
attacks.
Full Advisory:
http://secunia.com/advisories/12144/
--
[SA12143] Debian update for mailreader
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-07-23
Full Advisory:
http://secunia.com/advisories/12143/
--
[SA12139] SuSE update for samba
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-23
SuSE has issued an update for samba. This fixes two vulnerabilities,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/12139/
--
[SA12136] AbiWord "wv" Library Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-26
AbiWord is affected by a vulnerability in the "wv" library, which
potentially can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/12136/
--
[SA12128] Gentoo update for l2tpd
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-22
Gentoo has issued an update for l2tpd. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/12128/
--
[SA12168] HP-UX CIFS Server Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-28
HP has confirmed a vulnerability in HP-UX, which potentially can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12168/
--
[SA12141] Mandrake update for samba
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-23
MandrakeSoft has issued an update for samba. This fixes two
vulnerabilities, which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12141/
--
[SA12133] Red Hat update for samba
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-23
Red Hat has issued an update for samba. This fixes two vulnerabilities,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/12133/
--
[SA12130] Samba Two Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-23
Two vulnerabilities have been reported in Samba, potentially allowing
malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12130/
--
[SA12181] IBM HTTP Server Input Header Folding Denial of Service
Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-07-29
IBM has acknowledged a vulnerability in IBM HTTP Server, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/12181/
--
[SA12161] Gentoo update for subversion
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-07-27
Gentoo has issued an update for subversion. This fixes a vulnerability,
which can be exploited by malicious users to read protected files.
Full Advisory:
http://secunia.com/advisories/12161/
--
[SA12148] Fedora update for subversion
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-07-26
Fedora has issued an update for subversion. This fixes a vulnerability,
which can be exploited by malicious users to read protected files.
Full Advisory:
http://secunia.com/advisories/12148/
--
[SA12140] SCO OpenServer update for Mozilla
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information, Security Bypass
Released: 2004-07-23
SCO has issued an update for Mozilla. This fixes some older
vulnerabilities, which potentially expose proxy authentication
credentials, allow cross-domain access, and allow cookie path traversal.
Full Advisory:
http://secunia.com/advisories/12140/
--
[SA12134] Sun Java System Portal Server Proxy Authentication Failure
Critical: Less critical
Where: From local network
Impact: Privilege escalation
Released: 2004-07-23
The vendor has reported a vulnerability in Sun Java System Portal
Server, which may allow malicious users to gain administrative
credentials.
Full Advisory:
http://secunia.com/advisories/12134/
--
[SA12157] Apple Mac OS X Internet Connection Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-27
B-r00t has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/12157/
--
[SA12132] Gentoo update for kernel
Critical: Less critical
Where: Local system
Impact: DoS
Released: 2004-07-22
Gentoo has issued an update for the kernel. This fixes multiple
vulnerabilities, which can be exploited by malicious, local users to
bypass certain restrictions, cause a DoS (Denial of Service), or gain
knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/12132/
--
[SA12129] InstallAnywhere Insecure Temporary File Creation
Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-26
Larry W. Cashdollar has reported a vulnerability in InstallAnywhere,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/12129/
--
[SA12135] Sun Java System Web Server Cross Site Scripting
Vulnerability
Critical: Not critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-23
Sun has issued an update for Sun Java System Web Server. This fixes a
vulnerability, allowing malicious people to conduct Cross Site
Scripting attacks.
Full Advisory:
http://secunia.com/advisories/12135/
Other:
--
[SA12154] Thintune Client Multiple Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-26
Dirk Loss has reported some vulnerabilities in Thintune OS, allowing
malicious people to gain system access and local users to escalate
their privileges.
Full Advisory:
http://secunia.com/advisories/12154/
Cross Platform:
--
[SA12177] Check Point VPN-1 ASN.1 Decoding Heap Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-29
ISS X-Force has discovered a vulnerability in various Check Point VPN-1
products, which can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/12177/
--
[SA12166] Nucleus "itemid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-07-28
aCiDBiTS has reported a vulnerability in Nucleus, allowing malicious
people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/12166/
--
[SA12162] Opera Browser Address Bar Spoofing Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-07-27
bitlance winter has discovered a vulnerability in the Opera browser,
which potentially can be exploited by malicious people to conduct
phishing attacks against a user.
Full Advisory:
http://secunia.com/advisories/12162/
--
[SA12160] Mozilla / Mozilla Firefox "onunload" SSL Certificate
Spoofing
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-07-26
Emmanouel Kellinis has reported a vulnerability in Mozilla and Mozilla
Firefox, allowing malicious sites to abuse SSL certificates of other
sites.
Full Advisory:
http://secunia.com/advisories/12160/
--
[SA12159] OpenDocMan "commitchange.php" Unauthorised Commitment of
Changes
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-26
A vulnerability has been discovered in OpenDocMan, which can be
exploited by malicious users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/12159/
--
[SA12150] Hitachi Web Page Generator Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, DoS
Released: 2004-07-28
Multiple vulnerabilities have been discovered in Web Page Generator,
which can be exploited by malicious people to cause a DoS (Denial of
Service), disclose content of directories, or conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/12150/
--
[SA12173] RiSearch Open Proxy Relay Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-29
A vulnerability has been reported in RiSearch, allowing malicious
people to relay connections.
Full Advisory:
http://secunia.com/advisories/12173/
--
[SA12155] Mensajeitor "AdminNick" Administrative User Spoofing
Vulnerability
Critical: Less critical
Where: From remote
Impact: Spoofing
Released: 2004-07-27
Jordi Corrales has reported a vulnerability in Mensajeitor, which can
be exploited by malicious users to impersonate administrative users.
Full Advisory:
http://secunia.com/advisories/12155/
--
[SA12151] EasyWeb FileManager "pathext" Directory Traversal
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information
Released: 2004-07-26
sullo has reported a vulnerability in EasyWeb FileManager, allowing a
malicious user to retrieve arbitrary files.
Full Advisory:
http://secunia.com/advisories/12151/
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-26
AbiWord is affected by a vulnerability in the "wv" library, which
potentially can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/12136/
--
[SA12128] Gentoo update for l2tpd
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-07-22
Gentoo has issued an update for l2tpd. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/12128/
--
[SA12168] HP-UX CIFS Server Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-28
HP has confirmed a vulnerability in HP-UX, which potentially can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12168/
--
[SA12141] Mandrake update for samba
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-23
MandrakeSoft has issued an update for samba. This fixes two
vulnerabilities, which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12141/
--
[SA12133] Red Hat update for samba
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-23
Red Hat has issued an update for samba. This fixes two vulnerabilities,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/12133/
--
[SA12130] Samba Two Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-23
Two vulnerabilities have been reported in Samba, potentially allowing
malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12130/
--
[SA12181] IBM HTTP Server Input Header Folding Denial of Service
Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2004-07-29
IBM has acknowledged a vulnerability in IBM HTTP Server, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/12181/
--
[SA12161] Gentoo update for subversion
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-07-27
Gentoo has issued an update for subversion. This fixes a vulnerability,
which can be exploited by malicious users to read protected files.
Full Advisory:
http://secunia.com/advisories/12161/
--
[SA12148] Fedora update for subversion
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-07-26
Fedora has issued an update for subversion. This fixes a vulnerability,
which can be exploited by malicious users to read protected files.
Full Advisory:
http://secunia.com/advisories/12148/
--
[SA12140] SCO OpenServer update for Mozilla
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information, Security Bypass
Released: 2004-07-23
SCO has issued an update for Mozilla. This fixes some older
vulnerabilities, which potentially expose proxy authentication
credentials, allow cross-domain access, and allow cookie path traversal.
Full Advisory:
http://secunia.com/advisories/12140/
--
[SA12134] Sun Java System Portal Server Proxy Authentication Failure
Critical: Less critical
Where: From local network
Impact: Privilege escalation
Released: 2004-07-23
The vendor has reported a vulnerability in Sun Java System Portal
Server, which may allow malicious users to gain administrative
credentials.
Full Advisory:
http://secunia.com/advisories/12134/
--
[SA12157] Apple Mac OS X Internet Connection Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-27
B-r00t has reported a vulnerability in Mac OS X, which can be exploited
by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/12157/
--
[SA12132] Gentoo update for kernel
Critical: Less critical
Where: Local system
Impact: DoS
Released: 2004-07-22
Gentoo has issued an update for the kernel. This fixes multiple
vulnerabilities, which can be exploited by malicious, local users to
bypass certain restrictions, cause a DoS (Denial of Service), or gain
knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/12132/
--
[SA12129] InstallAnywhere Insecure Temporary File Creation
Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-07-26
Larry W. Cashdollar has reported a vulnerability in InstallAnywhere,
which can be exploited by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/12129/
--
[SA12135] Sun Java System Web Server Cross Site Scripting
Vulnerability
Critical: Not critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-07-23
Sun has issued an update for Sun Java System Web Server. This fixes a
vulnerability, allowing malicious people to conduct Cross Site
Scripting attacks.
Full Advisory:
http://secunia.com/advisories/12135/
Other:
--
[SA12154] Thintune Client Multiple Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-07-26
Dirk Loss has reported some vulnerabilities in Thintune OS, allowing
malicious people to gain system access and local users to escalate
their privileges.
Full Advisory:
http://secunia.com/advisories/12154/
Cross Platform:
--
[SA12177] Check Point VPN-1 ASN.1 Decoding Heap Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-07-29
ISS X-Force has discovered a vulnerability in various Check Point VPN-1
products, which can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/12177/
--
[SA12166] Nucleus "itemid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-07-28
aCiDBiTS has reported a vulnerability in Nucleus, allowing malicious
people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/12166/
--
[SA12162] Opera Browser Address Bar Spoofing Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-07-27
bitlance winter has discovered a vulnerability in the Opera browser,
which potentially can be exploited by malicious people to conduct
phishing attacks against a user.
Full Advisory:
http://secunia.com/advisories/12162/
--
[SA12160] Mozilla / Mozilla Firefox "onunload" SSL Certificate
Spoofing
Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-07-26
Emmanouel Kellinis has reported a vulnerability in Mozilla and Mozilla
Firefox, allowing malicious sites to abuse SSL certificates of other
sites.
Full Advisory:
http://secunia.com/advisories/12160/
--
[SA12159] OpenDocMan "commitchange.php" Unauthorised Commitment of
Changes
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-26
A vulnerability has been discovered in OpenDocMan, which can be
exploited by malicious users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/12159/
--
[SA12150] Hitachi Web Page Generator Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, DoS
Released: 2004-07-28
Multiple vulnerabilities have been discovered in Web Page Generator,
which can be exploited by malicious people to cause a DoS (Denial of
Service), disclose content of directories, or conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/12150/
--
[SA12173] RiSearch Open Proxy Relay Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-07-29
A vulnerability has been reported in RiSearch, allowing malicious
people to relay connections.
Full Advisory:
http://secunia.com/advisories/12173/
--
[SA12155] Mensajeitor "AdminNick" Administrative User Spoofing
Vulnerability
Critical: Less critical
Where: From remote
Impact: Spoofing
Released: 2004-07-27
Jordi Corrales has reported a vulnerability in Mensajeitor, which can
be exploited by malicious users to impersonate administrative users.
Full Advisory:
http://secunia.com/advisories/12155/
--
[SA12151] EasyWeb FileManager "pathext" Directory Traversal
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information
Released: 2004-07-26
sullo has reported a vulnerability in EasyWeb FileManager, allowing a
malicious user to retrieve arbitrary files.
Full Advisory:
http://secunia.com/advisories/12151/
CA raises the threat level of MyDoom.O
(29/07/2004 06:07): The worm overloads search-engine sites and corporate portals while it hunts for new targets.
SANTIAGO: Computer Associates announces that it has raised the threat level of the Mydoom.O worm to high, based on its exponential growth and its extremely intensive activity levels. Computer users are being advised to check with the sender before acting on any unsolicited mail. E-mails carrying Mydoom.O may use one of the following subjects:
Hello / hi / error / status / test / report delivery failed / Message could not be delivered / Mail System Error - Returned Mail / Delivery reports about your e-mail / Returned mail: see transcript for details / Returned mail: Data format error.
Mydoom.O relies solely on search engines and web sites to find new targets, and the sheer volume of that traffic effectively causes a denial of service. CA has received more than 1,000 samples of Mydoom.O from corporate customers, and the worm is abusing the following sites with intensive search activity:
http://search.lycos.com/
http://www.altavista.com/
http://search.yahoo.com/
http://www.google.com/
"Because Mydoom.O can spread easily from PC to PC, it only takes a couple of uninformed victims to start an avalanche of infections," said Sam Curry, Vice President of eTrust Management at CA, in a press release. "This highlights the need to make sure that worms do not find fertile ground in which to reproduce."
This latest worm is a blended, hybrid threat that uses several techniques to deliver its dangerous payload. CA's Security Advisory Council, which researches and responds to global threats through a worldwide network of rapid-response centres, recommends that home and corporate users check their security/antivirus vendors' sites to keep up with the latest variants, and update their software at least daily given the constant emergence of new viruses.
28 jul 2004
Hispasec - una-al-día 28/07/2004
Todos los días una noticia de seguridad www.hispasec.com
---------------------------------------------------------
Antivirus reaction time indicator
---------------------------------
As a follow-up to the article "Antivirus comparisons and certifications:
the need for a new model", we present a proof of concept for building an
indicator that evaluates the reaction times of antivirus solutions.
The tables below were generated for the VirusTotal presentation at the
e-Gallaecia forum in early June. They record the reaction times of the
first antivirus engines integrated into VirusTotal against the Sasser
variants that had appeared up to that date, Sasser being the most
relevant worm of the moment.
The fields in the tables are: antivirus, date and time at which the
update that detects the variant became available, the name under which
the variant was detected, and reaction time in seconds.
The "reaction time in seconds" field is calculated by subtracting the
date and time the worm appeared In-the-Wild (when real infections are
first detected) from the date and time the update became available.
Since we cannot determine the exact time at which the worm began to act,
we take 00:00 of the day on which its presence was first detected as the
starting point.
The first table covers the first Sasser variant, which appeared on
01/05/2004.
Sasser.A 01.05.2004 0:00:00
Sophos 01.05.2004 9:00:47 :: W32/Sasser-A [32447]
TrendMicro 01.05.2004 11:29:53 :: WORM_SASSER.A [41393]
NOD32 01.05.2004 11:36:45 :: Win32/Sasser.A [41805]
Panda 01.05.2004 11:59:59 :: W32/Sasser.A.worm [43199]
Symantec 01.05.2004 12:40:37 :: W32.Sasser.Worm [45637]
Kaspersky 01.05.2004 18:48:17 :: Worm.Win32.Sasser.a [67697]
McAfee 01.05.2004 18:50:53 :: W32/Sasser.worm [67853]
eTrustAV 03.05.2004 11:38:40 :: Win32/Sasser.A.Worm [214720]
Here we can see that, according to VirusTotal's data, the first
antivirus to detect it was Sophos, on the same day it appeared, at
9:00:47 (all times are Spanish time, GMT+1). Taking 00:00 as the time
Sasser.A appeared, Sophos took 32447 seconds to make the update
available.
The remaining tables, for the subsequent Sasser variants, follow.
Sasser.B 01.05.2004 0:00:00
Kaspersky 01.05.2004 18:48:17 :: Worm.Win32.Sasser.a [67697]
Panda 01.05.2004 20:26:47 :: W32/Sasser.B.worm [73607]
NOD32 01.05.2004 23:39:26 :: Win32/Sasser.B [85166]
TrendMicro 02.05.2004 3:37:50 :: WORM_SASSER.B [99470]
McAfee 02.05.2004 20:04:25 :: W32/Sasser.worm.b [158665]
Symantec 02.05.2004 20:53:40 :: W32.Sasser.B.Worm [161620]
Sophos 02.05.2004 21:25:40 :: W32/Sasser-B [163540]
eTrustAV 03.05.2004 11:38:40 :: Win32/Sasser.B.Worm [214720]
In this second table we can see that Kaspersky recognised the second
Sasser variant with the same signature as the first.
Sasser.C 02.05.2004 0:00:00
Kaspersky 01.05.2004 18:48:17 :: Worm.Win32.Sasser.a [0]
Panda 01.05.2004 20:26:47 :: W32/Sasser.B.worm [0]
NOD32 02.05.2004 17:05:57 :: Win32/Sasser.C [61557]
McAfee 02.05.2004 20:04:25 :: W32/Sasser.worm.c [72265]
Sophos 02.05.2004 21:25:40 :: W32/Sasser-B [77140]
TrendMicro 03.05.2004 2:12:38 :: WORM_SASSER.C [94358]
eTrustAV 03.05.2004 11:38:40 :: Win32/Sasser.C.Worm [128320]
Symantec 03.05.2004 23:13:33 :: W32.Sasser.C.Worm [170013]
In the case of Sasser.C, which began its activity on 02/05/2004, we see
that both Kaspersky and Panda detected it with signatures and updates
from the previous day that were intended for its predecessors. In such
cases, whether the detection comes from an earlier signature or from
heuristics, the reaction time is 0, since the product detected the
variant from the moment it started circulating.
Sasser.D 03.05.2004 0:00:00
Panda 03.05.2004 13:58:08 :: W32/Netsky.AD.worm [50288]
TrendMicro 03.05.2004 16:41:50 :: WORM_SASSER.D [60110]
Kaspersky 03.05.2004 18:27:39 :: Worm.Win32.Sasser.c [66459]
Sophos 03.05.2004 18:28:03 :: W32/Sasser-D [66483]
eTrustAV 03.05.2004 19:15:06 :: Win32/Sasser.D.Worm [69306]
NOD32 03.05.2004 19:15:33 :: Win32/Sasser.D [69333]
Symantec 03.05.2004 23:13:33 :: W32.Sasser.D [83613]
McAfee 04.05.2004 14:49:33 :: W32/Sasser.worm.d [139773]
With Sasser.D every antivirus product had to provide a specific update,
with Panda the first solution to react, followed by TrendMicro.
Sasser.E 09.05.2004 0:00:00
Panda 09.05.2004 5:49:53 :: W32/Sasser.E.worm [20993]
Kaspersky 09.05.2004 7:04:29 :: Worm.Win32.Sasser.d [25469]
NOD32 09.05.2004 13:32:30 :: Win32/Sasser.E [48750]
Symantec 09.05.2004 17:49:13 :: W32.Sasser.E.Worm [64153]
Sophos 10.05.2004 2:03:54 :: W32/Sasser-E [93834]
TrendMicro 10.05.2004 13:38:17 :: WORM_SASSER.E [135497]
McAfee 10.05.2004 22:14:34 :: W32/Sasser.worm.e [166474]
eTrustAV 14.05.2004 0:56:42 :: Win32/Sasser.E.Worm [176202]
With Sasser.E the antivirus products again had to provide a specific
update, since the variant was not detected by earlier signatures. Panda,
followed by Kaspersky, heads the list.
To compute the overall/final ranking across the Sasser variants, we add
up all the reaction times obtained by each antivirus. The lowest value
is the best (that antivirus took the fewest seconds to provide its
updates).
Final ranking
1st Panda 188087
2nd Kaspersky 227322
3rd NOD32 306611
4th TrendMicro 430828
5th Sophos 433444
6th Symantec 525036
7th McAfee 605030
8th eTrustAV 803268
Besides producing a ranking, with Panda, Kaspersky and NOD32 in the top
three places respectively, the reaction-time-in-seconds indicator also
lets us quantify the real difference between positions. For example,
the gap between first and second place is 10 hours, while between fourth
and fifth there are barely 43 minutes. The most significant window,
between first and eighth, is 170 hours.
Based on this indicator we could carry out a continuous evaluation of
antivirus solutions using the most relevant specimens as they emerge,
producing a ranking over a given period on a monthly, quarterly and/or
yearly basis. We could even define minimum response times and offer a
continuous certification, unprecedented to date, with which antivirus
vendors could guarantee users that they deliver the updates that protect
them in due time and form.
One of the first open questions would be deciding which specimens should
take part in the evaluation. Although some cases seem clear (this month,
for instance, the latest Bagle and Mydoom versions would qualify because
of their relevance and the number of infections they achieved), a method
would have to be clearly defined that specifies which sources and
parameters are weighed when selecting the samples for the evaluation.
Another possibility would be to weight the result obtained with each
specimen according to the danger it poses or the propagation levels it
reached, although that would complicate the indicator further.
We look forward to receiving the opinions of antivirus vendors,
professionals and users on everything set out above, and will welcome any
criticism, suggestion or comment, with the aim of offering an evaluation
that is as realistic, consensual and fair as possible.
Comment on this article:
http://www.hispasec.com/unaaldia/2103/comentar
More information:
Antivirus comparisons and certifications: the need for a new model
http://www.hispasec.com/unaaldia/2096 (21/07/2004)
VirusTotal
http://www.virustotal.com
Bernardo Quintero
[email protected]
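The indicator described above is simple enough to recompute from the tables themselves, and doing so is the check a reader should run before quoting the ranking. The script below is an added example for this article, not code from Hispasec or VirusTotal: it transcribes the five Sasser tables as printed, rebuilds each reaction time from the timestamps under the article's rules (appearance pinned to 00:00 of the ITW day, an update older than that moment counts as 0), sums per vendor, and reports any row whose printed seconds disagree with its printed timestamps. On the page's own data it reproduces every figure except one: the eTrustAV row for Sasser.E, where 14.05.2004 0:56:42 measured from 09.05 00:00 gives 435402 seconds, while the table lists 176202 (the value that timestamp would have on 11.05). The ranking can be built from either the listed or the recomputed seconds; eTrustAV stays eighth either way.

```python
"""Recompute the antivirus reaction-time indicator from the article's tables.
Added example for this article (not Hispasec/VirusTotal code). TABLES is
transcribed from the five Sasser tables printed above."""
import re
from datetime import datetime

TABLES = """
Sasser.A 01.05.2004 0:00:00
Sophos 01.05.2004 9:00:47 :: W32/Sasser-A [32447]
TrendMicro 01.05.2004 11:29:53 :: WORM_SASSER.A [41393]
NOD32 01.05.2004 11:36:45 :: Win32/Sasser.A [41805]
Panda 01.05.2004 11:59:59 :: W32/Sasser.A.worm [43199]
Symantec 01.05.2004 12:40:37 :: W32.Sasser.Worm [45637]
Kaspersky 01.05.2004 18:48:17 :: Worm.Win32.Sasser.a [67697]
McAfee 01.05.2004 18:50:53 :: W32/Sasser.worm [67853]
eTrustAV 03.05.2004 11:38:40 :: Win32/Sasser.A.Worm [214720]
Sasser.B 01/05/2004 0:00:00
Kaspersky 01.05.2004 18:48:17 :: Worm.Win32.Sasser.a [67697]
Panda 01.05.2004 20:26:47 :: W32/Sasser.B.worm [73607]
NOD32 01.05.2004 23.39.26 :: Win32/Sasser.B [85166]
TrendMicro 02.05.2004 3:37:50 :: WORM_SASSER.B [99470]
McAfee 02.05.2004 20:04:25 :: W32/Sasser.worm.b [158665]
Symantec 02.05.2004 20:53:40 :: W32.Sasser.B.Worm [161620]
Sophos 02.05.2004 21:25:40 :: W32/Sasser-B [163540]
eTrustAV 03.05.2004 11:38:40 :: Win32/Sasser.B.Worm [214720]
Sasser.C 02/05/2004 0:00:00
Kaspersky 01.05.2004 18:48:17 :: Worm.Win32.Sasser.a [0]
Panda 01.05.2004 20:26:47 :: W32/Sasser.B.worm [0]
NOD32 02.05.2004 17:05:57 :: Win32/Sasser.C [61557]
McAfee 02.05.2004 20:04:25 :: W32/Sasser.worm.c [72265]
Sophos 02.05.2004 21:25:40 :: W32/Sasser-B [77140]
TrendMicro 03.05.2004 2:12:38 :: WORM_SASSER.C [94358]
eTrustAV 03.05.2004 11:38:40 :: Win32/Sasser.C.Worm [128320]
Symantec 03.05.2004 23:13:33 :: W32.Sasser.C.Worm [170013]
Sasser.D 03/05/2004 0:00:00
Panda 03.05.2004 13:58:08 :: W32/Netsky.AD.worm [50288]
TrendMicro 03.05.2004 16:41:50 :: WORM_SASSER.D [60110]
Kaspersky 03.05.2004 18:27:39 :: Worm.Win32.Sasser.c [66459]
Sophos 03.05.2004 18:28:03 :: W32/Sasser-D [66483]
eTrustAV 03.05.2004 19:15:06 :: Win32/Sasser.D.Worm [69306]
NOD32 03.05.2004 19:15:33 :: Win32/Sasser.D [69333]
Symantec 03.05.2004 23:13:33 :: W32.Sasser.D [83613]
McAfee 04.05.2004 14:49:33 :: W32/Sasser.worm.d [139773]
Sasser.E 09/05/2004 0:00:00
Panda 09.05.2004 5:49:53 :: W32/Sasser.E.worm [20993]
Kaspersky 09.05.2004 7:04:29 :: Worm.Win32.Sasser.d [25469]
NOD32 09.05.2004 13:32:30 :: Win32/Sasser.E [48750]
Symantec 09.05.2004 17:49:13 :: W32.Sasser.E.Worm [64153]
Sophos 10.05.2004 2:03:54 :: W32/Sasser-E [93834]
TrendMicro 10.05.2004 13:38:17 :: WORM_SASSER.E [135497]
McAfee 10.05.2004 22:14:34 :: W32/Sasser.worm.e [166474]
eTrustAV 14.05.2004 0:56:42 :: Win32/Sasser.E.Worm [176202]
"""

VARIANT_RE = re.compile(r"^(Sasser\.\w+)\s+(\S+)\s+(\S+)$")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+::\s+(\S+)\s+\[(\d+)\]$")


def parse_stamp(day, clock):
    """Dates appear as dd.mm.yyyy or dd/mm/yyyy; one row writes the clock with dots."""
    day, clock = day.replace("/", "."), clock.replace(".", ":")
    return datetime.strptime(f"{day} {clock}", "%d.%m.%Y %H:%M:%S")


def reaction_seconds(appeared, update):
    """Article's rule: an update that predates the ITW moment counts as 0."""
    return max(0, int((update - appeared).total_seconds()))


def parse_tables(text=TABLES):
    """Return {variant: {vendor: (computed_secs, listed_secs, detection_name)}}."""
    result, variant, appeared = {}, None, None
    for line in text.strip().splitlines():
        m = VARIANT_RE.match(line)
        if m:  # variant header: pins the ITW appearance at 00:00 of that day
            variant, appeared = m.group(1), parse_stamp(m.group(2), m.group(3))
            result[variant] = {}
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        vendor, day, clock, name, listed = m.groups()
        secs = reaction_seconds(appeared, parse_stamp(day, clock))
        result[variant][vendor] = (secs, int(listed), name)
    return result


def discrepancies(parsed):
    """Rows whose printed seconds do not follow from their printed timestamps."""
    return [(v, vendor, secs, listed)
            for v, rows in parsed.items()
            for vendor, (secs, listed, _) in rows.items() if secs != listed]


def ranking(parsed, use_listed=False):
    """Sum per vendor across all variants; the lowest total ranks first."""
    totals = {}
    for rows in parsed.values():
        for vendor, (secs, listed, _) in rows.items():
            totals[vendor] = totals.get(vendor, 0) + (listed if use_listed else secs)
    return sorted(totals.items(), key=lambda kv: kv[1])


def gap_hours(ranked, i, j):
    """Hours separating ranking positions i and j (1-based), as in the article."""
    return (ranked[j - 1][1] - ranked[i - 1][1]) / 3600
```

Running `ranking(parse_tables(), use_listed=True)` returns the article's eight totals in the article's order, and `discrepancies(parse_tables())` returns only the Sasser.E/eTrustAV row. The zero-clamp in `reaction_seconds` is what makes Kaspersky and Panda score 0 on Sasser.C; without it their earlier signatures would count as negative time and distort the sums.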