
Security Bytes: Sophos spots Windows validation worm

By SearchSecurity.com Staff
03 Jul 2006 | SearchSecurity.com


Sophos spots Windows validation worm
A new worm is on the loose, and it reportedly uses the guise of Microsoft's Windows Genuine Advantage program to lure its victims. UK-based antivirus firm Sophos plc reports that the Cuebot-K worm propagates via America Online Inc.'s AOL Instant Messenger program and registers itself as a system driver service called "wgavn." It runs automatically upon system startup, cloaking itself under the title "Windows Genuine Advantage Validation Notification." According to Sophos, it then disables the Windows firewall and opens a secret backdoor that allows malicious hackers to gain remote access, spy on users and potentially launch a distributed denial-of-service attack.

Microsoft has caused controversy following the recent revamping of its Windows Genuine Advantage strategy. The WGA notification program validates the authenticity of a user's copy of Windows, in hopes of rooting out software pirates. The software giant last month began issuing the program for download as a high-priority software update alongside its urgent security patches. However, some likened the new tool to spyware after it was learned that it contacted Microsoft without a user's knowledge each time a customer restarted his or her PC. Microsoft has since issued a new version of the WGA download and has also published instructions for removing it altogether.

FrSIRT identifies new IE flaw
The French Security Incident Response Team has identified a new flaw in Internet Explorer that could make it vulnerable to remote attacks. The IE memory corruption flaw, which could be exploited by remote attackers to crash a vulnerable browser or take complete control of an affected system, is caused by the HTML Help Control "HHCtrl" when processing a specially crafted property. Attackers could use it to cause a denial of service or execute arbitrary commands if a user is convinced to visit a specially crafted Web page. A patch is not currently available.

Internet Explorer flaws have been coming frequently of late. Late last week, FrSIRT reported two new IE flaws: an origin validation error and a vulnerability involving malicious .hta files. Only days earlier, Microsoft and Symantec warned of flaws and exploits targeting Microsoft's Remote Access Connection Manager (RASMAN), which was patched in the MS06-025 security bulletin June 13, and Windows Live Messenger, the instant messaging client formerly called MSN Messenger.

Sun patches StarOffice flaws
Sun Microsystems Inc. has posted fixes for a trio of flaws affecting its StarOffice productivity software. The first problem can be caused by a Java applet execution flaw that may make it possible for a local or remote user to execute malicious Java applets. Those applets could be used to destroy or replace system files, read or send private data or cause other problems by inducing a local user to load a specially crafted StarOffice document. The second issue involves a macro problem that may make it possible to inject documents with basic code that can be executed upon loading of the document. According to Sun, an affected user will not be aware of the macro, which will have full access to system resources with the current user's privileges. Again, system files may be deleted or replaced and private data may be viewed or sent. The final issue involves malformed XML documents that a non-privileged user may use to crash the application or execute arbitrary commands. Versions of StarOffice and StarSuite on SPARC, x86, Linux and Windows are affected. Danish vulnerability clearinghouse Secunia has listed the vulnerable platforms and links to Sun's patch downloads.

This article originally appeared on SearchSecurity.com.
