Editor's note: As a service to our readers and with the permission of the Computer Emergency Response Team (CERT), we are publishing CERT's quarterly summary of issues that have come before its incident response team.
CERT Summary CS-2000-03
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.
Past CERT summaries are available from http://www.cert.org/summaries/.
Since the last regularly scheduled CERT summary, issued in May (CS-2000-02), we have published information on a vulnerability in rpc.statd on Linux systems, several ActiveX controls, vulnerabilities in Outlook and Outlook Express, security considerations for using chat software, hidden file extensions, and vulnerabilities in many FTP daemons.
1. Input Validation Vulnerability in rpc.statd.
We have begun receiving multiple daily reports of sites being root compromised via a recently discovered vulnerability in rpc.statd. These issues are described in CERT Advisory CA-2000-17 Input Validation Problem in rpc.statd.
We have received a number of reports that indicate that intruders are performing widespread scanning for this vulnerability and using toolkits to automate the compromise of vulnerable machines.
2. Multiple Vulnerabilities in FTP Daemons.
The CERT/CC continues to receive regular reports of intruders probing for and exploiting vulnerabilities in many FTP server implementations. Sites are strongly encouraged to follow the advice contained in CA-2000-13 to protect systems running FTP servers.
CERT Advisory CA-2000-13, Two Input Validation Problems in FTPD.
Additionally, we receive daily reports from sites indicating that intruders are scanning large network blocks for vulnerable FTP servers.
3. ActiveX Control Vulnerabilities.
Exploitations of a vulnerability in the Scriptlet.Typelib ActiveX control are discussed in CERT Incident Note IN-2000-06. This vulnerability allows local files to be created or modified, and is used in viruses such as Bubbleboy and kak.
CERT Incident Note IN-2000-06, Exploitation of "Scriptlet.Typelib" ActiveX Control.
Additionally, information about a serious vulnerability in the HHCtrl ActiveX control was published in CERT Advisory CA-2000-12. This vulnerability could allow remote intruders to execute arbitrary code.
CERT Advisory CA-2000-12, HHCtrl ActiveX Control Allows Local Files to be Executed.
4. Exploitation of Hidden File Extensions.
Attackers have used a number of malicious programs to exploit the default behavior of Windows operating systems to hide file extensions from the user.
This behavior can be used to trick users into executing malicious code by making a file appear to be something it is not.
CERT Incident Note IN-2000-07, Exploitation of Hidden File Extensions.
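As an added illustration for this item (written for this summary, not taken from the CERT incident note), the following Python check approximates how Windows Explorer displays a name when "Hide file extensions for known file types" is on, and flags names whose displayed form suggests a document while the real extension is executable. The extension sets and the sample attachment names are constructed assumptions, not an exhaustive list or real incident data.

```python
from typing import List, NamedTuple

# Assumption: a representative subset of extensions Windows launches directly.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf", "hta", "lnk"}
# Extensions a user would read as a harmless document or media file.
DOCUMENT_EXTS = {"txt", "doc", "xls", "pdf", "jpg", "gif", "bmp", "mp3", "zip", "htm", "html"}


class ExtensionCheck(NamedTuple):
    filename: str    # name as stored on disk
    displayed: str   # name as Explorer shows it with known extensions hidden
    real_ext: str    # extension Windows actually dispatches on
    deceptive: bool  # displayed name looks like a document, real type is executable


def explorer_display_name(filename: str) -> str:
    """Drop the final extension if it is one Windows knows, as Explorer does."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def check_filename(filename: str) -> ExtensionCheck:
    real_ext = filename.rpartition(".")[2].lower() if "." in filename else ""
    displayed = explorer_display_name(filename)
    # Runs of spaces before the real extension push it out of view in narrow
    # columns; strip them before reading the extension the user perceives.
    visible = displayed.rstrip()
    apparent_ext = visible.rpartition(".")[2].lower() if "." in visible else ""
    deceptive = real_ext in EXECUTABLE_EXTS and apparent_ext in DOCUMENT_EXTS
    return ExtensionCheck(filename, displayed, real_ext, deceptive)


def flag_deceptive(filenames: List[str]) -> List[ExtensionCheck]:
    """Return the checks for names whose displayed form misrepresents their type."""
    results = (check_filename(name) for name in filenames)
    return [r for r in results if r.deceptive]


# Constructed sample attachment names (not from any real incident).
SAMPLE_NAMES = [
    "quarterly-report.doc",                        # benign, shown as "quarterly-report"
    "quarterly-report.doc.exe",                    # shown as "quarterly-report.doc"
    "holiday-photo.jpg                    .scr",   # padding hides the real extension
    "setup.exe",                                   # honest executable, shown as "setup"
    "README",                                      # no extension at all
]

if __name__ == "__main__":
    for r in flag_deceptive(SAMPLE_NAMES):
        print(f"{r.filename!r} is displayed as {r.displayed.rstrip()!r} but runs as .{r.real_ext}")
```

A mail gateway or file-share audit can apply check_filename to attachment and download names and quarantine anything flagged for review.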
5. Outlook and Outlook Express Cache Bypass Vulnerability.
A vulnerability in Microsoft (Corp.) Outlook and Outlook Express that can allow a remote attacker to read certain types of files on the user's machine is detailed in CERT Advisory CA-2000-14.
CERT Advisory CA-2000-14, Microsoft Outlook and Outlook Express Cache Bypass Vulnerability.
6. Chat Clients and Network Security.
CERT Incident Note IN-2000-08 outlines the security issues inherent in the use of chat client software. We have published this information in response to inquiries about the risks this type of software poses to an organization.
CERT Incident Note IN-2000-08, Chat Clients and Network Security.
Expiration of CERT PGP Keys
On September 30, 2000, the operational CERT PGP keys will expire.
Sites using these keys should be prepared to update their keyrings.
More information about the CERT PGP keys can be found at: http://www.cert.org/contact_cert/encryptmail.html.
The new PGP keys will also be available at this location when they are created.
The CERT Coordination Center publishes an XML RSS 0.91 format file containing headlines about recently published CERT Advisories, Incident Notes, Vulnerability Notes, and Summaries. Using this RSS channel, Internet sites can automate creation of Web site pointers to the latest computer security information from the CERT/CC.
More information about the CERT/CC RSS channel can be found at http://www.cert.org/channels/.
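As an added example of the automation the RSS channel makes possible (written for this summary, not code from the CERT/CC), the following Python reads an RSS 0.91 headline file and renders a list of Web pointers. Because the feed is third-party input, titles and links are HTML-escaped and only http/https links are kept; the sample channel, its titles and URLs are constructed, not copied from the live feed.

```python
import html
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed RSS 0.91 sample in the shape of a headline channel (illustrative
# titles and example.org URLs, not the real CERT/CC feed).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="0.91">
  <channel>
    <title>Example Security Headlines</title>
    <link>http://www.example.org/</link>
    <description>Constructed sample channel</description>
    <item>
      <title>Advisory: Outlook &amp; Outlook Express Cache Bypass</title>
      <link>http://www.example.org/advisories/example-14.html</link>
    </item>
    <item>
      <title>Item with a non-web link (dropped)</title>
      <link>javascript:void(0)</link>
    </item>
  </channel>
</rss>"""


def parse_rss091(xml_text: str) -> List[Tuple[str, str]]:
    """Return (title, link) pairs for the channel's items; non-http(s) links are dropped."""
    root = ET.fromstring(xml_text)
    if root.tag != "rss" or root.get("version") != "0.91":
        raise ValueError("not an RSS 0.91 document")
    headlines = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        if title and link.lower().startswith(("http://", "https://")):
            headlines.append((title, link))
    return headlines


def render_pointers(headlines: List[Tuple[str, str]]) -> str:
    """Render an HTML list; escaping keeps feed text from becoming markup on our page."""
    rows = [
        f'<li><a href="{html.escape(link, quote=True)}">{html.escape(title)}</a></li>'
        for title, link in headlines
    ]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


if __name__ == "__main__":
    print(render_pointers(parse_rss091(SAMPLE_RSS)))
```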
"CERT/CC Current Activity" Web Page
The CERT/CC Current Activity Web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC. It is available from http://www.cert.org/current/current_activity.html.
The information on the Current Activity page is reviewed and updated as reporting trends change.
What's New and Updated
Since the last CERT summary, we have published new and updated
- Advisories
- Incident notes
- Vulnerability notes
- Tech tips/FAQs, including one on how the FBI (U.S. Federal Bureau of Investigation) investigates computer crimes
- CERT/CC statistics
- Infosec Outlook newsletter
- Security improvement modules
- Security improvement implementations
There are descriptions of these documents and links to them on our "What's New" web page at http://www.cert.org/summaries/CS-2000-03.html.
This document is available from:
CERT/CC Contact Information
Email: firstname.lastname@example.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more information.
Getting Security Information
CERT publications and other security information are available from our Web site http://www.cert.org/.
To be added to our mailing list for advisories and bulletins, send email to email@example.com and include SUBSCRIBE your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Copyright 2000 Carnegie Mellon University.