Friday, June 30, 2006

Open Office Vulnerability

Open Office Vulnerability - The new version of OpenOffice.org, 2.0.3, corrects
three vulnerabilities. Although no attacks exploiting these vulnerabilities
have yet been detected, users of this office suite are advised to install
the update as soon as possible.

The first of these flaws could allow certain Java applets to break out of
the "sandbox" and therefore gain full access to system resources with the
privileges of the current user. Malicious applets could, among other
things, modify or destroy files and read or send private data.

The second problem corrected is the possibility of injecting macro code
into documents that is executed transparently when the document is
opened, without notifying or consulting the user. The security
consequences are similar to those of the first vulnerability.

Finally, a vulnerability has been corrected in the processing of XML
documents that could cause a buffer overflow. Exploiting this problem
could cause the application to freeze and, possibly, allow command
execution in the context of the current user.

All the vulnerabilities affect OpenOffice.org 1.1.5 and 2.0.x. In the
latter case, users are advised to update to OpenOffice 2.0.3, while
patches are due to be released shortly for version 1.1.5.

More information is available in the security bulletin at:
http://www.openoffice.org/

Current Virus & Trojan Threats

The Kelvir.EO worm, the Kukudro.A virus and the Downloader.JIH Trojan are the subject of this week's report.

Kelvir.EO is a worm with backdoor functions. It spreads by exploiting certain Windows vulnerabilities in the LSASS, RPC DCOM, Workstation Service and Plug and Play services, and then transfers a copy of itself using its own FTP server. Once it has infected a computer, it installs a rootkit, detected as Ruffle.A, in order to disguise its actions. The worm connects to an IRC server and joins a certain channel in order to receive commands that, among other things, can obtain passwords stored in Protected Storage, which holds the passwords for programs including Outlook and Internet Explorer. Kelvir.EO also allows attackers to terminate processes, gather data about the infected system, and update or remove the worm's code.

Kukudro.A is a macro virus that drops the Downloader.JIH Trojan on infected computers, creating a file called 66INSE_1.EXE, a copy of the Trojan, in the root directory of the hard disk. It does this by using an old vulnerability, described in bulletin MS01-34, to bypass the security warning about macros included in Word documents and run its own code automatically. Kukudro.A cannot propagate by itself and therefore needs user interaction in order to spread. The virus spreads in emails with an attachment called My_notebook.doc. This file contains the specifications of a range of different laptop computers.

Finally, Downloader.JIH is a Trojan that downloads the Sality.S virus onto computers. This virus infects executable files and can terminate security processes and capture system information. Once the Trojan is run, it connects to a series of web pages to download an executable file, which it then saves on the infected computer under a random name. Downloader.JIH cannot spread by itself; it has to be dropped by other malware, in this case Kukudro.A, or executed by users as an email attachment or as a file downloaded from the Internet or P2P networks.