Security Watch: Trojans by E-Mail, Acrobat Exploits and More

News Analysis: Larry Loeb takes a look at this week's security news, including current threats to e-mail, Internet Exporer and Adobe Acrobat.

  • New Trojan Attack

The United States Computer Emergency Readiness Team has received reports of an e-mail-based technique for spreading Trojan horse programs. Once opened, the malicious code can collect unauthorized information that can be exploited for various purposes, or permit computers to be used surreptitiously for other malicious activity.

Unlike the usual viral attacks, the e-mails are sent to specific individuals rather than the random distributions associated with phishing attacks or other Trojan horse activity. The sender address is spoofed, indicating that the message comes from a trusted sender. This increases the likelihood that the Trojan code will be activated by the user opening the e-mail.

US-CERT recommends that anomalous slow-running machines be investigated, and any unknown processes or unexpected Internet connections be investigated.

  • MS Internet Explorer Vulnerability Rated "Highly Critical" by Secunia

IEs latest woes include a vulnerability that works around existing patches. The vulnerability is caused due to the "javaprxy.dll COM" object being instantiated incorrectly in Internet Explorer through the object tag. This can be exploited via a malicious Web site to cause a memory corruption.

Exploit code is publicly available. Successful exploitation allows execution of arbitrary code, but requires that the file "javaprxy.dll" exist on the system. The file "javaprxy.dll" is included with Microsoft Java Virtual Machine. No patch is currently available, though some workarounds have been suggested, including de-registering the .dll.

  • Acrobat Reader for Unix Can Be Exploited

The vulnerability in Acrobat Reader for Unix is caused due to a boundary error in "UnixAppOpenFilePerform()" when Acrobat Reader opens a document containing a "/Filespec" tag. This can be exploited to execute arbitrary code with the privileges of the user running Acrobat Reader by tricking the user into opening a specially crafted PDF document.

The vulnerability has been reported in Adobe Acrobat Reader for Unix version 5.0.9 and 5.0.10. The solution is to upgrade to the latest version of Adobe Acrobat Reader for the specific operating system in use.

  • Multiple Vulnerabilities in McAfee IntruShield IPS Management Console

Malicious users that are logged into the McAfee IntruShield IPS Management Console can conduct cross-site scripting attacks, bypass security restrictions, and gain escalated privileges in the Web application.

1) Inputs passed to the "thirdMenuName" and "resourceName" parameters in "SystemEvent.jsp" are not sanitized before being returned to users. This can be exploited to execute arbitrary HTML and script code in a users browser session in context of a vulnerable site.

2) Inputs that are passed to the "AccessRight" parameter in "reports-column-center.jsp" are not properly sanitized before they are used. This can be exploited to view the "Generate Reports" page, which should not be accessible by non-privileged users.

3) Inputs passed to the "fullAccess" parameter in "SystemEvent.jsp" are not being sanitized before they are being used. This can be exploited to gain escalated privileges in the application.

Since the exploits require a successful login, the workaround is to control access to the program.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.