In-Depth

Security Briefs

New vulnerability erases hard drives; open source tool at risk; Oracle SQL exposure

• By Mathew Schwartz
• 06/16/2004

New Virus Wipes Hard Drive

For every computer user who ever wondered why, if viruses could spread so far so fast, they didn’t more frequently sow real devastation on individual PCs in their path, prepare to meet VBS.Pub, a 5.832 Kbyte worm that deletes all files on an infected computer when it’s the 6th, 13th, 21st, or 28th day of the month.

Users must open the worm, which arrives as an e-mail attachment, to execute it. Symantec says when executed, the worm first creates a VBS [Visual Basic script] of itself if it’s not already in that form, then attaches itself to files with the .asp, .hta, .htm, .htt, .html, .vbe, or .vbs extensions, making those files read-only to prevent attempted re-infection. The worm also sends itself, using Microsoft Outlook, to everyone in that user’s Outlook address book.

Symantec reports that though the potential damage level to a computer is high, so far worm propagation is low.

The worm affects Windows 95, 98, 2000, Me, NT and Windows Server 2003.

For more information:http://www.symantec.com/avcenter/venc/data/vbs.pub.html

- - - -

CVS Vulnerabilities Abound

Several new vulnerabilities affect Concurrent Versioning System (CVS), open source source-code-control software that allows a large number of developers to collaborate remotely. Secunia detailed seven vulnerabilities, each of which could let an attacker compromise a system remotely.

“These new vulnerability discoveries come right on the heel of administrators scrambling to patch their systems from the last CVS vulnerability that was disclosed in late May. Hopefully, the increased attention and scrutiny from CVS developers and Linux vendors focused on the CVS code base since its high-profile compromise will shake loose any other exploitable bugs,” says David Endler, TippingPoint’s director of Digital Vaccine.

Unpatched CVS users face an especial threat from attackers using Trojan software to torpedo open source projects currently underway. Enders says a number of open source projects have been previously sabotaged in this manner, including OpenSSH, Sendmail, TCPDump, and CVS itself. The open source peer-review approach, however, should help eliminate any malicious changes snuck into open source code in development.

Users can upgrade to CVS Feature Version 1.12.9 or CVS Stable Version 1.11.17, in which the vulnerabilities have been fixed. A number of Linux distributors have also upgraded their software.

Link: https://ccvs.cvshome.org/servlets/ProjectDownloadListM

- - - -

Oracle: SQL Injection Vulnerability

Security vulnerability information company Secunia warned of a “highly critical” vulnerability in Oracle’s E-Business Suite, which could lead to disclosure of data or unwanted system access. Versions 11.0.x, and 11.5.1 to 11.5.8, of E-Business Suite are affected. In particular, all users of Oracle’s 11i applications are at risk.

In an online announcement, Stephen Kost of Integrigy Corp., who discovered the vulnerability, notes it’s a SQL injection vulnerability, meaning it “allows an attacker to execute SQL statements or database functions by inserting SQL code fragments into input fields of a Web page.”

Such an attack “can easily and effectively compromise the entire [Oracle] database and application,” he says. Furthermore, “customers with Internet-facing application servers are most vulnerable since these vulnerabilities can be exploited remotely using a browser.” Attacks can be easily disguised—using the HTTP Get or Post command, for example—to “evade most intrusion detection and prevention systems.”

Oracle has released a patch:
http://info.101com.com/default.asp?id=7819