Symantec Blogs: Security Response

Elia Florio | December 10th, 2008

A new and previously unknown vulnerability affecting the Microsoft Internet Explorer 7 browser has been reported, just at the start of the Microsoft “Patch Tuesday” cycle for the month of December. Bad luck, or an intentional strategy by the attackers? It’s not clear at the moment, but the reality is that users around the world started to download and patch their systems just yesterday, while at the same time a new and dangerous exploit surfaced on the Web, trying to infect computers in China and other parts of Asia.

We ran some tests and confirmed that the new vulnerability is, unfortunately, not fixed by the current set of patches released yesterday. The attack is indeed new and it works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches. Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit,...

Elia Florio | March 19th, 2008

Vulnerabilities in Microsoft Access and MSJET40.DLL have been discussed in many blogs recently. Our friends at Panda blogged about a possible (new?) vulnerability of the MS Jet library on March 3rd, and McAfee also blogged this past December about a different vulnerability reported on Bugtraq. Here at Symantec we also reported some of these vulnerabilities to Microsoft, as well as the many targeted attacks carried out with .mdb files since March 2006, but this is almost always the sort of response we get:

"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330"

This sentence translates into a very simple equation: .mdb = .exe...

Elia Florio | November 25th, 2007

Proof of concept exploit code for a newly discovered vulnerability in Apple's QuickTime player has been made available to the public today. The vulnerability (Apple QuickTime RTSP Response Header Content-Length Remote Buffer Overflow Vulnerability) was first reported on November 23rd by Polish security researcher Krystian Kloskowski.

The publicly released exploit works successfully when tested with the latest stand-alone QuickTime player application version 7.3. It does not seem to execute any shellcode when tested with the QuickTime browser plugin, even though the browser crashes due to the buffer overflow.

At the moment we believe the most likely attack scenarios to appear using this vulnerability could be:
1. Email based attacks.
2. Web browser based attacks.

In the email attack scenario the user receives a malicious email with an attachment containing a file with...

Elia Florio | November 6th, 2007

A few weeks ago, we warned users about a new Local Privilege Escalation vulnerability in Windows XP and 2003. The original exploit was found in the wild and actively used against Windows-based computers to gain SYSTEM privileges and install additional malware or bypass other restrictions. It wasn’t just proof-of-concept code, but a malicious exploit used in real (but limited) attacks. Today, Microsoft posted Microsoft Security Advisory (944653) about this issue.

With the release of this advisory, I’d like to answer a few follow-up questions for blog readers:

Q: I don’t play games and I don’t use Macrovision software, so am I safe?
A: No. The vulnerable component affected by the bug is the Macrovision driver...

Elia Florio | October 15th, 2007

During the weekend I found an interesting sample exploiting a possibly new and undocumented vulnerability for Windows XP and 2003. The exploit is a local privilege escalation that allows users with a restricted account to gain a SYSTEM shell with higher privileges. In my tests the exploit seems to work successfully against a fully patched Windows XP-SP2 and also Windows 2003-SP1. At this time, Vista does not seem to be affected by the problem.


We notified Microsoft and they were already aware of this specific issue. The mitigating factor is that the attacker has to be logged onto or have access to the compromised computer with a valid account,...

Elia Florio | June 17th, 2007

When SkyLined released in 2004 one of the first proof-of-concept exploits introducing the “Heap Spraying” technique, he commented [1] his code in this way:

“The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.”

Well, it was not the most efficient thing in the world, but it has been proven to work so well that it actually is the most copied-and-pasted piece of code used to exploit many of the Internet Explorer vulnerabilities discovered since 2004.

So, I was surprised to come across an exploit in the wild that uses a different heap manipulation technique. The malicious code was hosted on a Russian domain (hxxp://crun[REMOVED].info) and was part of one of the typical web attacker toolkits developed by Eastern European gangs. The code exploited...

Elia Florio | June 14th, 2007

We verified a report of a large-scale web attack ongoing in Italy at the moment. The attack is similar to what we described in our previous blog; it just uses a different final domain, which runs the hostile exploits of the Mpack 0.86 kit.



The gang behind the attack had successfully compromised the homepages of hundreds of legitimate Italian websites. We checked many of them and we verified that they now include a malicious IFRAME (detected as Trojan.Mpkit!html) which redirects to the same bad IP address. The list of compromised sites is huge and from Mpack statistics this attack...

Elia Florio | April 3rd, 2007

In these days of “zero-day”, I’ve analyzed many malicious files exploiting some of the recent MS Office vulnerabilities for Word, Excel and PowerPoint. The "Trojan.Mdropper" and “Trojan.PPDropper” families have grown very quickly in the last year, and I was trying to come up with some numbers by looking at the samples received here in the virus lab.

During my analysis I was surprised by some data about the number of samples picked up for Trojan.Mdropper.X. For most of these attacks the number of samples received for a single family is very low (usually less than five samples), and allows vendors to speak of “limited targeted attacks”. However, for Trojan.Mdropper.X the situation was slightly different. The set of Mdropper.X samples exploiting the same CVE-2006-6456 vulnerability has up to 30 different .doc files at the moment and started to increase quickly in the last few months.

There was no evident reason behind these statistics and it seemed obvious to me that...

Elia Florio | January 31st, 2007

We've been getting a lot of requests from people asking what it looks like when your computer is compromised by one of these very limited targeted attacks that involves any of the recent MS Word zero-day vulnerabilities. A targeted attack begins with an incoming email that has a .DOC file attached; a very common event that happens to almost everyone every day. The email sender looks legitimate (it's spoofed of course!) and the document name is selected to appeal to the recipient. For example, if the targeted user is an accountant, then the document would look like a tax certificate or an invoice. For members of governments, it could appear to be an important communication from a Minister. For finance brokers, a stocks analysis and so on...

Targeted attacks are not intended for the masses, so we're never going to see the usual "Very exciting greeting postcard.exe" attached to those emails. But the big question is: what happens when someone opens...

Elia Florio | July 16th, 2006

Just a day after Microsoft released their July security bulletins, a new PowerPoint zero-day vulnerability was discovered as part of a targeted and limited attack. It was Tuesday, July 12th, and it was Microsoft’s "patch day". On July 11th, Microsoft had released seven new security bulletins as part of the standard security life cycle. The following bulletins are rated as “critical” and affect the Microsoft Office suite, which is quickly becoming the next most popular platform exploited by attackers:
• MS06-037 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)
• MS06-038 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
• MS06-039 - Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)

In addition, the MS06-037 patch was long awaited because it fixes several Excel...