Symantec Blogs: Security Response

Security Intel Analysis Team | November 21st, 2009

A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully functional, reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or to a legitimate Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

The exploit targets a vulnerability in the way Internet Explorer uses cascading style sheet (CSS) information. CSS is used in many Web pages to define...

Security Intel Analysis Team | July 6th, 2009

As mentioned in a recent blog, Symantec is aware of the exploitation of a previously unknown and unpatched vulnerability affecting the Microsoft Video Streaming ActiveX control. Initially, there were limited in-the-wild attacks; however, new developments indicate that the flaw is now being exploited to a great extent in China and other parts of Asia. Reports indicate that thousands of websites have been compromised and are now hosting the exploit for this issue.

Our tests show that Microsoft Windows XP systems are affected, while Windows Vista systems do not seem to be affected by the attack. The flaw lies in the “msvidctl.dll” library and can be exploited by providing a crafted file as input to the “data” parameter of the “BDATuner.MPEG2TuneRequest.1” ActiveX object. The object is associated with the following...
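As an added practitioner check (example code, not from the Symantec post), the PowerShell function below reports whether the ActiveX control behind a given ProgID has the Internet Explorer kill bit set. It resolves the CLSID from the registry rather than hard-coding it and reports the in-process server DLL it maps to, so the result can be compared against the "msvidctl.dll" library named above. The ProgID BDATuner.MPEG2TuneRequest.1 comes from the post; the function name and the choice to check both 64-bit and Wow6432Node views are the example's own.

```powershell
# Added example: check the IE kill bit for an ActiveX control by ProgID.
# Not code from the Symantec post. Registry locations are the standard
# IE "ActiveX Compatibility" keys; the function name is this example's own.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ProgId
    )

    $KillBit = 0x00000400   # FLAG_KILL_BIT within the "Compatibility Flags" DWORD

    # Resolve ProgID -> CLSID from HKCR\<ProgID>\CLSID (default value).
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $clsidKey)) {
        return [pscustomobject]@{
            ProgId = $ProgId; Clsid = $null; Registered = $false
            KillBitSet = $null; SetIn = @(); Server = $null
        }
    }
    $clsid = (Get-Item -LiteralPath $clsidKey).GetValue('')

    # The in-process server (DLL) implementing the control, for reporting.
    $server = $null
    foreach ($inproc in @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                          "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32")) {
        if (Test-Path -LiteralPath $inproc) {
            $server = (Get-Item -LiteralPath $inproc).GetValue('')
            break
        }
    }

    # IE reads the kill bit from HKLM. On 64-bit Windows the 32-bit IE uses the
    # Wow6432Node view, so a control is only fully blocked if both views have it.
    $compatKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    )
    $setIn = @()
    foreach ($key in $compatKeys) {
        if (Test-Path -LiteralPath $key) {
            $flags = [int](Get-Item -LiteralPath $key).GetValue('Compatibility Flags', 0)
            if (($flags -band $KillBit) -ne 0) { $setIn += $key }
        }
    }

    [pscustomobject]@{
        ProgId     = $ProgId
        Clsid      = $clsid
        Registered = $true
        KillBitSet = ($setIn.Count -gt 0)
        SetIn      = $setIn        # which registry views carry the kill bit
        Server     = $server       # expected to end in msvidctl.dll for this ProgID
    }
}

# Usage: the ProgID named in the post.
Test-ActiveXKillBit -ProgId 'BDATuner.MPEG2TuneRequest.1' | Format-List
```

Run it in an elevated or normal PowerShell session on the client being assessed; a result of `KillBitSet : False` with `Server` pointing at msvidctl.dll means a Web page can still instantiate the control, which is the precondition for the attack described above.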

Security Intel Analysis Team | December 30th, 2008

This has been an interesting year for high-profile vulnerabilities and security research. In 2008, awareness was raised about a number of high-impact, remote code-execution vulnerabilities affecting both server- and client-side applications. Published attacks targeted important protocols used by critical Internet infrastructure. A number of flaws in cryptographic implementations were also made public. In addition to the aforementioned issues, new exploitation techniques were demonstrated that emphasized the growing trend toward application-specific attacks targeting Web technologies.

Let's begin with a few high-profile memory corruption flaws on the Microsoft Windows front. The year started with a bang: MS08-001, a remotely exploitable memory-corruption vulnerability affecting the Microsoft Windows kernel. Then, in October, we saw in-the-wild exploitation of a previously undisclosed RPC vulnerability affecting...

Security Intel Analysis Team | December 12th, 2008

Hello, this is Anthony from the Symantec Intelligence Analysis Team. Earlier this week we had the opportunity to analyze an interesting shellcode that is associated with the initial malicious exploit attempts against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability (BID 32721). Currently this vulnerability is not patched and there are several public exploits available to leverage the issue. The vulnerability exists due to a flaw in how Internet Explorer handles XML data bindings. Specially crafted XML can lead to object corruption and code execution. I am not going to go into describing the vulnerability in detail because this has already been done well elsewhere. However, I think that the shellcode is unique enough to warrant some discussion.

When...

Security Intel Analysis Team | November 22nd, 2008

Microsoft Security Bulletin MS08-067 was an out-of-band security update, released on October 23, 2008, to address a critical remotely exploitable vulnerability that was being exploited in the wild. The Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability addressed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately, the issue can be exploited by a remote attacker to install malicious applications on a target computer without the victim's knowledge.

Microsoft released a detailed matrix describing the risk that this vulnerability presents to different versions of Microsoft Windows. When reading this matrix it becomes clear that this issue is exploitable by an unauthenticated attacker on Windows 2000, Windows...

Security Intel Analysis Team | October 23rd, 2008

The Symantec DeepSight Threat Analysis team recently observed an interesting attack development related to a known vulnerability type. This seemingly new technique allows attackers to execute a malicious payload immediately on a victim's system, where in the past they weren't able to achieve instant code execution by exploiting such vulnerabilities.

Public examples of this new attack typically employ file-overwrite and file-download vulnerabilities in ActiveX controls to download a malicious file onto the target machine. In the past, attackers were able to download files without much difficulty, but until recently the options for attackers seeking to have malicious programs executed on a victim's system were limited. In order to execute a malicious file on an affected computer, attackers generally needed to place the file in one of the load points such as the "Startup" directory in Microsoft Windows, or use social-engineering or other attacks to have the file executed...
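A defender-side check for the load-point trick described above, as an added example (not the Symantec team's code): the PowerShell function below lists files recently written to the per-user and all-users "Startup" folders, which are the load points a file-download ActiveX flaw would write to, and flags anything with an executable or script extension, since a legitimate Startup folder normally holds only shortcuts. It also lists the HKLM/HKCU Run keys, other common load points not named in the excerpt. The function name, the seven-day default window and the extension list are the example's own choices.

```powershell
# Added example, not code from the post: audit Windows load points for
# recently dropped files. Startup folders come from the post; the Run keys
# are additional well-known load points included for completeness.
function Get-RecentLoadPointEntries {
    param([int]$WithinDays = 7)

    $cutoff = (Get-Date).AddDays(-$WithinDays)

    # Extensions that would run directly from Startup (example's own list).
    $runnable = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd',
                '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta', '.ps1'

    # Per-user and all-users "Startup" folders, resolved through the shell
    # folder API so the path is correct for any Windows version or locale.
    $startupDirs = @(
        [Environment]::GetFolderPath([Environment+SpecialFolder]::Startup),
        [Environment]::GetFolderPath([Environment+SpecialFolder]::CommonStartup)
    )

    foreach ($dir in $startupDirs) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    LoadPoint  = $dir
                    Name       = $_.Name
                    Target     = $_.FullName
                    Written    = $_.LastWriteTime
                    # A dropped program or script in Startup is exactly what the
                    # post describes; shortcuts (.lnk) are the normal content.
                    Suspicious = ($runnable -contains $_.Extension.ToLower())
                }
            }
    }

    # Registry Run keys: listed unfiltered, because registry values carry no
    # per-value write timestamp to compare against the cutoff.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $rk = Get-Item -LiteralPath $key
        foreach ($name in $rk.GetValueNames()) {
            [pscustomobject]@{
                LoadPoint  = $key
                Name       = $name
                Target     = $rk.GetValue($name)
                Written    = $null
                Suspicious = $false   # review manually; no timestamp to judge by
            }
        }
    }
}

# Usage: show the most suspicious entries first.
Get-RecentLoadPointEntries -WithinDays 7 |
    Sort-Object Suspicious -Descending |
    Format-Table LoadPoint, Name, Target, Written, Suspicious -AutoSize
```

The Startup folders are checked with -Force so hidden files are not skipped; a file-download vulnerability that writes the payload with the hidden attribute would otherwise be missed. Anything flagged Suspicious should be checked against the ActiveX file-download pattern described above before it is allowed to run at the next logon.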