Symantec Blogs: Security Response

Symantec Security Response | September 1st, 2009

A new zero-day exploit that affects Microsoft Internet Information Services (IIS) was posted on Milw0rm yesterday. According to the posting the exploit works on both IIS 5.0 and 6.0, on the FTP module.

We performed some analysis and testing in our lab with the proof-of-concept code that was provided, and we successfully executed arbitrary code remotely on IIS 5.0. Yet, our results with IIS 6.0 were less than conclusive. What this essentially means is that malicious code can be run on the exploited server; however, there are certain conditions that need to be met for remote execution to happen. First of all, only IIS 5.0 and 6.0 are affected, which consequently means that only Windows 2000 and Windows Server 2003 are affected. Second, write access to the FTP server is needed. This can be either through an anonymous account or a valid user account. The proof of concept targets an anonymous account with write permissions; however, we have validated that any account with...

Symantec Security Response | October 23rd, 2008

This morning Microsoft released an out-of-band security update, MS08-067, for a vulnerability in the Server service. This issue is tracked as BugTraq ID 31874. This issue affects all supported versions of the Windows operating system.

The weakness allows an attacker to effectively take complete control of a vulnerable system. It is imperative that end users apply the patch from Microsoft as soon as possible.

While we haven't seen widespread exploitation of this issue, there have been reports of a certain file, "n2.exe," being downloaded on compromised computers. This file copies another piece of malicious code onto the compromised computer. Symantec products already detect both of these files as ...

Symantec Security Response | June 3rd, 2008

From the moment the recent earthquake struck in China on May 12th, mass grief poured out from within the Chinese population at the loss of their loved ones. Many thousands of people have donated their time and money, while some have prayed and expressed their grief using the Web. Unfortunately, as is so often the case in such tragic circumstances, miscreants are all too ready to try and create mayhem and profit from the misfortune of others.

In the weeks following the earthquake, the Symantec Security Response team based in Chengdu discovered that a legitimate Web site ([http://]www.85163.cn/q[REMOVED]), which is used for the expression of grief and condolences, had been compromised. The attackers had embedded a malicious IFRAME into the page.

The malicious code pointed to another URL, which in turn caused yet another page to be opened. The latter page contains JavaScript that will attempt to exploit a number of...

Symantec Security Response | March 20th, 2008

This sort of news certainly doesn't come around as frequently or on a strict schedule, but it is nonetheless just as important as (for example) Microsoft's well known "Patch Tuesdays." On Tuesday, March 18th, Apple released a comprehensive security update for Mac OS X 10.4.11 and Mac OS X 10.5.2, as well as a security update package for its Safari Web browser. Apple doesn't follow the same monthly release schedule as its chief competitor, but that doesn't affect the importance of such a security update.

Since the release of these security updates, we have come across all kinds of news feeds and blogs that refer to it as a patch release. Calling it a "patch release" has of course raised the ire of users and readers alike, with arguments ranging from the size of the downloads to comparisons with Microsoft or Linux updates. Some people have referred to it as a software upgrade, but we must call for calm in the industry. :-) Instead of...

Symantec Security Response | April 5th, 2007

In 2006, Web security expert Jeremiah Grossman came up with an interesting attack that can be used to read the history of visitors to a Web page using only a simple piece of JavaScript. In February 2007, RSnake came up with a modification of this attack that does not need JavaScript or any other scripting language. This is a rediscovery of an attack discovered by Andrew Clover in 2002.

In the original proof of concept, a Web site was set up with a script that lists the sites that the user had visited. This was done by creating a set of links and looking up the color attribute of the link text. If the link was visited, it was rendered in a different color than if the page was not visited. The script goes through each of the links, checks the colors and reports back to the owner of the site.

In the new version of this attack, Cascading Style Sheets (CSS) are used to achieve the same result without...

Symantec Security Response | December 11th, 2006

Microsoft have announced they are investigating yet another zero-day vulnerability, apparently unrelated to the December 5 Microsoft Security Advisory 929433. According to their investigations, Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is not affected by the vulnerability. They also report that the vulnerability is being exploited on a very limited and targeted basis. Symantec Security Response is monitoring the situation and will respond appropriately once further information is available. As always, standard best practices apply in this situation and caution should be exercised when dealing with unsolicited attachments from unknown sources as well as from trusted sources.

Symantec Security Response | December 6th, 2006

On December 5, 2006, Microsoft announced they were investigating reports of the exploitation of a zero-day vulnerability in Microsoft Word (described in Microsoft Security Advisory 929433). There is very little information available regarding the technical details of this new vulnerability. Symantec Security Response is monitoring the situation and will respond appropriately once further information is known.

At this time, Security Response has seen various malware binaries which may be related to the limited reports noted by Microsoft. These files are detected as "Downloader" by LiveUpdate virus definitions, version 12/6/2006 rev. 16. At least one known downloaded file is detected as Backdoor.HackDefender, using Rapid Release virus definitions, version 12/6/2006 rev. 25.

The standard best practices apply in this situation and as such, caution should be exercised when...

Symantec Security Response | September 28th, 2006

Update: On September 30, 2006, Symantec Security Response received reports that the WebViewFolderIcon ActiveX control vulnerability is being actively exploited in the wild.

Shortly following the out-of-band patch for the VML vulnerability earlier this week, Microsoft is releasing yet another out-of-band advisory. The latest advisory, released today (September 29, 2006), addresses an ActiveX vulnerability in Microsoft Windows.

The vulnerability is a buffer overflow in the Microsoft WebViewFolderIcon ActiveX control, which, if successfully exploited, will allow an attacker to perform remote code execution on the victim machine. Failed attempts would likely result in browser crashes. Proof-of-concept exploit code is available publicly.

In order to carry out an attack, the attacker would need to employ some form of social engineering (such as emails, instant messages, or banner ads) and try to convince potential victims to click on...

Symantec Security Response | September 18th, 2006

Symantec Security Response is aware of an exploit currently running in the wild on a vulnerability in Microsoft PowerPoint. The exploit targets Chinese language versions of Office 2000 running on Chinese language versions of Windows XP. Thus far, this attack is not widespread and there is no reason to believe it will become more prevalent, based on our experience with similar attacks this year. This is a continuation of the trend (which we have been tracking throughout this year) toward exploiting vulnerabilities in Microsoft Office applications in order to install malware, mainly Trojans.

It is not currently known if other languages or versions are affected by the underlying vulnerability. Symantec has released antivirus definitions that detect this threat as Trojan.PPDropper. All of the normal advice applies here (i.e., don't open attachments from people you don't know or from whom you are not expecting them, and keep your antivirus and security solutions up to date).

...

Symantec Security Response | September 13th, 2006

Just days after Microsoft's September Patch Tuesday announcement, Security Response has confirmed that there is a new Internet Explorer zero-day vulnerability. Because this is an unpatched vulnerability with proof-of-concept exploit code available, Symantec Security Response is considering this to be rated as "critical". The vulnerability itself was announced by XSec.

Upon further analysis, we have determined that the vulnerability is, in fact, a buffer overflow related to how Internet Explorer tries to instantiate a certain DirectAnimation COM object as an ActiveX control. At this point, we believe that successful exploitation of this vulnerability may allow an attacker to execute remote code on the compromised system.

There is no patch available from Microsoft for this particular zero-day exploit, as of yet. In order to provide proactive protection to our customers against malicious attacks that attempt to leverage the vulnerability, Symantec Security...

Symantec Security Response | August 21st, 2006

Over the last few days there's been a lot of buzz about whether or not there is a new zero-day vulnerability in the Microsoft PowerPoint application being exploited. Some people thought that the exploit was a spin-off from the recently announced PowerPoint vulnerability in MS06-048 (in August). However, what Symantec Security Response has determined is that the exploit is in fact based on Microsoft Office vulnerabilities disclosed in MS06-012, which was announced back in March of this year.

Upon analysis of samples related to this particular exploit in question, we discovered that it is related to Trojan.PPDropper, which we've had detection for since August 17, 2006. This file then drops a downloader that will download Keylogger.Trojan from two separate addresses (we've had detection for the downloader and Keylogger.Trojan since August 12, 2006).

Symantec has also determined that the exploit occurs just as you close a PowerPoint document, which is typical of MS06...

Symantec Security Response | August 13th, 2006

In an earlier blog regarding Microsoft's recent vulnerability announcement, MS06-040 (Server service vulnerability) was discussed, along with how this issue would be exploitable for worm-based attacks. Although there were samples of proof-of-concept exploits released last week, it was pretty quiet on this front, until now. We have now seen our first real, in-the-wild style attack leveraging MS06-040.

Here's what we know so far:
• On August 12, 2006 Symantec Security Response detected a new exploit based on MS06-040, dubbed W32.Wargbot. This is a network-aware worm that leverages the described vulnerability to spread itself on vulnerable machines. Once on the compromised machine, W32.Wargbot then proceeds to open an IRC backdoor.
• In response to this new attack, Symantec has released AV signatures specific to W32.Wargbot;...

Symantec Security Response | August 8th, 2006

Guess what time it is (again)? Yep, it's that time of the month when our friends at Microsoft open a bit of their kimono in the interest of "community service". For Star Date August 8, 2006, Microsoft presents us with a cornucopia of issues: 23 vulnerabilities spread over 12 bulletins, to be exact.

Many of the items disclosed are rated "critical" by Microsoft and I couldn't agree more. Some of the items carrying a critical rating are highly exploitable and the most severe of them all is contained in the MS06-040 bulletin entitled "Vulnerability in Server Service Could Allow Remote Code Execution". The bulletin speaks to a buffer overflow condition (in the "Server" service, which is used for sharing resources between Windows machines) that may occur if specially crafted RPC messages are sent to vulnerable machines. If successfully exploited, an attacker can take complete control over the affected system.

Worse yet, do you remember the worms of yore in the not too...

Symantec Security Response | July 13th, 2006

Well, it seems that things will never get too boring around here in Symantec Security Response. There is a new, in-the-wild threat running around on the Internet that is exploiting a previously undisclosed vulnerability in Microsoft PowerPoint.

In particular, attackers can create specially crafted PowerPoint files to exploit the vulnerability. These files can then be special delivered to your computer via your Inbox as an attachment, or perhaps placed on Web pages for downloading (like a wolf in sheep's clothing). All you have to do is open the file—and WHAMMO!—the vulnerability is triggered, potentially allowing the attacker to run his or her code on your machine.

At this point in time, we have discovered a Trojan attached to the PowerPoint exploits that we've seen in the wild, and made antivirus signatures available for it; the Trojan is detected as Trojan.PPDropper.B....

Symantec Security Response | May 18th, 2006

Within the last 24 hours, Security Response has discovered a new attack which exploits a previously undocumented vulnerability in Microsoft Word. The malicious Microsoft Word document is emailed to the victim as an attachment, and upon being opened, it installs an embedded Trojan horse program we are calling Trojan.Mdropper.H.

The dropper Trojan then installs a backdoor, Backdoor.Ginwui, which binds a command shell for allowing remote access to the victim machine by the attacker and contacts a remote web server via HTTP. Both the source and the target of the attack were based in Asia. The Web site that Backdoor.Ginwui was contacting every minute via HTTP POST commands has been taken down, though the IP addresses were being juggled by the attacker.

Security Response has seen a number of attacks like this of late and it really serves to underscore the new threat landscape we're dealing with today. Here are a few of the signs of the times illustrated by this latest attack.

...