Symantec Blogs: Security Response

Peter Coogan | November 4th, 2009

The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.  

...

Robert Keith | October 13th, 2009

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a very heavy month—the vendor is releasing 13 bulletins covering a total of 34 vulnerabilities.

Twenty-one of the issues are rated “Critical” and affect GDI+, Active Template Library (ATL), Media Player, .NET, Silverlight, Internet Explorer, Server Message Block (SMB), and Media Runtime. Most of those are client-side vulnerabilities that require a victim to open a malicious file or visit a malicious page. The SMB issue is a fairly serious server-side vulnerability that was reported early last month.

The remaining issues, rated “Important” and “Moderate,” affect GDI+, Windows Indexing Service, Windows kernel, CryptoAPI, Internet Information Services (IIS), LSASS, and SMB.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while...

Greg Ahmad | September 15th, 2009

Recently we became aware of a new security vulnerability that affects various versions of Microsoft Windows operating systems. This vulnerability allows remote attackers to carry out denial-of-service and local privilege escalation attacks against affected computers and, though not confirmed, it may also facilitate remote code execution with kernel-level privileges.

The issue was publicly released on September 7, 2009, by a researcher named Laurent Gaffié. The researcher published proof-of-concept code and some technical details on the Full Disclosure mailing list. He indicated that the code targets the Microsoft Server Message Block version 2 (SMB v2) protocol implementation in Microsoft Windows Vista and Windows 7 and it could be used to trigger a denial-of-service...

Robert Keith | September 8th, 2009

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing five bulletins covering a total of eight vulnerabilities.

Six of the issues are rated “Critical” and affect DHTML Editing ActiveX control, Windows TCP/IP, Windows Wireless, Windows Media, and JScript. The DHTML, Media, and JScript issues are all familiar client-side vulnerabilities that can allow arbitrary code to run in the context of the currently logged-in user. The TCP/IP issue is a remote code-execution vulnerability that attackers can leverage to gain complete control of a vulnerable computer.

The remaining issues, rated “Important,” are denial-of-service vulnerabilities affecting Windows TCP/IP.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining...

Takashi Katsuki | September 8th, 2009

Because PDF-related threats are on the increase in the wild, my colleagues and I have been focusing on the investigation into new ways to stop these threats. The majority of PDF-related exploits can be categorized into two areas.

The first method involves camouflaging the PDF file structure, and the second involves obfuscating the enclosed JavaScript. With the former type of threat, filters (such as an ASCIIHexDecode filter) are employed to change the file content in order to confuse antivirus engines and defeat signature detections. With the latter, the exploit code injected into the PDF file is encrypted or obfuscated, making it impossible to differentiate from clean JavaScript.

Between these two types of exploit, the vast majority of threats that are out in the wild are of the obfuscated JavaScript variety. That’s because it’s difficult to change the PDF file while adhering to the PDF file format, thus limiting the actions...

Symantec Security Response | September 1st, 2009

A new zero-day exploit that affects Microsoft Internet Information Services (IIS) was posted on Milw0rm yesterday. According to the posting, the exploit works against the FTP module on both IIS 5.0 and 6.0.

We performed some analysis and testing in our lab with the proof-of-concept code that was provided, and we successfully executed arbitrary code remotely on IIS 5.0. Yet, our results with IIS 6.0 were less than conclusive. What this essentially means is that malicious code can be run on the exploited server; however, there are certain conditions that need to be met for remote execution to happen. First of all, only IIS 5.0 and 6.0 are affected, which consequently means that only Windows 2000 and Windows Server 2003 are affected. Second, write access to the FTP server is needed. This can be either through an anonymous account or a valid user account. The proof of concept targets an anonymous account with write permissions; however, we have validated that any account with...

Shunichi Imano | August 25th, 2009

Symantec Security Response has found a new threat that spreads through Renren.com, a very popular social networking site in China, à la Facebook. The threat comes in the form of a Flash video, which pretends to be a famous Pink Floyd promotional video clip, "Wish you were here."

Viewing the Flash video results in concealed JavaScript being executed while the video is playing.


The video is hosted on a legitimate site. The threat exploits an authentication cookie of a currently logged-in user in order to send out the same link (for the Flash file) to users on the Friends list.


We detect this malicious XSS threat as...

Robert Keith | August 11th, 2009

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly heavy month—the vendor is releasing nine bulletins covering a total of 19 vulnerabilities.

Fifteen of the issues are rated “Critical” and affect Active Template Library (ATL), Office Web Components, Remote Desktop Connection, WINS, and Windows AVI file handling. The ATL issues are a continuation of the vulnerabilities addressed in the out-of-band bulletins Microsoft released last month. The two WINS issues, primarily affecting Enterprise...

Liam O Murchu | July 31st, 2009

Some of my colleagues from Symantec and I attended Black Hat in Las Vegas this past week. Wednesday was the first day of talks and there were some very interesting topics discussed. For me, the highlights were the following talks:

• “Stoned Boot Kit,” by Peter Kleissner
• “Using Guided Missiles in Drive-Bys: Automatic browser fingerprinting and exploitation with Metasploit,” by Egypt
• “Attacking Interoperability,” by Mark Dowd, Ryan Smith, and David Dewey

The papers for these presentations are available on the Black Hat website, but I did manage to talk to most of the presenters and get their views on various topics. In this post I’ll talk about the “Using Guided Missiles in Drive-Bys” and follow up with info on the other talks in later posts.

In his presentation “Using Guided Missiles in Drive-Bys,” James Lee (a.k.a. “...

Patrick Fitzgerald | July 22nd, 2009

Recently we came into possession of an Adobe Acrobat PDF file that, upon opening, drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload, and during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash—not Adobe Reader, as we initially suspected.

An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part...

Hon Lau | July 16th, 2009

Web browsers have been having a real torrid time of late; it seems the only people showing them any great attention these days are those looking for new 0-day vulnerabilities. Two weeks ago we blogged about the Microsoft Video Streaming ActiveX control vulnerability (Microsoft Windows 'MPEG2TuneRequest' ActiveX Control Remote Code Execution Vulnerability – BID 35558), which is exploited mostly through the older but still widely used Internet Explorer 6 and 7. That vulnerability was quite widely used by malware in the attack involving a Trojan named Downloader.Fostrem. The Trojan in turn downloads various other bits and pieces of malware that we detected as Backdoor.Trojan and...

Robert Keith | July 14th, 2009

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing six bulletins covering a total of nine vulnerabilities.

Six of the issues are rated “Critical” and affect Windows, DirectX, and Windows OpenType Font engine. One of the DirectX issues and one of the ActiveX issues were previously disclosed back in May of this year and earlier this month. Both issues have also seen active exploit attempts in the wild. The remaining issues, rated “Important,” affect Publisher, Virtual PC, Virtual Server, and ISA Server.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block...

Security Intel Analysis Team | July 6th, 2009

As mentioned in a recent blog, Symantec is aware of the exploitation of a previously unknown and unpatched vulnerability affecting the Microsoft Video Streaming ActiveX control. Initially, there were limited in-the-wild attacks; however, new developments indicate that the flaw is now being exploited to great extent in China and other parts of Asia. Reports indicate that thousands of websites have been compromised and are now hosting the exploit for this issue.

Our tests show that Microsoft Windows XP systems are affected, while Windows Vista systems do not seem to be affected by the attack. The flaw lies in the “msvidctl.dll” library and can be exploited by providing a crafted file as input to the “data” parameter of the “BDATuner.MPEG2TuneRequest.1” ActiveX object. The object is associated with the following...

Joji Hamada | July 5th, 2009

It's Independence Day weekend in the United States and many folks are out at picnics and barbecues, and catching fireworks shows. However, some of us here in the security industry missed out on these events due to a new exploit for a zero-day vulnerability in Microsoft's Video Streaming ActiveX control that we discovered in the wild right before the weekend started.

The exploit uses a specially crafted JavaScript file, along with a data file, to take advantage of a vulnerability in the IMPEG2TuneRequest DirectX object interface located in the Msvidctl.dll file. When a user visits a malicious website hosting these files, the vulnerability allows remote code execution and malicious files are downloaded.

Windows XP users with Internet Explorer 6 and 7 are in danger, but those with Internet Explorer 8 installed are not vulnerable. Preliminary testing shows that computers running Windows Vista are not affected by the attack....

Shunichi Imano | July 3rd, 2009

As previously promised, Security Researcher Aviv Raff officially launched the Month of Twitter Bugs (MoTB) website on July 1. Aviv will be posting a “Twitter bug a day” on MoTB in order to raise awareness of Twitter APIs and to warn end users of potential problems with the software and systems they use.

MoTB will be following a limited disclosure approach. On the bright side for Twitter, third-party service providers and Twitter themselves are notified of high-risk vulnerabilities at least 24 hours in advance, giving service providers time to create patches before the information goes public on MoTB. When a vulnerability notification is issued, it is hoped that having a deadline will push the affected provider to take action, and the resulting solution will protect end users. On the other hand, if the provider cannot—or will not—come up with a solution in time, the vulnerability information will be posted on MoTB and the bad guys are likely to...