Video Screencast Help

Security Response

Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Adrian Pisarczyk | 16 Nov 2009 21:03:47 GMT

On November 4, 2009, Marsh Ray published detailed information about a vulnerability that affects the TLS/SSL protocols and allows for limited man-in-the-middle (MITM) attacks. We say “limited” because the attack exploiting this issue would be different from traditionally viewed MITM attacks, which would involve an attacker placing themselves in the middle of the SSL session between a client and a server and being able to intercept, view, and modify any requests or responses exchanged by the two communicating parties. In an attack using this recent TLS vulnerability, due to the way SSL-enabled applications handle the session-renegotiation process, an attacker may inject arbitrary plaintext into the beginning of the application protocol stream. This can affect multiple protocols that can communicate over an SSL session, such as HTTPS, IMAP, POPS, SIP, etc. Note that in this attack, the attacker would have no ability (...

Robert Keith | 10 Nov 2009 19:57:46 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a moderate month—the vendor is releasing six bulletins covering a total of 15 vulnerabilities.

Three of the issues are rated “Critical” and affect Web Services on Devices API, License Logging Server, and the Windows kernel. An attacker could exploit these issues remotely to gain complete control of a vulnerable computer.

The remaining issues, rated “Important”, affect Excel, the Windows kernel, Office, and Active Directory. Although these are only rated “Important” by Microsoft, we consider the Office and Excel issues quite serious and advise customers to apply updates as soon as possible.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or...

Peter Coogan | 04 Nov 2009 19:26:49 GMT

The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.  

...

Robert Keith | 13 Oct 2009 19:09:22 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a very heavy month—the vendor is releasing 13 bulletins covering a total of 34 vulnerabilities.

Twenty-one of the issues are rated “Critical” and affect GDI+, Active Template Library (ATL), Media Player, .NET, Silverlight, Internet Explorer, Server Message Block (SMB), and Media Runtime. Most of those are client-side vulnerabilities that require a victim to open a malicious file or visit a malicious page. The SMB issue is a fairly serious server-side vulnerability that was reported early last month.

The remaining issues, rated “Important” and “Moderate,” affect GDI+, Windows Indexing Service, Windows kernel, CryptoAPI, Internet Information Services (IIS), LSASS, and SMB.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while...

Greg Ahmad | 15 Sep 2009 21:46:13 GMT

Recently we became aware of a new security vulnerability that affects various versions of Microsoft Windows operating systems. This vulnerability allows remote attackers to carry out denial-of-service and local privilege escalation attacks against affected computers and though not confirmed, it may also facilitate remote code-execution with kernel-level privileges.

The issue was publicly released on September 7, 2009, by a researcher named Laurent Gaffié. The researcher published proof-of-concept code and some technical details on the Full Disclosure mailing list. He indicated that the code targets the Microsoft Server Message Block version 2 (SMB v2) protocol implementation in Microsoft Windows Vista and Windows 7 and it could be used to...

Robert Keith | 08 Sep 2009 18:50:03 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing five bulletins covering a total of eight vulnerabilities.

Six of the issues are rated “Critical” and affect DHTML Editing ActiveX control, Windows TCP/IP, Windows Wireless, Windows Media, and JScript. The DHTML, Media, and JScript issues are all familiar client-side vulnerabilities that can allow arbitrary code to run in the context of the currently logged-in user. The TCP/IP issue is a remote code-execution vulnerability that attackers can leverage to gain complete control of a vulnerable computer.

The remaining issues, rated “Important,” are denial-of-service vulnerabilities affecting Windows TCP/IP.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining...

Takashi Katsuki | 08 Sep 2009 13:12:49 GMT

Because PDF-related threats are on the increase in the wild, my colleagues and I have been focusing on the investigation into new ways to stop these threats. The majority of PDF-related exploits can be categorized into two areas.

The first method involves camouflaging the PDF file structure, and the second involves obfuscating the enclosed JavaScript. With the former type of threat, filters (such as an ASCIIHexDecode filter) are employed to change the file content to confuse antivirus engines and disable the use of signature detections. With the latter, it encrypts or obfuscates the exploit code injected into the PDF file, thereby making the exploit code impossible to differentiate from the clean JavaScript.

Between these two types of exploit, the vast majority of threats that are out in the wild are of the obfuscated JavaScript variety. That’s because it’s difficult to change the PDF file while adhering to the PDF file format, thus limiting the actions...

Symantec Security Response | 01 Sep 2009 15:55:02 GMT

A new zero-day exploit that affects Microsoft Internet Information Services (IIS) was posted on Milw0rm yesterday. According to the posting the exploit works on both IIS 5.0 and 6.0, on the FTP module.

We performed some analysis and testing in our lab with the proof-of-concept code that was provided, and we successfully executed arbitrary code remotely on IIS 5.0. Yet, our results with IIS 6.0 were less than conclusive. What this essentially means is that malicious code can be run on the exploited server; however, there are certain conditions that need to be met for remote execution to happen. First of all, only IIS 5.0 and 6.0 are affected, which consequently means that only Windows 2000 and Windows Server 2003 are affected. Second, write access to the FTP server is needed. This can be either through an anonymous account or a valid user account. The proof of concept targets an anonymous account with write permissions; however, we have validated that any account with...

Shunichi Imano | 26 Aug 2009 00:16:31 GMT

Symantec Security Response has found a new threat that spreads through Renren.com, which is a very popular Social Networking Site in China ala Facebook. The threat comes in a form of a Flash video, which pretends to be a famous Pink Floyd promotional video clip "Wish you were here."

Viewing the Flash video results in concealed JavaScript being executed while the video is playing.

imagebrowser image

The video is hosted on a legitimate site. The threat exploits an authentication cookie of a currently logged-in user in order to send out the same link (for the Flash file) to users on the Friends list.

imagebrowser image

We detect this malicious XSS threat as Js.Frienren.

Robert Keith | 11 Aug 2009 19:22:45 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly heavy month—the vendor is releasing nine bulletins covering a total of 19 vulnerabilities.


 


 

Fifteen of the issues are rated “Critical” and affect Active Template Library (ATL), Office Web Components, Remote Desktop Connection, WINS, and Windows AVI file handling. The ATL issues are a continuation of the vulnerabilities addressed in the out-of-band bulletins Microsoft released last month. The two WINS issues, primarily affecting Enterprise...