
Security Response

Showing posts tagged with Vulnerabilities & Exploits
Shunichi Imano | 03 Jul 2009 16:10:42 GMT

I know people are getting sick of malware, attacks, and blogs associated with recent celebrities’ deaths, especially over the past week. But, here we go again. Even a week after Michael Jackson's death was announced, some people refuse to accept that he is gone. Well, after 32 years, some fanatical followers still believe Elvis Presley is alive.

Security Response has found a suspiciously titled PDF file named “Elvis_Presley_is_alive!!!.pdf.” Maybe Elvis really is still alive, but this particular Elvis has hellhounds with him in the form of exploit code and malware.

When the malicious PDF file is opened, users won’t see any pictures or articles on the aging “King of Rock 'n' Roll,” but instead the file tries to exploit three separate PDF vulnerabilities:

• Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (...

Liam O Murchu | 19 Jun 2009 13:38:03 GMT | 0 comments

In part one of this blog, I gave an overview of the exploitation flow for the recent DirectShow vulnerability. With no patch for this vulnerability available as of yet, the fact that we are seeing this exploit used more commonly in the wild is worrying. In this article I will discuss the exploit, how it works, and mitigation strategies to protect against it.

To get straight to the mitigation strategies, jump to the bottom of the page. This vulnerability does not exist in Windows Vista or Windows Server 2008.

The Vulnerability

To trigger this vulnerability, attackers are currently enticing users to visit a malicious page. Attackers have become quite adept at doing this by embedding iframe tags in legitimate pages, among other techniques. This is the most likely attack vector. We have seen iframe tags pointing to this exploit inside phishing pages already and we do expect to see iframe tags added...
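The iframe injection described above leaves a recognisable footprint in a compromised page: a frame that loads from a host other than the page's own and is hidden by a zero pixel size, a CSS rule, or an enclosing hidden element. The following scanner, added here as an example and not code from the original post, walks an HTML document with the standard-library parser and reports such frames. The sample page, the host names in it and the set of hiding heuristics are constructed for illustration; a site's own widgets hosted on a sibling domain will be reported as external and need whitelisting.

```python
"""Scan an HTML page for iframes that look injected: they load from a host
other than the page's own and are hidden by size, style, or a hidden container.
Added example; not part of the original post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not captured from a real site): one legitimate
# same-origin frame plus two injected frames of the kind described above,
# pointing at placeholder hosts.
SAMPLE_HTML = """
<html><body>
<h1>Welcome to example.com</h1>
<iframe src="/widgets/news.html" width="300" height="200"></iframe>
<p>Some content<br>more content</p>
<iframe src="http://evil.example.net/x.php" width="0" height="0" frameborder="0"></iframe>
<div style="display:none"><iframe src="http://other.example.org/a/"></iframe></div>
</body></html>
"""

# CSS fragments commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Elements with no closing tag; they must not stay on the container stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixels."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class IframeFinder(HTMLParser):
    """Walks the document, tracking whether the current position is inside a
    container hidden by CSS, and records external iframes with hiding signs."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []        # (tag, hidden?) for each open non-void element
        self.findings = []     # (src, [reasons]) for suspicious iframes

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        if tag != "iframe":
            if tag not in VOID_TAGS:
                self.stack.append((tag, bool(HIDDEN_STYLE.search(style))))
            return
        src = a.get("src") or ""
        host = urlparse(src).netloc.lower()
        # A relative src or the page's own netloc counts as first-party content;
        # any other netloc (including sibling subdomains) is treated as external.
        external = bool(host) and host != self.page_host
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden-style")
        if any(hidden for _, hidden in self.stack):
            reasons.append("hidden-container")
        if external and reasons:
            self.findings.append((src, reasons))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed inner elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_injected_iframes(html_text, page_host):
    """Return [(src, reasons), ...] for iframes loading from another host that
    are hidden by size, style, or an enclosing hidden element."""
    finder = IframeFinder(page_host)
    finder.feed(html_text)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for src, reasons in find_injected_iframes(SAMPLE_HTML, "example.com"):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
```

Run it over a page fetched with the same headers a browser would send, since injected frames are sometimes served only to browser user agents; the scan is a triage aid and a visible, full-size frame to an attacker-controlled host will not be reported by these heuristics.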

Liam O Murchu | 17 Jun 2009 21:44:25 GMT | 0 comments

In this article I will outline the stages involved in the full exploitation of the recent DirectShow vulnerability. In particular I will discuss a specific example of how this exploit was used in the wild. The recent DirectShow vulnerability was interesting for a number of reasons and to explore each of those reasons in detail I will first give an overview of the entire exploitation flow, and then explore individual portions in more detail.

Some of the first pages to use this exploit for this vulnerability in the wild were linked from phishing pages. The phishing pages in question not only attempted to steal the visitors’ login credentials, but also silently redirected users to a malicious Web page hosting an exploit for the DirectShow vulnerability (CVE-2009-1537). This malicious Web page loads a corrupt .avi file that exploits the vulnerability and also loads some additional...

Robert Keith | 09 Jun 2009 20:41:41 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a very heavy month—the vendor is releasing 10 bulletins covering a total of 31 vulnerabilities, which is the largest number of vulnerabilities covered in a single "Patch Tuesday" since Microsoft started the monthly patch program.

A video of Symantec Security Response’s John Harrison discussing the vulnerabilities addressed this month can be viewed here: http://www.youtube.com/watch?v=-X51L07fk48

Seventeen of the issues are rated “Critical” and affect Office, Print Spooler, Excel, Word, Internet Explorer, and Active Directory. The more severe of the two Active Directory issues can be remotely exploited to gain complete access to a vulnerable computer. In most cases, the remaining “Critical” issues require some sort of user interaction to trigger (e.g. visiting a...

Robert Keith | 12 May 2009 18:58:57 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a light month in bulletin count but a moderate one in vulnerabilities—the vendor is releasing one bulletin covering a total of 14 vulnerabilities. This is the first time we've seen a single bulletin cover so many vulnerabilities since Microsoft started the monthly patch program.

All the issues are remote code-execution vulnerabilities in PowerPoint, and Microsoft has rated 11 of them “Critical.” For any of these issues to be triggered, a victim must open a specially crafted file with a vulnerable version of PowerPoint.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.

Microsoft’s summary of the May releases can be found here:

...

Robert Keith | 14 Apr 2009 19:16:49 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly heavy month—the vendor is releasing eight bulletins covering a total of 21 vulnerabilities. Two of these issues are covered in more than one bulletin: CVE-2008-2540 in MS09-015 and MS09-014, and CVE-2009-0550 in MS09-013 and MS09-014.

Ten of the issues, rated “Critical,” are remote code-execution vulnerabilities affecting WordPad, Word, DirectX, Windows HTTP services, Internet Explorer, and Excel. The remaining issues, rated “Important” and “Moderate,” affect Windows, Internet Explorer, ISA Server, WordPad, and Windows HTTP services. Nearly all of the bulletins this month address issues that were previously disclosed or are variants of those issues.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Block external access at the...

Sean Hittel | 09 Apr 2009 20:57:45 GMT | 0 comments

First the CollectEmailInfo vulnerability was exploited in the wild, then the util.printf vulnerability, followed by JBIG2, and Foxit. With the level of obfuscation of the exploits often used, distinguishing each vulnerability in the wild has become a problem. An in-the-wild exploit against the Adobe Reader Collab.getIcon vulnerability (described in BID 34169) was discovered on April 5. Adobe has already updated Reader to patch this...
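The obfuscation problem raised above, and the three-exploit PDF described in the Elvis post earlier on this page, both come down to the same triage question: which of the known Reader JavaScript API names does a suspicious file actually reference once its strings are decoded? The script below is an added example, not code from the original posts. It pulls JavaScript out of /JS literal strings, hex strings and Flate-compressed streams, undoes the three string-hiding tricks most often seen (unescape, String.fromCharCode, literal concatenation) and reports which API names appear. The sample PDF and its obfuscated JavaScript are constructed here and contain no exploit payload; the only identifier taken from the page is BID 34169 for Collab.getIcon.

```python
"""Triage a PDF for the Reader JavaScript API names named above after undoing
common string obfuscation (unescape, String.fromCharCode, concatenation).
Added example; not part of the original posts."""
import re
import zlib
from urllib.parse import unquote

# Method names to look for in decoded JavaScript. Only the BID for
# Collab.getIcon comes from the post; the other entries are name-only.
INDICATORS = {
    "getIcon": "Collab.getIcon (BID 34169)",
    "collectEmailInfo": "Collab.collectEmailInfo",
    "printf": "util.printf",
}


def deobfuscate(js):
    """Collapse the three string-hiding tricks most often seen in PDF JavaScript.
    %uXXXX escapes, arithmetic on char codes and eval chains are not handled."""
    # unescape("%43%6f...") -> "Co..."
    js = re.sub(r'unescape\(\s*(["\'])((?:%[0-9a-fA-F]{2})+)\1\s*\)',
                lambda m: '"' + unquote(m.group(2)) + '"', js)
    # String.fromCharCode(103,101,...) -> "ge..."
    js = re.sub(r'String\.fromCharCode\(\s*([\d\s,]+)\)',
                lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")
                                        if n.strip()) + '"', js)
    # "a" + "b" -> "ab", repeated until no adjacent literals remain
    while True:
        new = re.sub(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"',
                     lambda m: '"' + m.group(1) + m.group(2) + '"', js)
        if new == js:
            return js
        js = new


def extract_js(pdf):
    """Collect JavaScript bodies from /JS literal strings, /JS hex strings and
    FlateDecode streams. Simplified: no nested parentheses in literals, no
    nested dictionaries, no object streams; real triage needs a PDF parser."""
    bodies = []
    for m in re.finditer(rb'/JS\s*\(((?:\\.|[^\\)])*)\)', pdf, re.S):
        bodies.append(m.group(1).decode("latin-1"))
    for m in re.finditer(rb'/JS\s*<([0-9a-fA-F\s]+)>', pdf):
        hexdigits = re.sub(rb'\s', b'', m.group(1)).decode()
        bodies.append(bytes.fromhex(hexdigits).decode("latin-1"))
    for m in re.finditer(rb'<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream', pdf, re.S):
        d, body = m.group(1), m.group(2)
        if b'/FlateDecode' in d:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        bodies.append(body.decode("latin-1"))
    return bodies


def triage(pdf):
    """Return the sorted list of indicator labels present in the PDF bytes."""
    hits = set()
    if b'/JBIG2Decode' in pdf:
        hits.add("JBIG2Decode filter")   # worth a look on its own after the JBIG2 bug
    for js in extract_js(pdf):
        clean = deobfuscate(js)
        for name, label in INDICATORS.items():
            if re.search(r'\b' + name + r'\b', clean):
                hits.add(label)
    return sorted(hits)


# Constructed sample: obfuscated lookups of two of the API names, with no
# exploit payload, wrapped in a minimal PDF whose /OpenAction points at a
# Flate-compressed JavaScript stream.
OBFUSCATED_JS = (
    'var c = unescape("%43%6f%6c%6c%61%62");\n'
    'var m = String.fromCharCode(103,101,116,73,99,111,110);\n'
    'var u = "ut" + "il"; var f = "pr" + "intf";\n'
    'var target = [c, m, u, f];\n'
)


def build_sample_pdf(js):
    body = zlib.compress(js.encode("latin-1"))
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage(build_sample_pdf(OBFUSCATED_JS)))
```

A name match is a reason to look closer, not proof of an exploit: legitimate forms call util.printf too, and a kit that builds the method name at run time from arithmetic or eval will slip past this decoder, which is exactly why the post argues for detection at the vulnerability rather than the string level.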

Sean Hittel | 23 Mar 2009 22:48:01 GMT | 0 comments

Last year when Adobe Acrobat was being exploited in the wild, some were calling for people to switch their PDF reader software as a defense against the exploits targeting Acrobat Reader. While application diversity can enhance an individual's ability to withstand broadcast attacks, it is important to consider that any alternative software still needs to be maintained, and consideration needs to be given as to how security systems handle this software. If a replacement application is not handled well by perimeter systems, has security been improved by the replacement?

Today's Web attack toolkit operators are often content with only a small percentage of success with their attacks. This often means that they are deploying any and every functional exploit they can get their hands on without regard for how successful it may be. Thinking that one can simply move to software that is not currently being exploited is not a good long term solution. In the long term, moving...

John McDonald | 17 Mar 2009 10:14:48 GMT | 0 comments

Well, it's that time of year again. April is the first month of the fiscal year in Japan, and a time when people look forward to the breath-taking beauty of cherry blossoms—known as sakura in Japan—slowly covering the country from end to end for an all-too-brief few weeks. Unfortunately it also seems to be a time malicious code authors in the Land of the Rising Sun see as opportune to do some of their dirty work. In this case, that misuse of perfectly good time resulted in the release of an exploit for a new Ichitaro vulnerability.

JustSystems’ Ichitaro is one of the most widely used word processing programs in Japan. On this occasion, a specially crafted Ichitaro word document creates a randomly named .tmp file in the Windows system directory. This .tmp file then drops and opens a legitimate Ichitaro word document, but it also creates a file named “beer80.exe” in the system directory. The .exe file will be unseen by the user and will,...

Robert Keith | 10 Mar 2009 18:23:09 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month. The vendor is releasing three bulletins covering a total of eight vulnerabilities. Ben Greenbaum (Sr. Research Manager, Symantec Security Response) discusses these vulnerabilities in a video that can be viewed here.

Of the eight vulnerabilities, only one is rated “Critical”—a remote code-execution vulnerability affecting the Windows kernel. This is a fairly serious issue, because a successful exploit will result in a complete compromise of the affected computer. The remaining issues, all rated “Important”, affect the Windows kernel, SChannel, and Windows WINS and DNS servers.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Block external access...