Video Screencast Help
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Robert Keith | 13 Oct 2009 19:09:22 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a very heavy month—the vendor is releasing 13 bulletins covering a total of 34 vulnerabilities.

Twenty-one of the issues are rated “Critical” and affect GDI+, Active Template Library (ATL), Media Player, .NET, Silverlight, Internet Explorer, Server Message Block (SMB), and Media Runtime. Most of those are client-side vulnerabilities that require a victim to open a malicious file or visit a malicious page. The SMB issue is a fairly serious server-side vulnerability that was reported early last month.

The remaining issues, rated “Important” and “Moderate,” affect GDI+, Windows Indexing Service, Windows kernel, CryptoAPI, Internet Information Services (IIS), LSASS, and SMB.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while...

Greg Ahmad | 15 Sep 2009 21:46:13 GMT

Recently we became aware of a new security vulnerability that affects various versions of Microsoft Windows operating systems. This vulnerability allows remote attackers to carry out denial-of-service and local privilege escalation attacks against affected computers and though not confirmed, it may also facilitate remote code-execution with kernel-level privileges.

The issue was publicly released on September 7, 2009, by a researcher named Laurent Gaffié. The researcher published proof-of-concept code and some technical details on the Full Disclosure mailing list. He indicated that the code targets the Microsoft Server Message Block version 2 (SMB v2) protocol implementation in Microsoft Windows Vista and Windows 7 and it could be used to...

Robert Keith | 08 Sep 2009 18:50:03 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing five bulletins covering a total of eight vulnerabilities.

Six of the issues are rated “Critical” and affect DHTML Editing ActiveX control, Windows TCP/IP, Windows Wireless, Windows Media, and JScript. The DHTML, Media, and JScript issues are all familiar client-side vulnerabilities that can allow arbitrary code to run in the context of the currently logged-in user. The TCP/IP issue is a remote code-execution vulnerability that attackers can leverage to gain complete control of a vulnerable computer.

The remaining issues, rated “Important,” are denial-of-service vulnerabilities affecting Windows TCP/IP.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining...

Takashi Katsuki | 08 Sep 2009 13:12:49 GMT

Because PDF-related threats are on the increase in the wild, my colleagues and I have been focusing on the investigation into new ways to stop these threats. The majority of PDF-related exploits can be categorized into two areas.

The first method involves camouflaging the PDF file structure, and the second involves obfuscating the enclosed JavaScript. With the former type of threat, filters (such as an ASCIIHexDecode filter) are employed to change the file content to confuse antivirus engines and disable the use of signature detections. With the latter, it encrypts or obfuscates the exploit code injected into the PDF file, thereby making the exploit code impossible to differentiate from the clean JavaScript.

Between these two types of exploit, the vast majority of threats that are out in the wild are of the obfuscated JavaScript variety. That’s because it’s difficult to change the PDF file while adhering to the PDF file format, thus limiting the actions...

Symantec Security Response | 01 Sep 2009 15:55:02 GMT

A new zero-day exploit that affects Microsoft Internet Information Services (IIS) was posted on Milw0rm yesterday. According to the posting the exploit works on both IIS 5.0 and 6.0, on the FTP module.

We performed some analysis and testing in our lab with the proof-of-concept code that was provided, and we successfully executed arbitrary code remotely on IIS 5.0. Yet, our results with IIS 6.0 were less than conclusive. What this essentially means is that malicious code can be run on the exploited server; however, there are certain conditions that need to be met for remote execution to happen. First of all, only IIS 5.0 and 6.0 are affected, which consequently means that only Windows 2000 and Windows Server 2003 are affected. Second, write access to the FTP server is needed. This can be either through an anonymous account or a valid user account. The proof of concept targets an anonymous account with write permissions; however, we have validated that any account with...

Shunichi Imano | 26 Aug 2009 00:16:31 GMT

Symantec Security Response has found a new threat that spreads through, which is a very popular Social Networking Site in China ala Facebook. The threat comes in a form of a Flash video, which pretends to be a famous Pink Floyd promotional video clip "Wish you were here."

Viewing the Flash video results in concealed JavaScript being executed while the video is playing.

imagebrowser image

The video is hosted on a legitimate site. The threat exploits an authentication cookie of a currently logged-in user in order to send out the same link (for the Flash file) to users on the Friends list.

imagebrowser image

We detect this malicious XSS threat as Js.Frienren.

Robert Keith | 11 Aug 2009 19:22:45 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly heavy month—the vendor is releasing nine bulletins covering a total of 19 vulnerabilities.



Fifteen of the issues are rated “Critical” and affect Active Template Library (ATL), Office Web Components, Remote Desktop Connection, WINS, and Windows AVI file handling. The ATL issues are a continuation of the vulnerabilities addressed in the out-of-band bulletins Microsoft released last month. The two WINS issues, primarily affecting Enterprise...

Liam O Murchu | 31 Jul 2009 20:20:49 GMT

Some of my colleagues from Symantec and I attended Black Hat in Las Vegas this past week. Wednesday was the first day of talks and there were some very interesting topics discussed. For me, the highlights were the following talks:

• “Stoned Boot Kit,” by Peter Kleissner
• “Using Guided Missiles in Drive-Bys: Automatic browser fingerprinting and exploitation with Metasploit,” by Egypt
• “Attacking Interoperability,” by Mark Dowd, Ryan Smith, and David Dewey

The papers for these presentations are available on the Black Hat website, but I did manage to talk to most of the presenters and get their views on various topics. In this post I’ll talk about the “Using Guided Missiles in Drive-Bys” and follow up with info on the other talks in later posts.

In his presentation “Using Guided Missiles in Drive-Bys,” James Lee (a....

Patrick Fitzgerald | 22 Jul 2009 18:04:10 GMT

Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload. And, during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash—not Adobe Reader as we initially suspected.

An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part...

Hon Lau | 16 Jul 2009 16:44:43 GMT

Web browsers have been having a real torrid time of late, it seems the only people showing them any great attention these days are those looking for new 0-day vulnerabilities. Two weeks ago we blogged about the Microsoft Video Streaming ActiveX control vulnerability (Microsoft Windows 'MPEG2TuneRequest' ActiveX Control Remote Code Execution Vulnerability – BID 35558) that can be exploited through mostly the older but still widely used versions of Internet Explorer 6 and 7. That vulnerability was quite widely used by malware in the attack involving a Trojan named Downloader.Fostrem. The Trojan In turn downloads various other bits and pieces of malware that we detected as...