Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Working PoC for MS12-020 Spotted in the Wild
Symantec Security Response | 16 Mar 2012 15:14:44 GMT | 0 comments

A warning against a critical vulnerability in the Remote Desktop Protocol (RDP) was posted by Microsoft on Tuesday, March 13. A patch to close this security hole was released on the same day as part of the regular MS Patch Tuesday release: Microsoft Remote Desktop Protocol CVE-2012-0002 Remote Code Execution Vulnerability (BID 52353).

As RDP listens on a TCP port, this vulnerability can be triggered remotely and could lead to code execution. Hackers are eager to develop an exploit. Security Response can confirm that a Proof of Concept (PoC) resulting in a denial-of-service condition for MS12-020 has been published. Symantec has released IPS signature 25610 (Attack: Microsoft RDP CVE-2012-0002 3) to block attempts to exploit the vulnerability.

...

Read more
Microsoft Patch Tuesday - March 2012
Robert Keith | 13 Mar 2012 19:08:03 GMT | 0 comments

Hello, welcome to this month’s blog on the Microsoft patch release. This is a smaller month—the vendor is releasing six bulletins covering a total of seven vulnerabilities.

Only one of this month's issues is rated ‘Critical’ and it affects the Remote Desktop Protocol. The remaining issues affect the Windows kernel, DNS Server, Expression, Visual Studio, and Windows.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the March releases can be found here:
...

Read more
Microsoft Patch Tuesday - February 2012
Robert Keith | 14 Feb 2012 19:40:31 GMT | 0 comments

Hello, welcome to this month’s blog on the Microsoft patch release. This is a larger month—the vendor is releasing 9 bulletins covering a total of 21 vulnerabilities.

Six of this month's issues are rated ‘Critical’ and they affect Internet Explorer, .NET, Windows, and GDI. The remaining issues affect Internet Explorer, Windows, Visio, and SharePoint.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the February releases can be found here:
...

Read more
MIDI exploit in the wild
Shunichi Imano | 27 Jan 2012 13:06:53 GMT | 0 comments

Symantec Security Response is aware of in-the-wild malware exploiting the Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability (BID 51292). Microsoft has already issued a patch against this vulnerability in the monthly patch release this January. Applying the patch is strongly recommended.

There are several components involved in this live attack:

  • a.exe
  • baby.mid
  • i.js
  • mp.html

Symantec products detect mp.html and i.js as Trojan.Malscript. The vulnerable baby.mid file is detected as Trojan Horse and the end-result file, a.exe, is flagged as Downloader.Darkmegi....

Read more
Microsoft Patch Tuesday - January 2012
Robert Keith | 10 Jan 2012 22:11:27 GMT | 0 comments

Hello, welcome to this month’s blog on the Microsoft patch release. This is a smaller month—the vendor is releasing seven bulletins covering a total of eight vulnerabilities.

Only one of this month's issues is rated 'Critical' and it affects Windows Media. The remaining issues affect Windows, the kernel, and Microsoft’s Anti-Cross Site Scripting library.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the January releases can be found here:
...

Read more
Microsoft Patch Tuesday - December 2011
Robert Keith | 13 Dec 2011 20:31:11 GMT | 0 comments

Hello, welcome to this month’s blog on the Microsoft patch release. This is an average month—the vendor is releasing 13 bulletins covering a total of 19 vulnerabilities.

Three of this month's issues are rated ‘Critical’ and they affect Media Player, Microsoft Time ActiveX control, and the public issue regarding TrueType fonts (currently being exploited by Duqu malware). The remaining issues affect Windows, the kernel, Internet Explorer, Active Directory, Word, Excel, PowerPoint, Active Directory, Publisher, and Office.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter...
Read more
Microsoft Patch Tuesday - November 2011
Robert Keith | 08 Nov 2011 22:48:11 GMT | 0 comments

Hello, welcome to this month’s blog on the Microsoft patch release. This is a small month—the vendor is releasing four bulletins covering a total of four vulnerabilities.

Only one of this month's issues is rated ‘Critical’ and it affects the Windows TCP/IP stack. It potentially can be exploited to completely compromise an affected computer. The remaining issues affect Active Directory, Windows Mail, and Windows kernel-mode drivers.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s...

Read more
Korean Office Software Exploited
Symantec Security Response | 06 Nov 2011 14:57:38 GMT | 0 comments

In late September 2011, it was reported that a previously unknown and un-patched vulnerability in Hancom Office (a word processing software predominantly used in Korea) was exploited in the wild. We often hear of new exploits targeting software used worldwide and while these incidents tend to grab all the attention, we also encounter instances of regional software, which often have a limited user base becoming an exploit target. One example of a similar regional software that was also exploited in malware attacks is Ichitaro - a word processing software mostly used in government organizations and their associates in Japan. 

In this case, we managed to track down a couple of malware samples that exploited the reported vulnerability in the Hancom products. The samples are in document files (file extension .hwp) and an exploit attempt is made when the document is opened on a machine installed with vulnerable...
Read more
Duqu: Status Updates Including Installer with Zero-Day Exploit Found
Vikram Thakur | 01 Nov 2011 17:03:57 GMT | 0 comments

The group that initially discovered the original Duqu binaries, CrySyS, has since located an installer for the Duqu threat. Thus far, no-one had been able to recover the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems. Fortunately, an installer has recently been recovered due to the great work done by the team at CrySyS.

The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries. The chart below explains how the exploit in the Word document file eventually leads to the installation of Duqu.

 

...

Read more
The True Face of Urchin
Karthikeyan Kasiviswanathan | 26 Oct 2011 18:01:04 GMT | 0 comments

In recent days, we have seen blogs about a specific type of Mass Injection campaign. We take this opportunity to publish our findings in this blog.

This particular campaign has already picked up pace and it is infecting a lot of innocent users out there. It all starts with a script that is injected into certain sites. The script itself points to one particular site: “http://[REMOVED]/urchin.js”. Throughout this blog, we will see the different exploits that this particular campaign uses in order to install malicious files on to a compromised computer.

Upon visiting a site with the injected script, the user is redirected to a malicious site. A subsequent redirection takes the user to a site that contains an obfuscated script. When the script is decoded, it reveals an embedded iFrame tag. Below is an example of the de-obfuscated iFrame tag embedded in the site.

...

Read more