Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Robert Keith | 09 Oct 2007 07:00:00 GMT | 0 comments

Hello, and welcome once again to themonthly Microsoft patch roundup. This month’s release is relativelylight, with six bulletins available addressing a total of ninevulnerabilities.

1. Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (KB923810)

CVE-2007-2217, BID 25909
Microsoft Windows Kodak Image Viewer Remote Code Execution Vulnerability
(MS Rating: Critical; Symantec Urgency Rating: 7)

This is a client-side, remote code execution vulnerability in theKodak Image Viewer when viewing specially crafted image files. Anattacker can exploit this issue to execute arbitrary code in thecontext of the victim running the affected application. A victim wouldneed to view a malicious image to trigger this vulnerability.

Windows XP and Windows 2003 installations are only vulnerable if they were upgraded from Windows 2000.

Affected Products:
Windows 2000 Server SP4; Windows XP SP2; and Windows Server...

Patrick Fitzgerald | 03 Oct 2007 07:00:00 GMT | 0 comments

Wireless Equivalency Protocol (WEP) has been one of the hottesttopics in Irish news over the last few days. One of the leadingproviders of DSL in Ireland has supplied users with wireless routersprotected using WEP. What made this newsworthy is that it has emergedthat the WEP keys used to encrypt the network traffic and to controlaccess to a private network were generated using the (Service SetIdentifier) SSID. The algorithm used to generate the encryption keyshas been analyzed and a tool is freely available which allows anyonewithin range of the router to trespass on a wireless network that hasbeen secured using the default settings.

The DSL provider and media reports are advising customers that ifthey change their WEP keys, they will be safe from any trespassers ormalicious attackers trying to get onto their network. While it is truechanging the default WEP settings will mitigate this particular attackit will not make your wireless network secure.

WEP is a flawed...

Aaron Adams | 25 Sep 2007 07:00:00 GMT | 0 comments

As little as three years ago, the concept of remote kernelexploitation remained arcane for most people in the security industryand was believed in some circles to be practically impossible, mostlydue to reliability issues. However, things in the security realm changequickly. Reliable exploit techniques come and go, new securitymechanisms are introduced, and arcane exploitation concepts arerevisited. Sometimes an exploitation concept that was once brushed offas too unreliable is reconsidered, bringing it again into focus as auseful and feasible attack vector.

Kernel vulnerabilities themselves are nothing new, of course. Theexploitation of local kernel flaws has been a popular pastime for manyresearchers and hackers over the years, and in many cases these flawswere shown to be exploited just as reliably as a local flaw in userlandsoftware. However, being local to the system has its advantages; thelevel of interactivity with the system and the data that is availablemake for...

David McKinney | 19 Sep 2007 07:00:00 GMT | 0 comments

Volume XII of the Internet Security Threat Report (ISTR)is now out. In this report, we discuss how attackers have been usingtrusted Web sites as a means of reaching their victims. This trend is,in part, facilitated by something that we call “site-specificvulnerabilities”, which are vulnerabilities that are limited to aparticular Web site or service. These vulnerabilities are typicallypresent in the proprietary Web-based applications that drive theservices provided by the site.

What initially tipped us off to the increasing prevalence ofsite-specific vulnerabilities was actually a drop in the proportion ofWeb application vulnerabilities. In this report, we observed that 61percent of vulnerabilities affected Web applications, which is a dropfrom the 66 percent in the previous report. (Our discussion of Webapplication vulnerabilities includes only those Web applications...

Chen Yu | 13 Sep 2007 07:00:00 GMT | 0 comments

It has recently been discovered thatBaoFeng Storm, a movie player written in Chinese and widely used inChinese-speaking countries, contains multiple buffer-overflowvulnerabilies, some of which are being actively exploited. Thevulnerabilities are related to the ActiveX control used by the softwareand a vulnerable computer simply needs to browse a Web site, whichcontains exploit code, to be compromised. Successful exploitation thenallows remote execution of arbitrary code in the context of theapplication using the ActiveX control (in this case Internet Explorer)and allows the attacker to take full control of the compromisedcomputer. Failed exploit attempts may lead to denial-of-serviceconditions, possibly resulting in the browser crashing.

The vulnerabilities have been confirmed in version 2.7.9.8 and betaversion 2.7.9.9, although other versions may also be affected, and atthe time of this writing the vulnerabilities remain unpatched. SecurityFocus have also...

Ben Greenbaum | 11 Sep 2007 07:00:00 GMT | 0 comments

Hello, and welcome to this month’s blog on the Microsoft patchreleases. September is a light month, with only 4 releases, eachresolving one issue.

Which is the most critical of these vulnerabilities? Well, itdepends on who you ask. Microsoft lists the issue in the Agent ActiveXcontrol as the only ‘Critical’ update this month, however ourcalculations have resulted in a higher urgency rating for the MSN /Live Messenger issue. Both vulnerabilities grant a remote attacker theability to run arbitrary code on the target machine if the target userperforms a specific action (clicks on a link or accepts an incomingmessage). Microsoft may have rated the ActiveX issue higher because anon-vulnerable upgrade to Messenger has been available for some time.However, we rate the issue in MSN Messenger/Live Messenger higher, dueto the availability of public proof-of-concept code known to work on atleast one platform. From the perspective of an affected user, theknowledge that they could have...

Ollie Whitehouse | 27 Aug 2007 07:00:00 GMT | 0 comments

Recently I bought a NAS (Network Attached Storage) solution for hometo manage backups for the ever increasing number of storage devices weall seem to be accumulating. I did as most people would and selected aconsumer solution from a well-known brand. The brand name on the box,as is not unusual in this day and age, was not the actual developer ofthe underlying reference design. Instead the system was developed by athird-party, including the controller and remote management software,which was subsequently modified to support some proprietary LEDs andgave the company license to slap their logo on it by the name on thebox.

Anyway, this solution was built using GPL software components(Linux, Lighttpd and Perl among others); the vendor and original OEMabided by this license and released all the code on their site(including configurations). I did some digging around and was somewhatdismayed to discover that this product had a number of significantsecurity issues. These...

Shunichi Imano | 18 Aug 2007 07:00:00 GMT | 0 comments

We have in the past repeatedly warned thatfree things on the internet do not always come cost free. And today, wehave to make a kind reminder as we came across a new example.

Security Response received a file with a .tgz file extension, whichexploits a new unknown vulnerability in a free Japanese decompress tool"Lhaz v1.33". The file is detected as Trojan.Lazdropper.

After a successful exploit attempt, Trojan.Lazdropper drops two files, both detected as Backdoor.Trojan,onto the infected computer. As Backdoor.Trojan opens a back door tocommunicate with the author for further actions, it is obvious thatpurpose behind...

Amado Hidalgo | 17 Aug 2007 07:00:00 GMT | 0 comments

Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres,which was attempting to access the online recruitment Web site,Monster.com. It was also uploading data to a remote server. When weaccessed this remote server, we found over 1.6 million entries withpersonal information belonging to several hundred thousand people. Wewere very surprised that this low profile Trojan could have attacked somany people, so we decided to investigate how the data could have beenobtained.

Interestingly, only connections to the hiring.monster.com andrecruiter.monster.com subdomains were being made. These subdomainsbelong to the “Monster for employers” only site, the section used byrecruiters and human resources personnel to search for potentialcandidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on...

Parveen Vashishtha | 16 Aug 2007 07:00:00 GMT | 0 comments

In our previous analysis we discussed ‘What is Mpack and how it works.’ We had reviewed MPackversion 0.84 in our previous blog; this time we will compare it with an updated version, MPack v 0.91.

1. The exploits include the existing ones present in v0.84. The list of exploits is present at the end of this blog.

2. There have been some changes to the management and reporting interface. A new file, admin.php, is introduced and stats.php has been removed.

The developers of the toolkit have provided admin.php for secure control and configuration of the Mpack installation. The Mpack owner can set username and password protection by using settings.php. There have been changes in the user interface, cosmetic changes such as better styles used to view, and a copyright logo: (c) 2007 DreamCoders– Logo.

MPack...