Video Screencast Help
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Chen Yu | 13 Sep 2007 07:00:00 GMT | 0 comments

It has recently been discovered thatBaoFeng Storm, a movie player written in Chinese and widely used inChinese-speaking countries, contains multiple buffer-overflowvulnerabilies, some of which are being actively exploited. Thevulnerabilities are related to the ActiveX control used by the softwareand a vulnerable computer simply needs to browse a Web site, whichcontains exploit code, to be compromised. Successful exploitation thenallows remote execution of arbitrary code in the context of theapplication using the ActiveX control (in this case Internet Explorer)and allows the attacker to take full control of the compromisedcomputer. Failed exploit attempts may lead to denial-of-serviceconditions, possibly resulting in the browser crashing.

The vulnerabilities have been confirmed in version and betaversion, although other versions may also be affected, and atthe time of this writing the vulnerabilities remain unpatched. SecurityFocus have also...

Ben Greenbaum | 11 Sep 2007 07:00:00 GMT | 0 comments

Hello, and welcome to this month’s blog on the Microsoft patchreleases. September is a light month, with only 4 releases, eachresolving one issue.

Which is the most critical of these vulnerabilities? Well, itdepends on who you ask. Microsoft lists the issue in the Agent ActiveXcontrol as the only ‘Critical’ update this month, however ourcalculations have resulted in a higher urgency rating for the MSN /Live Messenger issue. Both vulnerabilities grant a remote attacker theability to run arbitrary code on the target machine if the target userperforms a specific action (clicks on a link or accepts an incomingmessage). Microsoft may have rated the ActiveX issue higher because anon-vulnerable upgrade to Messenger has been available for some time.However, we rate the issue in MSN Messenger/Live Messenger higher, dueto the availability of public proof-of-concept code known to work on atleast one platform. From the perspective of an affected user, theknowledge that they could have...

Ollie Whitehouse | 27 Aug 2007 07:00:00 GMT | 0 comments

Recently I bought a NAS (Network Attached Storage) solution for hometo manage backups for the ever increasing number of storage devices weall seem to be accumulating. I did as most people would and selected aconsumer solution from a well-known brand. The brand name on the box,as is not unusual in this day and age, was not the actual developer ofthe underlying reference design. Instead the system was developed by athird-party, including the controller and remote management software,which was subsequently modified to support some proprietary LEDs andgave the company license to slap their logo on it by the name on thebox.

Anyway, this solution was built using GPL software components(Linux, Lighttpd and Perl among others); the vendor and original OEMabided by this license and released all the code on their site(including configurations). I did some digging around and was somewhatdismayed to discover that this product had a number of significantsecurity issues. These...

Shunichi Imano | 18 Aug 2007 07:00:00 GMT | 0 comments

We have in the past repeatedly warned thatfree things on the internet do not always come cost free. And today, wehave to make a kind reminder as we came across a new example.

Security Response received a file with a .tgz file extension, whichexploits a new unknown vulnerability in a free Japanese decompress tool"Lhaz v1.33". The file is detected as Trojan.Lazdropper.

After a successful exploit attempt, Trojan.Lazdropper drops two files, both detected as Backdoor.Trojan,onto the infected computer. As Backdoor.Trojan opens a back door tocommunicate with the author for further actions, it is obvious thatpurpose behind...

Amado Hidalgo | 17 Aug 2007 07:00:00 GMT | 0 comments

Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres,which was attempting to access the online recruitment Web site, It was also uploading data to a remote server. When weaccessed this remote server, we found over 1.6 million entries withpersonal information belonging to several hundred thousand people. Wewere very surprised that this low profile Trojan could have attacked somany people, so we decided to investigate how the data could have beenobtained.

Interestingly, only connections to the subdomains were being made. These subdomainsbelong to the “Monster for employers” only site, the section used byrecruiters and human resources personnel to search for potentialcandidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on...

Parveen Vashishtha | 16 Aug 2007 07:00:00 GMT | 0 comments

In our previous analysis we discussed ‘What is Mpack and how it works.’ We had reviewed MPackversion 0.84 in our previous blog; this time we will compare it with an updated version, MPack v 0.91.

1. The exploits include the existing ones present in v0.84. The list of exploits is present at the end of this blog.

2. There have been some changes to the management and reporting interface. A new file, admin.php, is introduced and stats.php has been removed.

The developers of the toolkit have provided admin.php for secure control and configuration of the Mpack installation. The Mpack owner can set username and password protection by using settings.php. There have been changes in the user interface, cosmetic changes such as better styles used to view, and a copyright logo: (c) 2007 DreamCoders– Logo.


Brian Ewell | 03 Aug 2007 07:00:00 GMT | 0 comments

Symantec has observed active exploitationof a potential 0-day vulnerability in Xunlei Web Thunder. Thisvulnerability has been assigned BID 25192. This vulnerability is closely related to a previously discovered Xunlei vulnerability identified as BID 24552. Exploitation of this new vulnerability may result in arbitrary download of malicious files onto the compromised computer.

Symantec has observed an instance in which a copy of W32.Bratsters was downloaded. In addition to this malware detection, the IPS signature HTTP XunLei WebThunder ActiveX Download also detects the attempted exploitation.


Nicolas Falliere | 01 Aug 2007 07:00:00 GMT | 0 comments

A proof-of-concept code exploiting newly discovered XSSvulnerabilities for the latest version of Wordpress (2.2.1) was postedtoday on a security blog.

The researcher unveiled seven vulnerabilities, cross-site scripting(XSS) or SQL injections, whose consequences range from benign toserious, the critical ones potentially leading to blog compromising. Inhis haste to show his skills, this person also released aproof-of-concept (PoC) code exploiting one of these vulnerabilities.

The PoC in itself, as explained, is supposedly not malicious, and isdesigned to raise awareness and patch vulnerable versions of theWordPress publishing platform. In a few words, here’s how it works:

  • A WordPress administrator browses the “Comments manager” in the administration panel
  • She clicks a link, which redirects to the PoC author’s Web page.This page checks the referrer, to see whether it might originate from alogged-on WordPress administrator (the URL would contain...
Masaki Suenaga | 30 Jul 2007 07:00:00 GMT | 0 comments

Some file formats are more vulnerable toexploits than others. Document and spreadsheet programs, for example,are often exploited, possibly as much because of their prevalence ondesktops as from any other reason. That said, updating them is ofteneasier precisely because of their widespread use, since updates areoften automatic or are otherwise easily obtained.

Less pervasive programs, though, are often harder to keep current. Aprime example of this is the archive format, with extensions such, .rar, etc. There are a wide number of different programsavailable for different platforms; more importantly, they havehistorically been quite vulnerable to exploits.

When security vendors discuss a newly-identified vulnerability in aprogram, there is always the hope that users have the latest version orthat they will quickly upgrade. As we all know, though, the reality isquite different. Even at the enterprise level, employees of any givencompany are often using...

Darren Kemp | 23 Jul 2007 07:00:00 GMT | 0 comments

Attacks targeting vulnerabilities in the Java Runtime Environmentare anything but new. Several researchers have previously visited thistopic and the results have been some fantastic research. However, inrecent weeks the DeepSight Threat Analyst Team has been investigatingseveral Java issues resulting from a notable increase invulnerabilities reported affecting the Java Runtime Environment and itsassociated components.

The threat landscape has seen a dramatic increase in attackstargeting client-side vulnerabilities in recent years. Vulnerabilitieshave been exposed in a variety of applications including media players,Web browsers, ActiveX controls and mail clients, to name just a few.The ubiquitous nature of the Java Runtime Environment makes it a primecandidate for attackers. With this in mind, it is not surprising to seemuch of the preliminary research into exploitation of environments likethe Java Virtual Machine manifest itself both in recently disclosedvulnerabilities...