Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Brian Ewell | 03 Aug 2007 07:00:00 GMT | 0 comments

Symantec has observed active exploitationof a potential 0-day vulnerability in Xunlei Web Thunder. Thisvulnerability has been assigned BID 25192. This vulnerability is closely related to a previously discovered Xunlei vulnerability identified as BID 24552. Exploitation of this new vulnerability may result in arbitrary download of malicious files onto the compromised computer.

Symantec has observed an instance in which a copy of W32.Bratsters was downloaded. In addition to this malware detection, the IPS signature HTTP XunLei WebThunder ActiveX Download also detects the attempted exploitation.

...

Nicolas Falliere | 01 Aug 2007 07:00:00 GMT | 0 comments

A proof-of-concept code exploiting newly discovered XSSvulnerabilities for the latest version of Wordpress (2.2.1) was postedtoday on a security blog.

The researcher unveiled seven vulnerabilities, cross-site scripting(XSS) or SQL injections, whose consequences range from benign toserious, the critical ones potentially leading to blog compromising. Inhis haste to show his skills, this person also released aproof-of-concept (PoC) code exploiting one of these vulnerabilities.

The PoC in itself, as explained, is supposedly not malicious, and isdesigned to raise awareness and patch vulnerable versions of theWordPress publishing platform. In a few words, here’s how it works:

  • A WordPress administrator browses the “Comments manager” in the administration panel
  • She clicks a link, which redirects to the PoC author’s Web page.This page checks the referrer, to see whether it might originate from alogged-on WordPress administrator (the URL would contain...
Masaki Suenaga | 30 Jul 2007 07:00:00 GMT | 0 comments

Some file formats are more vulnerable toexploits than others. Document and spreadsheet programs, for example,are often exploited, possibly as much because of their prevalence ondesktops as from any other reason. That said, updating them is ofteneasier precisely because of their widespread use, since updates areoften automatic or are otherwise easily obtained.

Less pervasive programs, though, are often harder to keep current. Aprime example of this is the archive format, with extensions such as.zip, .rar, etc. There are a wide number of different programsavailable for different platforms; more importantly, they havehistorically been quite vulnerable to exploits.

When security vendors discuss a newly-identified vulnerability in aprogram, there is always the hope that users have the latest version orthat they will quickly upgrade. As we all know, though, the reality isquite different. Even at the enterprise level, employees of any givencompany are often using...

Darren Kemp | 23 Jul 2007 07:00:00 GMT | 0 comments

Attacks targeting vulnerabilities in the Java Runtime Environmentare anything but new. Several researchers have previously visited thistopic and the results have been some fantastic research. However, inrecent weeks the DeepSight Threat Analyst Team has been investigatingseveral Java issues resulting from a notable increase invulnerabilities reported affecting the Java Runtime Environment and itsassociated components.

The threat landscape has seen a dramatic increase in attackstargeting client-side vulnerabilities in recent years. Vulnerabilitieshave been exposed in a variety of applications including media players,Web browsers, ActiveX controls and mail clients, to name just a few.The ubiquitous nature of the Java Runtime Environment makes it a primecandidate for attackers. With this in mind, it is not surprising to seemuch of the preliminary research into exploitation of environments likethe Java Virtual Machine manifest itself both in recently disclosedvulnerabilities...

Liam O Murchu | 20 Jul 2007 07:00:00 GMT | 0 comments

There have been lot of rumours and discussions about the recent Adobe Flash Player Remote Code Execution vulnerability.The most interesting thing is that it is a cross-platformvulnerability. Due to the fact that Flash can run in different browsersand on many different platforms, the discovery of this onevulnerability could leave all those operating systems and devices thatare Flash-enabled open (e.g., including some advanced smartphones) tothe attack.

The vulnerability has already been tested on Windows, Apple Mac, andsome Linux distributions, but many other devices that are Flash-enabledcould be affected by the problem too. For example, we verified that theNintendo Wii gaming console is also affected. Wii has an Internetchannel that runs a special version of the Opera browser with Flash,and yes… we verified that it is affected by the problem too! The Wiiconsole completely hangs while...

Jim Hoagland | 10 Jul 2007 07:00:00 GMT | 0 comments

Symantec Security Advisory SYMSA-2007-005[1]is now available. This covers a Teredo-related vulnerability in theVista version of Windows Firewall (BID 24779, CVE-2007-3038). (To beclear, this vulnerability is not connected to any of the nine Vistaissues I discussed in my last blog[2].)

Last fall, when Ollie Whitehouse[3] was analyzing whatTCP ports were open over a Teredo interface in a freshly installedWindows Vista RC2, he discovered that port 5357 was open over Teredo.We thought this odd since there is no functional reason this port,which corresponds to Web Services on Devices (WSD)[4], should beremotely accessible. When the release version of Vista becameavailable, we verified that this port was still open. (Details on...

Eric Chien | 05 Jul 2007 07:00:00 GMT | 0 comments

The MPack toolkit has received a fair amount of media attention causing it to become oneof the most desired Web browser exploit toolkits in the undergroundhacker scene. The original author was selling the MPack toolkit for$1000 USD, including a year of free support, and additional exploitmodules for around $100 USD.

However, considering the toolkit is written in a script language, itis easy to redistribute and modify. The toolkit is being sold by othersnow for as low as $150 USD. That is a whopping 85% off. Talk aboutclearance sale. The sellers likely didn't even need to buy itthemselves, but rather probably found some of the multiple Web sitesthat did not employ standard Web site protections, allowing them todownload the whole kit for free.

With the toolkit available in the underground scene and evenavailable to almost anyone for a mere...

Nicolas Falliere | 25 Jun 2007 07:00:00 GMT | 0 comments

Though the discovery of Microsoft Officezero-day exploits has dropped dramatically in the last six months, newfile format exploits are still being discovered (and exploited)regularly. After .zip and .rar file exploits, the latest archive formatvulnerability affects the Lhaca archiver and its LZH compressionsupport. While not very well known in the US and Europe, Lhaca appearsto be a popular archive tool in Japan, as is the compression format LZH.

On Friday, June 22nd, one of our Japanese customers submitted an.lzh file. The file in question, after quick analysis, raised immediatesuspicion. It contained several NOP-sleds, shell code-like code blocks,decryptors, and an encoded executable in the archive itself! All theingredients required by file format exploit recipes. The difficulty inthis case is finding the application that could be vulnerable. Cheersto Masaki Suenaga in Security Response, Japan for doing the initialanalysis and finding out that...

Amado Hidalgo | 21 Jun 2007 07:00:00 GMT | 0 comments

In the past few days, much has been written about MPack and the mass hacking of legitimate web sitesby inserting hidden iframes. These iframes had the purpose ofredirecting web surfers to malicious sites, which served exploits andeventually infected the computer of the unsuspected visitors.

We have created a little movie to help you understand the wholeprocess. So without further ado, Symantec Security Response presents… MPack, The...

Pukhraj Singh | 21 Jun 2007 07:00:00 GMT | 0 comments

Recently, a DeepSight honeypot was compromised by a rogue Web site that served a variety of malicious scripts to users. From the dozens of Web sites that we investigate everyday, what makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426).This exploit appears to be a derivation of the publicly available exploit released at milw0rm.com. The vulnerability lies in the way two COM objects in the Speech API 4, namely Windows DirectSpeechSynthesisModule (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE ) and DirectSpeechRecognition Module (XListen.dll,4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. The malicious attacker can instantiate these COM objects via Internet Explorer, and pass overly long arguments to certain routines....