Video Screencast Help
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Liam O Murchu | 20 Jul 2007 07:00:00 GMT | 0 comments

There have been lot of rumours and discussions about the recent Adobe Flash Player Remote Code Execution vulnerability.The most interesting thing is that it is a cross-platformvulnerability. Due to the fact that Flash can run in different browsersand on many different platforms, the discovery of this onevulnerability could leave all those operating systems and devices thatare Flash-enabled open (e.g., including some advanced smartphones) tothe attack.

The vulnerability has already been tested on Windows, Apple Mac, andsome Linux distributions, but many other devices that are Flash-enabledcould be affected by the problem too. For example, we verified that theNintendo Wii gaming console is also affected. Wii has an Internetchannel that runs a special version of the Opera browser with Flash,and yes… we verified that it is affected by the problem too! The Wiiconsole completely hangs while...

Jim Hoagland | 10 Jul 2007 07:00:00 GMT | 0 comments

Symantec Security Advisory SYMSA-2007-005[1]is now available. This covers a Teredo-related vulnerability in theVista version of Windows Firewall (BID 24779, CVE-2007-3038). (To beclear, this vulnerability is not connected to any of the nine Vistaissues I discussed in my last blog[2].)

Last fall, when Ollie Whitehouse[3] was analyzing whatTCP ports were open over a Teredo interface in a freshly installedWindows Vista RC2, he discovered that port 5357 was open over Teredo.We thought this odd since there is no functional reason this port,which corresponds to Web Services on Devices (WSD)[4], should beremotely accessible. When the release version of Vista becameavailable, we verified that this port was still open. (Details on...

Eric Chien | 05 Jul 2007 07:00:00 GMT | 0 comments

The MPack toolkit has received a fair amount of media attention causing it to become oneof the most desired Web browser exploit toolkits in the undergroundhacker scene. The original author was selling the MPack toolkit for$1000 USD, including a year of free support, and additional exploitmodules for around $100 USD.

However, considering the toolkit is written in a script language, itis easy to redistribute and modify. The toolkit is being sold by othersnow for as low as $150 USD. That is a whopping 85% off. Talk aboutclearance sale. The sellers likely didn't even need to buy itthemselves, but rather probably found some of the multiple Web sitesthat did not employ standard Web site protections, allowing them todownload the whole kit for free.

With the toolkit available in the underground scene and evenavailable to almost anyone for a mere...

Nicolas Falliere | 25 Jun 2007 07:00:00 GMT | 0 comments

Though the discovery of Microsoft Officezero-day exploits has dropped dramatically in the last six months, newfile format exploits are still being discovered (and exploited)regularly. After .zip and .rar file exploits, the latest archive formatvulnerability affects the Lhaca archiver and its LZH compressionsupport. While not very well known in the US and Europe, Lhaca appearsto be a popular archive tool in Japan, as is the compression format LZH.

On Friday, June 22nd, one of our Japanese customers submitted an.lzh file. The file in question, after quick analysis, raised immediatesuspicion. It contained several NOP-sleds, shell code-like code blocks,decryptors, and an encoded executable in the archive itself! All theingredients required by file format exploit recipes. The difficulty inthis case is finding the application that could be vulnerable. Cheersto Masaki Suenaga in Security Response, Japan for doing the initialanalysis and finding out that...

Amado Hidalgo | 21 Jun 2007 07:00:00 GMT | 0 comments

In the past few days, much has been written about MPack and the mass hacking of legitimate web sitesby inserting hidden iframes. These iframes had the purpose ofredirecting web surfers to malicious sites, which served exploits andeventually infected the computer of the unsuspected visitors.

We have created a little movie to help you understand the wholeprocess. So without further ado, Symantec Security Response presents… MPack, The...

Pukhraj Singh | 21 Jun 2007 07:00:00 GMT | 0 comments

Recently, a DeepSight honeypot was compromised by a rogue Web site that served a variety of malicious scripts to users. From the dozens of Web sites that we investigate everyday, what makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426).This exploit appears to be a derivation of the publicly available exploit released at The vulnerability lies in the way two COM objects in the Speech API 4, namely Windows DirectSpeechSynthesisModule (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE ) and DirectSpeechRecognition Module (XListen.dll,4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. The malicious attacker can instantiate these COM objects via Internet Explorer, and pass overly long arguments to certain routines....

Amado Hidalgo | 19 Jun 2007 07:00:00 GMT | 0 comments

You always thought that by staying clear ofthe dark alleys of the Internet and visiting only “reputable” websites,you would be safe from attacks and dubious content. I am afraid that isnot enough. My colleagues Elia Florio and Hon Lau reported recently (here and here)about legitimate sites that had been compromised to include a maliciousIFRAME that, without your knowledge, redirects you to a site servingexploits.

As Elia mentioned, thousands of sites (mostly Italian, but withseveral other nationalities included) were compromised. We were puzzledas to how the MPack gang had managed to hack so many sites in a shortperiod of time, and how they could inject the malicious iframe soquickly.

The MPack gang...

Elia Florio | 18 Jun 2007 07:00:00 GMT | 0 comments

When SkyLined released in 2004 one of the first proof-of-conceptexploits introducing the “Heap Spraying” technique, he commented [1]his code in this way:

“The JavaScript creates a large amount of heap-blocksfilled with 0x0D byte nopslides followed by the shellcode. This is tomake sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thingin the world but it works like a charm for most IE bugs.”

Well, it was not the most efficient thing in the world, but it hasbeen proven to work so well that it actually is the mostcopied-and-pasted piece of code used to exploit many of the InternetExplorer vulnerabilities discovered since 2004.
So, I was surprised to come across an exploit in the wild that uses adifferent heap manipulation technique. The malicious code was hosted ona Russian domain (hxxp://crun[REMOVED].info) and was part of one of thetypical web attacker toolkits developed by Eastern European gangs. Thecode exploited...

Eric Chien | 15 Jun 2007 07:00:00 GMT | 0 comments

Just hours after Apple released Safari for Windows and I wrote about the potential for associated exploits, multiple exploits have been released. This currently includes:

Apple Safari for Windows Protocol Handler Command Injection Vulnerability (BID 24434)
Apple Safari for Windows Unspecified Denial of Service Vulnerability (BID 24431)
Apple Safari for Windows Unspecified Remote Code Execution and Denial of Service Vulnerabilities (BID 24433)

Details on the first one have already been released publicly and theother two have been reportedly disclosed to Apple. We have not...

Elia Florio | 15 Jun 2007 07:00:00 GMT | 0 comments

We verified a report of a large-scale web attack on going in Italy at the moment. The attack is similar to what we described in our previous blog; it just uses a new different final domain which runs the hostile exploits of Mpack 0.86 kit.

The gang behind the attack had successfully compromised the homepagesof hundreds of legitimate Italian websites. We checked many of them andwe verified that they include now a malicious IFRAME (detected asTrojan.Mpkit!html) which redirects to the same bad IP address. The listof compromised sites is huge and from Mpack statistics this attack isworking efficiently (the...