Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Pukhraj Singh | 21 Jun 2007 07:00:00 GMT | 0 comments

Recently, a DeepSight honeypot was compromised by a rogue Web site that served a variety of malicious scripts to users. From the dozens of Web sites that we investigate everyday, what makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426).This exploit appears to be a derivation of the publicly available exploit released at The vulnerability lies in the way two COM objects in the Speech API 4, namely Windows DirectSpeechSynthesisModule (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE ) and DirectSpeechRecognition Module (XListen.dll,4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. The malicious attacker can instantiate these COM objects via Internet Explorer, and pass overly long arguments to certain routines....

Amado Hidalgo | 19 Jun 2007 07:00:00 GMT | 0 comments

You always thought that by staying clear ofthe dark alleys of the Internet and visiting only “reputable” websites,you would be safe from attacks and dubious content. I am afraid that isnot enough. My colleagues Elia Florio and Hon Lau reported recently (here and here)about legitimate sites that had been compromised to include a maliciousIFRAME that, without your knowledge, redirects you to a site servingexploits.

As Elia mentioned, thousands of sites (mostly Italian, but withseveral other nationalities included) were compromised. We were puzzledas to how the MPack gang had managed to hack so many sites in a shortperiod of time, and how they could inject the malicious iframe soquickly.

The MPack gang...

Elia Florio | 18 Jun 2007 07:00:00 GMT | 0 comments

When SkyLined released in 2004 one of the first proof-of-conceptexploits introducing the “Heap Spraying” technique, he commented [1]his code in this way:

“The JavaScript creates a large amount of heap-blocksfilled with 0x0D byte nopslides followed by the shellcode. This is tomake sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thingin the world but it works like a charm for most IE bugs.”

Well, it was not the most efficient thing in the world, but it hasbeen proven to work so well that it actually is the mostcopied-and-pasted piece of code used to exploit many of the InternetExplorer vulnerabilities discovered since 2004.
So, I was surprised to come across an exploit in the wild that uses adifferent heap manipulation technique. The malicious code was hosted ona Russian domain (hxxp://crun[REMOVED].info) and was part of one of thetypical web attacker toolkits developed by Eastern European gangs. Thecode exploited...

Eric Chien | 15 Jun 2007 07:00:00 GMT | 0 comments

Just hours after Apple released Safari for Windows and I wrote about the potential for associated exploits, multiple exploits have been released. This currently includes:

Apple Safari for Windows Protocol Handler Command Injection Vulnerability (BID 24434)
Apple Safari for Windows Unspecified Denial of Service Vulnerability (BID 24431)
Apple Safari for Windows Unspecified Remote Code Execution and Denial of Service Vulnerabilities (BID 24433)

Details on the first one have already been released publicly and theother two have been reportedly disclosed to Apple. We have not...

Elia Florio | 15 Jun 2007 07:00:00 GMT | 0 comments

We verified a report of a large-scale web attack on going in Italy at the moment. The attack is similar to what we described in our previous blog; it just uses a new different final domain which runs the hostile exploits of Mpack 0.86 kit.

The gang behind the attack had successfully compromised the homepagesof hundreds of legitimate Italian websites. We checked many of them andwe verified that they include now a malicious IFRAME (detected asTrojan.Mpkit!html) which redirects to the same bad IP address. The listof compromised sites is huge and from Mpack statistics this attack isworking efficiently (the...

Greg Ahmad | 13 Jun 2007 07:00:00 GMT | 0 comments

On April 27, 2007, various Internet resources from the Republic of Estonia came under a series of DDOS or distributed denial of service attacks.According to claims by Estonian government officials and media, theattacks originated in Russia and followed a dispute between thegovernment and ethnic Russians over the relocation of a Soviet warmemorial from the Estonian capital of Tallinn. The attacks targetedwebsites belonging to government ministries, banks, media, politicalparties and businesses.

Though DDOS attacks against various networks have taken place onnumerous occasions in the past, the particularly interesting aspect ofthese attacks was that they appear to be...

Ben Greenbaum | 12 Jun 2007 07:00:00 GMT | 0 comments

Hello again... this month's update contains 6 advisories with atotal of 15 patched vulnerabilities. Major apps for this month wereonce again IE and Outlook/Windows Mail, coming in with 6 and 4 patchedvulnerabilities respectively. This month we also see updates forfile-based attack vectors against Visio, remotely exploitablevulnerabilities in both a dev library and a security package patched,and a fairly low profile information disclosure vulnerability in Vistadealt with.
As usual details are given below in order of descending urgency. Happypatching, and we'll be back for another round next month...

MS07-034; KB929123
Cumulative Security Update for Outlook Express and Windows Mail

This release addresses four issues in Windows Mail (vista) andOutlook...

Yazan Gable | 08 Jun 2007 07:00:00 GMT | 0 comments

A couple of extremely critical vulnerabilities were discovered anddisclosed in Yahoo! Messenger two days ago, on June 6th. Late lastnight and early this morning, exploits were released to take advantageof these issues. At the time of the release, Yahoo had not yet patchedthe issues, so Yahoo! Messenger users were at significant risk of beingattacked.

The two vulnerabilities are both buffer overflows in the ActiveXcontrol that handles Yahoo’s Webcam functionality [1][2]. Due to theexploits being released publicly, anyone can carry out an attack bypersuading a user into following a link to a malicious file.

Fortunately, Yahoo has released an update to their Yahoo! Messengerproduct to resolve this issue. The latest version of the software,version 8.1, is reportedly not vulnerable. Users should update as soonas possible to reduce their exposure to potential attacks.

[1] http://www....

Hon Lau | 27 May 2007 07:00:00 GMT | 0 comments

A nasty piece of malware was sent our way this weekend that we are detecting as Trojan.Mpkit!html and Downloader.This malware is yet another malware distribution and attack kit in thesame vein as other kits, such as WebAttacker. This kit, called MPack,is a professionally written collection of PHP software componentsdesigned to be hosted and run from a PHP server with a databasebackend. It is sold by a Russian gang and comes ready to install on aPHP server, and it also comes complete with a collection of exploitmodules to be used out of the box.

How it infects computers

Once the server is installed and running, all the owner has to do isto start generating some web browser traffic to it. They can do this byvarious...

Ron Bowes | 25 May 2007 07:00:00 GMT | 0 comments

The Internet is home to billions of computers, all of which performthe jobs they have been programmed to do. Each of these computers has ahard drive and RAM. It’s a rare case that either is completely full. Abillion computers, each with a couple spare megabytes, works out to afew terabytes in a very conservative estimate.

There are several ways that this space can be harnessed to varyingdegrees, depending on what the ultimate goal of an attacker is. A tinybit of RAM on a large number of computers can be used to store secretdata that an attacker wants to hide, while a lot of information can bestored on some servers at the risk of being found and removed.Harnessing this space is often referred to as "parasitic storage."

One parasitic storage technique, called "juggling," can be used forextremely sensitive or illegal information. The goal for the attackeris to ensure that the complete body of information is never on theircomputer all at once, but that part of it is...