Video Screencast Help
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Liam O Murchu | 08 May 2007 07:00:00 GMT | 0 comments

No, I’m not talking about typing 53704 intoyour calculator and turning it upside down! I’m referring to theincreasing popularity of inserting links to exploits into legitimateHTML pages in an attempt to infect users who visit the affected page,multiplying the effectiveness of the original infection. I’ll outlinebelow the steps used in one such attack that we recently received inour lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalcause similar techniques to the ones discussed here to automaticallyinfect asp, aspx, htm, html, php and jsp files residing on the infectedmachine in order to spread themselves further. Infostealer.Lingling wasalso distributed...

Ben Greenbaum | 08 May 2007 07:00:00 GMT | 0 comments

May proves to be a busy month for Windowsadministrators as we received information on no less than 21vulnerabilities being addressed in this month's 7 patches. If youhappen to be responsible for any DNS servers running on Server 2000,2003 Server or SBS, you will most likely want to skip to the last oneand work your way up. For the rest of us, we'll start with the IEissues and continue from there:

MS07-027; 931768 Cumulative Security Update for Internet Explorer
This is the seemingly monthly cumulative patch for IE issues. Sixdistinct issues are addressed in IE this month, as well as two issuesin third-party ActiveX controls. Note that these two are only mentionedas footnotes in the advisory and therefore do not have their ownUrgency Ratings from Microsoft...

Robert Keith | 03 May 2007 07:00:00 GMT | 0 comments

In a recent staff meeting, someone mentioned that one of ourcompetitors was trying to steal our customers. In this or any otherbusiness, that should not come as too much of a shock. However, thecompetitor’s critique seemed to focus on trivial, nit-picky thingsrather than on what makes our products and services really stand out inthe field.

My role as part of Symantec’s DeepSight Research Team is to scourthe Internet for information related to known and as-yet unpublishedvulnerabilities in software and hardware. The information comes frommany sources, including Bugtraq,Full-Disclosure, independent researchers, and of course directly fromvendors themselves. We correlate and document these pieces ofinformation, then publish them as BIDs (Bugtraq IDs) available in thepublic repository at Security Focus and distributed...

Nicolas Falliere | 27 Apr 2007 07:00:00 GMT | 0 comments

A few days ago, we received yet anothersubmission containing a strange Animated Cursor file. Thisvulnerability made quite some noise, and though we thought it washandled by now, this file was definitely not the usual ANI exploit…

An ANI file follows the RIFF standard, with a few exceptions. It isa collection of data chunks, all having the same format of "header |size | data". Therefore, spotting malicious files attempting to exploitthe vulnerability should be easy. But is it? For the human eye, it is.For a heuristic detection, in spite of what was said before, it is not.Despite the supposedly easy structure of the Animated Cursor file,Microsoft’s implementation of its parser is quite loose.

First, invalid chunks will get properly parsed. Though not affectingthe ANI file itself, such chunks should not be encountered in cursorfiles, but the ANI parser just allows and skips them. Fair enough, ourdetections can handle that as well. Attackers, after a few days of‘...

Peter Ferrie | 17 Apr 2007 07:00:00 GMT | 0 comments

A few days ago, a postto a vulnerability discussion mailing list included a demonstration ofa heap corruption in Windows .hlp files' "bm" section. .hlp files areWinHelp-format Help files, a primitive version of .chm, or CompiledHelp Module-format help files. The "bm" section, or the Bitmap-formatgraphics section, is the part of the .hlp file that contains graphics(icons, pictures, etc.). The poster had discovered the vulnerability byusing a fuzzer to insert random data into the file. However, it seemsthat he did not understand why this vulnerability works.

After digging into the issue, it appeared to me that the filetargets the same vulnerability that was last attacked in December of2004, the WinHelp Phrase Heap Overflow.However, after a careful review, I realized that this...

Shunichi Imano | 16 Apr 2007 07:00:00 GMT | 0 comments

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

We have seen an increase in activity over TCP port 1025 as a result ofW32.Rinbot.BC scanning the port in search of vulnerable computers.W32.Rinbot.BC is the first worm that exploits the Microsoft DNSvulnerability and the exploit code was only made public a few days ago.If you have not done so already, Symantec suggests that you block TCPport 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code...

Vikram Thakur | 14 Apr 2007 07:00:00 GMT | 0 comments

Right at the heel of Microsoft releasing its slew of patches, another vulnerability has been released. Microsoft didn't delay getting into action, releasing an advisoryfor it almost immediately. This time, the vulnerability lies within theDomain Name System (DNS) Server Service affecting the server line ofMicrosoft's operating systems. The vulnerability allows the attacker torun code remotely in the security context of DNS Server Service, whichby default is SYSTEM.

Symantec Security Response have analyzed a sample of the proof-of-concept code and have released Bloodhound.Exploit.136signatures to detect threats that utilize this vulnerability. Thisdetection is...

Hon Lau | 12 Apr 2007 07:00:00 GMT | 0 comments

Just in time to coincide with MicrosoftTuesday Patches, another new vulnerability is released to the world.This time the vulnerability was found in Windows Help (.hlp) files.This flaw enables an attacker to make use of a heap overflow in orderto achieve arbitrary code execution.

Symantec Security Response have analyzed a sample of the proof-of-concept code and have released the Bloodhound.Exploit.135 detection to proactively detect potential threats that utilize the vulnerability.

At this point we have not seen this vulnerability actively exploitedin the wild, but since there is no vendor-supplied patch available, wewould urge that users continue to remain vigilant, keep your securityproducts up to date, follow safe computing guidelines and...

David McKinney | 10 Apr 2007 07:00:00 GMT | 0 comments

Microsoft Patch Tuesday: April 2007

April was unique for Microsoft because it consisted of two MicrosoftTuesdays. Last week, we saw the release of patches for the .ANIzero-day vulnerability. This patch was consistent with Microsoft’spolicy of releasing out-of-band security patches (in other words,patches on days other than patch Tuesday) for vulnerabilities that areexperiencing widespread exploitation in the wild. From my experience,if the issue is significant enough to merit third-party patches fromDetermina, ZERT, etc., then in all likelihood Microsoft will do anout-of-band security patch release for the vulnerability.

Today Microsoft released an additional five security bulletins. Fourof the bulletins affect Microsoft Windows and the one affects MicrosoftContent Management Server.

• MS07-018 Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (KB925939)

This bulletin addresses two...

Joji Hamada | 07 Apr 2007 07:00:00 GMT | 0 comments

In Japan, April is the first month of the fiscal year and is alsothe time of year when large numbers of high school and collegegraduates join the workforce. These new hires usually go though intensetraining in the first few months at their respective companies beforebeing assigned to their new posts. Well, these companies had betterplan to quickly take them through a crash course on security inaddition to the normal training, because there is new targeted attackthat takes advantage of a zero-day vulnerability in Justsytem'sIchitaro, the word processing program most widely used in Japan.

The attack – a specially crafted Justsystem Ichitaro document employing the zero-day exploit, which Symantec detects as Trojan.Tarodrop.C,allows a Trojan horse to be dropped onto the target computer. Thedropped Trojan horse then takes over and drops a downloader Trojan...