Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Ollie Whitehouse | 30 Dec 2006 08:00:00 GMT | 0 comments

Collin Mulliner gave an updated version of his presentation at 23C3 in Berlin titled ‘Advanced Attacks Against PocketPC Phones’ (we originally blogged about it in August). As I previouslymentioned, one of the vulnerabilities he discussed had, to myknowledge, still not been patched. Well Collin confirmed this in hispresentation and also released a working exploit for the...

Vincent Weafer | 28 Dec 2006 08:00:00 GMT | 0 comments

The two most common questions I hear around this time of year are:what do you think the biggest trend of the year was and what do youthink the biggest threat next year will be. After outlining a year in review, let’s spend a little time on what we may expect to see in the next 12 months.

Obviously, the debut of a new operating system brings with it newfeatures for both the research community and malicious code authors toscrutinize. It’s simple to expect that we’ll see new attack attempts onMicrosoft Vista. What’s more interesting are trends we’re likely to seethat don’t even touch the physical hard drive of a computer. Web 2.0technologies have already begun to capture attacker interest andmotivation. As adoption continues to grow and dependence on these Webapplications increases, the impact and frequency of these issues willrise.

Consider the...

John McDonald | 22 Dec 2006 08:00:00 GMT | 0 comments

A vulnerability has been discovered in theway the Windows Client/Server Runtime Server Subsystem (CSRSS)processes a type of system message referred to as the HardErrormessage, reportedly allowing a logged on user to execute arbitrary codein the CSRSS.EXE process and elevate their privileges to SYSTEM level.The vulnerable code is present in the new Vista operating system, aswell as Windows 2000, XP and 2003.

When certain events occur within the operating system, a HardErrormessage is sent to CSRSS containing the caption and text of a messagebox to be displayed in order to notify the user of a critical systemerror. The HardError message is handled by a function in WINSRV.DLLwhich returns pointers to the caption and text of the message box. Ifthe caption or text parameters are prefixed with certain characters,the function erroneously frees the buffer holding the text and returnsa pointer to freed memory. After the message box is closed by the user,the same buffer is then...

Robert Keith | 20 Dec 2006 08:00:00 GMT | 0 comments

December 9, 2006, marks the day when long standing contributor to the PHP Security Response Team, Stefan Esser, retired.He has stated a few reasons for this latest move, primarily focusing on(in his opinion) the lack of response from his fellow colleagues and anextended delay in the patching of known vulnerabilities. Possiblyanother example of how some individuals or groups may choose to view “responsible disclosure.”

Over the years, SecurityFocus has reported on multiple vulnerabilities affecting PHP, such as BIDs 20879 (PHP HTMLEntities HTMLSpecialChars Buffer Overflow Vulnerabilities), 19582 (PHP Multiple Input...

Amado Hidalgo | 14 Dec 2006 08:00:00 GMT | 0 comments

I’d like to try and clarify the confusionthat has surrounded the publishing and reporting of three MicrosoftWord vulnerabilities in the last few days. The bad news is that thereare actually three different vulnerabilities in the wild. Inchronological order, this is the breakdown of these threevulnerabilities.

Vulnerability #1
BID 21451: Microsoft Word Unspecified Remote Code Execution Vulnerability (CVE-2006-5994).
This vulnerability was first reported by Microsoft on December 6 via their Security Advisory 929433. Symantec Security Response created a heuristic detection (Bloodhound.Exploit.106) for this vulnerability that yielded some...

Amado Hidalgo | 13 Dec 2006 08:00:00 GMT | 0 comments

MS Word is under scrutiny again this month.We have some new and interesting details about the vulnerabilityreported by Microsoft on December 5 (referenced by CVE-2006-5994). Thestory shows how the road from a simple bug to a working exploit isshort and sometimes unpredictable.

This morning we analyzed some new samples that had been detected as Bloodhound.Exploit.106, which is a new heuristic detection released yesterday for the Microsoft Word zero-day vulnerability (described in Microsoft Security Advisory 929433). Among the submissions received from our customers we found a Word file that turned out to be a little gem.

We found a malicious Word document that was written in Portuguese and added detection for it as...

Ben Greenbaum | 12 Dec 2006 08:00:00 GMT | 0 comments

All aboard! Welcome to another ride on themonthly Microsoft patch train. We’ve got quite a few stops this monthand most are client-side vulnerabilities, meaning that an end user hasto take specific actions (typically by obtaining and then openinghostile content). Unless otherwise stated, the privilege granted to theattacker for all of the below vulnerabilities is the privilege level ofthe victim user. Most were publicly disclosed for the first time today,but the exceptions are noted. They are listed below in the order ofmost to least critical for the fabled “typical” network.

Vulnerability in SNMP Could Allow Remote Code Execution MS06-074 / KB926247

This vulnerability seems almost old-fashioned in the modern securitylandscape – a common buffer overflow...

Symantec Security Response | 11 Dec 2006 08:00:00 GMT | 0 comments

Microsoft have announced they are investigating yet another zero-dayvulnerability, apparently unrelated to the December 5 MicrosoftSecurity Advisory 929433. According to their investigations, Word 2000,Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word2007 is not affected by the vulnerability. They also report that thevulnerability is being exploited on a very limited and targeted basis.Symantec Security Response is monitoring the situation and will respondappropriately once further information is available. As always,standard best practices apply in this situation and caution should beexercised when dealing with unsolicited attachments from both unknownsources, as well as from trusted sources.

Chintan Trivedi | 07 Dec 2006 08:00:00 GMT | 0 comments

"A browser" – that’s all we were led tobelieve the next generation would need to create office applications orengineering applications. Now, the focus on security has begun todivert in that direction. Statistics from the first half of 2006 showedthat 69 percent of exploitable vulnerabilities were from Webapplications. Web application vulnerabilities usually get mixed up withserver vulnerabilities, although the two are distinctly different. Webdevelopers who design Web sites are not usually security gurus. Thedevelopers will often leave behind various security holes in the Webapplication because of bad coding practices and a lack of securityreviews.

On one hand, there are many security experts around the world whofuzz Web servers with variations in order find another zero-day. Theend result is that the gap between popular Web servers and exploitablevulnerabilities within them is increasing. It has been a long timesince we have seen a completely exploitable security...

Symantec Security Response | 06 Dec 2006 08:00:00 GMT | 0 comments

On December 5, 2006, Microsoft announcedthey were investigating reports of the exploitation of a zero-dayvulnerability in Microsoft Word (described in Microsoft Security Advisory 929433).There is very little information available regarding the technicaldetails of this new vulnerability. Symantec Security Response ismonitoring the situation and will respond appropriately once furtherinformation is known.

At this time, Security Response has seen various malware binarieswhich may be related to the limited reports noted by Microsoft. Thesefiles are detected as "Downloader" by LiveUpdate virus definitions,version 12/6/2006 rev. 16. At least one known downloaded file isdetected as Backdoor.HackDefender, using Rapid Release virusdefinitions, version 12/6/2006 rev. 25.

The standard best practices apply in this situation and as such,caution should be exercised when...