Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Microsoft Patch Tuesday - October 2011
Robert Keith | 11 Oct 2011 21:26:32 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch release. This is an average month — the vendor is releasing 8 bulletins covering a total of 23 vulnerabilities.

Nine of the issues are rated ‘Critical’ and they affect Internet Explorer, .NET, and Silverlight. The remaining issues are rated ‘Important’ and affect Windows, the kernel, Forefront Unified Access Gateway, and Host Integration Server. Of note this month: all Internet Explorer issues being patched are rated ‘Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all...
Read more
Microsoft Patch Tuesday - September 2011
Robert Keith | 13 Sep 2011 20:02:22 GMT | 0 comments

Hello and welcome to this month’s blog regarding the Microsoft patch release. This is a smaller month in terms of patches—the vendor has released five bulletins covering a total of 15 vulnerabilities.

This month, all of the issues are rated “Important” and they affect Windows, Office, Excel, and SharePoint. Of note this month are the Office and Excel issues, which can be exploited to execute arbitrary code if a user opens a specially malformed file.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of...

Read more
Microsoft Patch Tuesday - July 2011
Robert Keith | 12 Jul 2011 20:34:50 GMT | 0 comments

Hello and welcome to this month’s blog on Microsoft’s patch releases. This is an average month—the vendor is releasing four bulletins covering a total of 22 vulnerabilities.

Only one of the issues is rated ‘Critical’ and it affects the Microsoft Bluetooth Stack. An attacker in physical proximity to a vulnerable computer can exploit this issue for a complete compromise. The remaining issues, all rated “Important,” include a patch for a previously public issue in Microsoft Visio, and multiple local issues in the Client/Server Runtime Subsystem (CSRSS) and Windows kernel-mode drivers.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity....

Read more
A Malware Anniversary to Remember
Liam O Murchu | 11 Jul 2011 14:15:33 GMT | 0 comments

Once in a while, a piece of malware will come along that grabs headlines. Rarer is malware that is talked about around the water cooler (at places other than Symantec). But the rarest of all is malware that actually makes history. It is for just such a piece of malware that we observe the one year anniversary this month.

Roughly around this time one year ago, a Belarusian computer security company reported finding malicious code designed to exploit a new Microsoft Windows vulnerability, dubbed the .LNK vulnerability. Little did they know this malware would change the world.

The fact that the malware exploited a zero-day vulnerability is significant, but certainly not history making. So, what made this malware so special? After the initial discovery, Symantec’s in-depth analysis of this particular malware ensued. Thousands of man hours analyzing 500 kilobytes of code later, the .LNK vulnerability was shown to be just the tip of the iceberg, and a very dangerous...

Read more
Inside a Back Door Attack
John McDonald | 29 Jun 2011 11:21:58 GMT | 0 comments

A colleague of mine recently wrote about one of the June “Microsoft Tuesday” vulnerabilities being exploited in the wild. Because we're a bit like that, we decided to allow the exploit to compromise one of our honeypot computers so we could observe what happened.

The exploit first came to our attention by way of email messages that were initially sent to a customer and then passed on to us for investigation. These messages were sent from an account hosted on a popular webmail service, contained very bad grammar, and were purportedly sent by a Chinese university student. The emails either asked for advice on a particular topic, or thanked the recipient for a recent presentation and included a question related to that presentation. The emails included a link to a Chinese restaurant and the destination Web page contained the exploit for an Internet Explorer 8 vulnerability:...

Read more
A Retrospective "TOuR" of Backdoor.Bifrose
Cathal Mullaney | 20 Jun 2011 18:05:30 GMT | 0 comments

Backdoor.Bifrose first came to our attention in 2004. It is a remote administration backdoor tool that allows unauthorized access to a compromised computer. Once installed, the malware has a range of capabilities, including:  running processes, opening windows, opening a remote shell, stealing system information (such as passwords, and video game serial numbers), generating screen captures, and capturing video from a webcam, among other functionality. While Bifrose has been analyzed in the past, one of the more interesting features of the Trojan has been neglected or overlooked in most write-ups and analysis of the malware: its optional use of the Tor network. Tor, from the overview on their site:

“Is a network of virtual...

Read more
Exploit for June MS Tuesday Vulnerability in the Wild
Joji Hamada | 17 Jun 2011 08:09:27 GMT | 0 comments

Symantec Security Response has confirmed that the Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Vulnerability is being exploited in the wild. The vulnerability affects Internet Explorer versions 6, 7, and 8; however, the exploit we have acquired seems to only affect version 8. Microsoft has already released patches as part of the MS Tuesday release on June 14, so Symantec advises all users to install the patch. So far, we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present.

We have been able to confirm the existence of one such attack that involves a compromised website hosting content for a neighborhood restaurant. It appears that a duplicate of the top page of the website was either hacked to...

Read more
Microsoft Patch Tuesday - June 2011
Robert Keith | 14 Jun 2011 22:11:25 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch release. This is fairly busy month —the vendor is releasing 16 bulletins covering a total of 34 vulnerabilities.
 
Fifteen of the issues are rated ‘Critical’ and they affect Internet Explorer, .NET, Windows kernel-mode drivers, OLE Automation, Distributed File System, SMB Client, and the Threat Management Gateway Firewall. A remote attacker may be able to exploit these issues to execute arbitrary code; this may aid in a user-level and/or possibly a complete compromise of a vulnerable computer.

 As always, customers are advised to follow these security best practices:
 

  • Install vendor patches as soon as they are available;
  • Run all software with the least privileges required while still maintaining functionality;
  • Avoid handling files from unknown or questionable sources;
  • Never visit sites of unknown or questionable...
Read more
Backdoor.Tidserv and x64
Mircea Ciubotariu | 06 May 2011 07:21:10 GMT | 0 comments

On April 12, 2011, KB2506014 was released to address a vulnerability affecting Windows Vista and later operating systems running on the AMD64 platform. Malware was exploiting the vulnerability to load unsigned drivers and stay resident in kernel mode.

Backdoor.Tidserv (a.k.a. TDL4) is one such threat that is patching operating systems’ loader files on-the-fly in order to ensure that its advanced rootkit capabilities work. As may be expected, Tidserv attempted to work around the KB2506014 patch, as noted in the following code snippets taken from the ldr16 entry of the threat’s encrypted file system:


 
Here, the hooked int13 (the 16-bit disk operations interrupt) attempts to identify the moment when the operating...

Read more
Vulnerabilities Abound in 2010
David McKinney | 06 Apr 2011 07:00:20 GMT | 0 comments

Volume 16 of the Symantec Internet Security Threat Report covers trends in the Internet security threat landscape during 2010. It has been an interesting year, to say the least. We saw vulnerabilities implicated in major events such as the Trojan.Hydraq Incident, the Stuxnet attacks, and numerous zero-day attacks.

Here are some highlights:

-          In terms of the sheer number of new vulnerabilities discovered, 2010 was a record year. At the time of writing, we documented 6,253 new vulnerabilities over the year.

-          The rise in vulnerabilities was influenced by an increase in the number of new vendors that were affected by vulnerabilities in 2010. In 2010, Symantec documented 1,914 new vendors that were impacted by vulnerabilities, compared to 734 new vendors in 2009.

-    ...

Read more