Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Symantec Security Response | 29 Sep 2006 07:00:00 GMT | 0 comments

Update: On September 30,2006, Symantec Security Response received reports that theWebViewFolderIcon ActiveX control vulnerability is being activelyexploited in the wild.

Shortly following the out-of-band patch for the VML vulnerabilityearlier this week, Microsoft is releasing yet another out-of bandadvisory. The latest advisory, released today (September 29, 2006),addresses an ActiveX vulnerability in Microsoft Windows.

The vulnerability is a buffer overflow in the MicrosoftWebViewFolderIcon ActiveX control, which, if successfully exploited,will allow an attacker to perform remote code execution on the victimmachine. Failed attempts would likely result in browser crashes.Proof-of-concept exploit code is available publicly.

In order to carry out an attack, the attacker would need to employsome form of social engineering (such as emails, instant messages, orbanner ads) and try to convince potential victims to click on linksthat would lead...

Hon Lau | 28 Sep 2006 07:00:00 GMT | 0 comments

This year will probably go down in historyas the year of Microsoft Office vulnerabilities. Never before have weseen such a high level of activity around the discovery andexploitation of vulnerabilities in the Microsoft Office applicationsuite. Ever since the uncovering of a series of vulnerabilities acrossthe range of Microsoft Office applications in early March of this year,we have seen a considerable pickup in activity. We have been receivinga steady stream of new malicious code that uses zero-day exploits forone or more of the applications that make up this suite. Just toreinforce this point, on September 27, 2006, we received samples of newmalware that uses yet another Microsoft PowerPoint zero-dayvulnerability. We have added detection for this new Trojan as Trojan.PPDropper.F.

“Why the sudden interest in Office applications?” some might ask.Well...

Amado Hidalgo | 20 Sep 2006 07:00:00 GMT | 0 comments

The trend of new exploits being releasedimmediately after Microsoft's Patch Tuesday is continuing (we arestarting to call it "exploit week"). Symantec Security Response haveconfirmed a new Internet Explorer zero-day vulnerability today. It wasfirst reported by Sunbelt Software. Security Response is rating it as critical because an exploit for this vulnerability is already in-the-wild.

Wehave confirmed that this exploit takes advantage of a bug in VML(vector markup language, which is an XML language used to producevector graphics) to overflow a buffer and inject shell code. Theexploit then downloads and installs multiple security risks, such as spyware, on the compromised machine.

An interesting feature of the Web sites hosting themalicious...

Symantec Security Response | 19 Sep 2006 07:00:00 GMT | 0 comments

Symantec Security Response is aware of anexploit currently running in the wild on a vulnerability in MicrosoftPowerPoint. The exploit targets Chinese language versions of Office2000 running on Chinese language versions of Windows XP. Thus far, thisattack is not widespread and there is no reason to believe it willbecome more prevalent, based on our experience with similar attacksthis year. This is a continuation of the trend (which we have beentracking throughout this year) toward exploiting vulnerabilities inMicrosoft Office applications in order to install malware—mainlyTrojans.

It is not currently known if other languages or versions areaffected by the underlying vulnerability. Symantec has releasedantivirus definitions that detect this threat as Trojan.PPDropper. Allof the normal advice applies here (i.e., don't open attachments frompeople you don't know or are not expecting them from and keep yourantivirus and security solutions up to date).


Symantec Security Response | 14 Sep 2006 07:00:00 GMT | 0 comments

Just days after Microsoft's September PatchTuesday announcement, Security Response has confirmed that there is anew Internet Explorer zero-day vulnerability. Because this is anunpatched vulnerability with proof-of-concept exploit code available,Symantec Security Response is considering this to be rated as"critical". The vulnerability itself was announced by XSec.

Uponfurther analysis, we have determined that the vulnerability is, infact, a buffer overflow related to how Internet Explorer tries toinstantiate a certain DirectionAnimation COM object as an ActiveXcontrol. At this point, we believe that successful exploitation of thisvulnerabilitiy may allow an attacker to execute remote code on thecompromised system.

There is no patch available from Microsoft for this particularzero-day exploit, as of yet. In order to provide proactive protectionto our customers against malicious attacks that attempt to leverage thevulnerability, Symantec Security Response is...

Hon Lau | 03 Sep 2006 07:00:00 GMT | 0 comments

In recent months there has been a lot ofactivity around the discovery and exploitation of vulnerabilities inthe Microsoft Office 2003 suite of applications. This activity led tothe discovery of a large number of vulnerabilities in Microsoft Word,PowerPoint, and Excel; many of which were incorporated into newTrojans, such as the Trojan.PPDropper and Trojan.MDropper families. Asa result, Microsoft has spent a fair amount time and effort in patchingsecurity vulnerabilities in its Office 2003 suite.

In thepast couple of days, we have seen samples of a Trojan that exploits apreviously unknown vulnerability in Microsoft's Office applications.This time, it is in Microsoft Word 2000 running on Windows 2000. ThisTrojan (detected by Symantec products as Trojan.MDropper.Q)takes advantage of the vulnerability to drop another file onto thetarget computer....

Eric Chien | 24 Aug 2006 07:00:00 GMT | 0 comments

Over the last few weeks we've been trackingattacks coming from These attacks have actually beenhappening for a few months now, but the number of reports has recentlyescalated. In particular, a variety of Italian blogs and message boardshave been spammed with links to hundreds of different URLs over thelast week. These URLs all eventually point to and after anextensive trail of code downloading other code, one ends up infectedwith LinkOptimizer, which dials a high-cost phone number and then displays advertisements when browsing the Internet.

Whenyou visit one of these malicious links, it eventually loads a page that determines which browser you are using. If you areusing Internet Explorer, it attempts to exploit a Internet Explorervulnerability. The exploit has changed over time, but is currently...

Eric Chien | 23 Aug 2006 07:00:00 GMT | 0 comments

We've been watching Wargbot for the past week to monitor its activities. As noted in our previous blog entry, Wargbot was being used to send spam. I wanted to provide some statistics and anecdotes on Wargbot's activities.

As part of our standard intelligence gathering, we monitor a varietyof botnets. Usually, these botnets don't stay up too long because ISPsrespond to our shutdown notices, but servers related to Wargbot havebeen up for a week already and have been quite active. In particular,Wargbot downloads Backdoor.Ranky, which converts the infected machineinto a proxy for spam. Since the spam started coming through, we'veseen tens of thousands of spam messages being pumped through ourhoneypot; we actually take all of these spam messages and redirect themto the Symantec Email Security Group. The Email Security Group thenverifies that...

Symantec Security Response | 22 Aug 2006 07:00:00 GMT | 0 comments

Over the last few days there's been a lotof buzz about whether or not there is a new zero-day vulnerability inthe Microsoft PowerPoint application being exploited. Some peoplethought that the exploit was a spin-off from the recently announcedPowerPoint vulnerability in MS06-048 (in August). However, whatSymantec Security Response has determined is that the exploit is infact based on Microsoft Office vulnerabilities disclosed in MS06-012,which was announced back in March of this year.

Uponanalysis of samples related to this particular exploit in question, wediscovered that it is related to Trojan.PPDropper, which we've haddetection for since August 17, 2006. This file then drops a downloaderthat will download Keylogger.Trojan from two separate addresses (we'vehad detection for the downloader and Keylogger.Trojan since August 12,2006).

Symantec has also determined that the exploit occurs just as youclose a PowerPoint document, which is typical of MS06-012 exploits...

John Canavan | 16 Aug 2006 07:00:00 GMT | 0 comments

In recent months, we have seen a number of zero-day Microsoft Officeexploits used to drop Trojan horses on affected systems. The release ofthe exploits had been timed so that when Microsoft released theirpatches, a zero-day exploit surfaced the next day. The timing of thesereleases was noted by Symantec Security Response and it was speculatedthat the people behind these exploits had discovered multiplevulnerabilities in Microsoft Office and were holding back on releasingthem, in order to maximize the time-to-patch for each of their finds.

Today,we have seen another targeted attack on a document editing suite;however, this time around it is Justsystem's Ichitaro. Ichitaro is aword processing program widely used in Japan.

The malicious document uses a unicode stack overflow to execute itscode on the system, dropping and executing a Trojan horse namedBackdoor.Papi. When run, Backdoor.Papi copies itself to the %system%directory, creates a service named CAPAPI, and drops...