Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Eric Chien | 09 Oct 2006 07:00:00 GMT | 0 comments

Over the weekend, the Google blog was hacked and someone made a fake post stating Google was discontinuing their Click-To-Call service. A few weeks ago, Randy Charles Morin's blog was reportedly hacked using a new unknown and unpatched exploit by Jason Schramm known as the Host Overflow Application eXception.

Now,some people are putting one and one together and assuming Google's blogwas hacked via the unpatched Host Overflow Application eXception. Theproblem? The Host Overflow Application eXception appears to be a HOAX(follow the capital letters). Jason followed up with a post to his blogwith a supposed patch. The patch itself...

Symantec Security Response | 29 Sep 2006 07:00:00 GMT | 0 comments

Update: On September 30,2006, Symantec Security Response received reports that theWebViewFolderIcon ActiveX control vulnerability is being activelyexploited in the wild.

Shortly following the out-of-band patch for the VML vulnerabilityearlier this week, Microsoft is releasing yet another out-of bandadvisory. The latest advisory, released today (September 29, 2006),addresses an ActiveX vulnerability in Microsoft Windows.

The vulnerability is a buffer overflow in the MicrosoftWebViewFolderIcon ActiveX control, which, if successfully exploited,will allow an attacker to perform remote code execution on the victimmachine. Failed attempts would likely result in browser crashes.Proof-of-concept exploit code is available publicly.

In order to carry out an attack, the attacker would need to employsome form of social engineering (such as emails, instant messages, orbanner ads) and try to convince potential victims to click on linksthat would lead...

Hon Lau | 28 Sep 2006 07:00:00 GMT | 0 comments

This year will probably go down in historyas the year of Microsoft Office vulnerabilities. Never before have weseen such a high level of activity around the discovery andexploitation of vulnerabilities in the Microsoft Office applicationsuite. Ever since the uncovering of a series of vulnerabilities acrossthe range of Microsoft Office applications in early March of this year,we have seen a considerable pickup in activity. We have been receivinga steady stream of new malicious code that uses zero-day exploits forone or more of the applications that make up this suite. Just toreinforce this point, on September 27, 2006, we received samples of newmalware that uses yet another Microsoft PowerPoint zero-dayvulnerability. We have added detection for this new Trojan as Trojan.PPDropper.F.

“Why the sudden interest in Office applications?” some might ask.Well...

Amado Hidalgo | 20 Sep 2006 07:00:00 GMT | 0 comments

The trend of new exploits being releasedimmediately after Microsoft's Patch Tuesday is continuing (we arestarting to call it "exploit week"). Symantec Security Response haveconfirmed a new Internet Explorer zero-day vulnerability today. It wasfirst reported by Sunbelt Software. Security Response is rating it as critical because an exploit for this vulnerability is already in-the-wild.

Wehave confirmed that this exploit takes advantage of a bug in VML(vector markup language, which is an XML language used to producevector graphics) to overflow a buffer and inject shell code. Theexploit then downloads and installs multiple security risks, such as spyware, on the compromised machine.

An interesting feature of the Web sites hosting themalicious...

Symantec Security Response | 19 Sep 2006 07:00:00 GMT | 0 comments

Symantec Security Response is aware of anexploit currently running in the wild on a vulnerability in MicrosoftPowerPoint. The exploit targets Chinese language versions of Office2000 running on Chinese language versions of Windows XP. Thus far, thisattack is not widespread and there is no reason to believe it willbecome more prevalent, based on our experience with similar attacksthis year. This is a continuation of the trend (which we have beentracking throughout this year) toward exploiting vulnerabilities inMicrosoft Office applications in order to install malware—mainlyTrojans.

It is not currently known if other languages or versions areaffected by the underlying vulnerability. Symantec has releasedantivirus definitions that detect this threat as Trojan.PPDropper. Allof the normal advice applies here (i.e., don't open attachments frompeople you don't know or are not expecting them from and keep yourantivirus and security solutions up to date).


Symantec Security Response | 14 Sep 2006 07:00:00 GMT | 0 comments

Just days after Microsoft's September PatchTuesday announcement, Security Response has confirmed that there is anew Internet Explorer zero-day vulnerability. Because this is anunpatched vulnerability with proof-of-concept exploit code available,Symantec Security Response is considering this to be rated as"critical". The vulnerability itself was announced by XSec.

Uponfurther analysis, we have determined that the vulnerability is, infact, a buffer overflow related to how Internet Explorer tries toinstantiate a certain DirectionAnimation COM object as an ActiveXcontrol. At this point, we believe that successful exploitation of thisvulnerabilitiy may allow an attacker to execute remote code on thecompromised system.

There is no patch available from Microsoft for this particularzero-day exploit, as of yet. In order to provide proactive protectionto our customers against malicious attacks that attempt to leverage thevulnerability, Symantec Security Response is...

Hon Lau | 03 Sep 2006 07:00:00 GMT | 0 comments

In recent months there has been a lot ofactivity around the discovery and exploitation of vulnerabilities inthe Microsoft Office 2003 suite of applications. This activity led tothe discovery of a large number of vulnerabilities in Microsoft Word,PowerPoint, and Excel; many of which were incorporated into newTrojans, such as the Trojan.PPDropper and Trojan.MDropper families. Asa result, Microsoft has spent a fair amount time and effort in patchingsecurity vulnerabilities in its Office 2003 suite.

In thepast couple of days, we have seen samples of a Trojan that exploits apreviously unknown vulnerability in Microsoft's Office applications.This time, it is in Microsoft Word 2000 running on Windows 2000. ThisTrojan (detected by Symantec products as Trojan.MDropper.Q)takes advantage of the vulnerability to drop another file onto thetarget computer....

Eric Chien | 24 Aug 2006 07:00:00 GMT | 0 comments

Over the last few weeks we've been trackingattacks coming from These attacks have actually beenhappening for a few months now, but the number of reports has recentlyescalated. In particular, a variety of Italian blogs and message boardshave been spammed with links to hundreds of different URLs over thelast week. These URLs all eventually point to and after anextensive trail of code downloading other code, one ends up infectedwith LinkOptimizer, which dials a high-cost phone number and then displays advertisements when browsing the Internet.

Whenyou visit one of these malicious links, it eventually loads a page that determines which browser you are using. If you areusing Internet Explorer, it attempts to exploit a Internet Explorervulnerability. The exploit has changed over time, but is currently...

Eric Chien | 23 Aug 2006 07:00:00 GMT | 0 comments

We've been watching Wargbot for the past week to monitor its activities. As noted in our previous blog entry, Wargbot was being used to send spam. I wanted to provide some statistics and anecdotes on Wargbot's activities.

As part of our standard intelligence gathering, we monitor a varietyof botnets. Usually, these botnets don't stay up too long because ISPsrespond to our shutdown notices, but servers related to Wargbot havebeen up for a week already and have been quite active. In particular,Wargbot downloads Backdoor.Ranky, which converts the infected machineinto a proxy for spam. Since the spam started coming through, we'veseen tens of thousands of spam messages being pumped through ourhoneypot; we actually take all of these spam messages and redirect themto the Symantec Email Security Group. The Email Security Group thenverifies that...

Symantec Security Response | 22 Aug 2006 07:00:00 GMT | 0 comments

Over the last few days there's been a lotof buzz about whether or not there is a new zero-day vulnerability inthe Microsoft PowerPoint application being exploited. Some peoplethought that the exploit was a spin-off from the recently announcedPowerPoint vulnerability in MS06-048 (in August). However, whatSymantec Security Response has determined is that the exploit is infact based on Microsoft Office vulnerabilities disclosed in MS06-012,which was announced back in March of this year.

Uponanalysis of samples related to this particular exploit in question, wediscovered that it is related to Trojan.PPDropper, which we've haddetection for since August 17, 2006. This file then drops a downloaderthat will download Keylogger.Trojan from two separate addresses (we'vehad detection for the downloader and Keylogger.Trojan since August 12,2006).

Symantec has also determined that the exploit occurs just as youclose a PowerPoint document, which is typical of MS06-012 exploits...