Video Screencast Help
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Symantec Security Response | 14 Sep 2006 07:00:00 GMT | 0 comments

Just days after Microsoft's September PatchTuesday announcement, Security Response has confirmed that there is anew Internet Explorer zero-day vulnerability. Because this is anunpatched vulnerability with proof-of-concept exploit code available,Symantec Security Response is considering this to be rated as"critical". The vulnerability itself was announced by XSec.

Uponfurther analysis, we have determined that the vulnerability is, infact, a buffer overflow related to how Internet Explorer tries toinstantiate a certain DirectionAnimation COM object as an ActiveXcontrol. At this point, we believe that successful exploitation of thisvulnerabilitiy may allow an attacker to execute remote code on thecompromised system.

There is no patch available from Microsoft for this particularzero-day exploit, as of yet. In order to provide proactive protectionto our customers against malicious attacks that attempt to leverage thevulnerability, Symantec Security Response is...

Hon Lau | 03 Sep 2006 07:00:00 GMT | 0 comments

In recent months there has been a lot ofactivity around the discovery and exploitation of vulnerabilities inthe Microsoft Office 2003 suite of applications. This activity led tothe discovery of a large number of vulnerabilities in Microsoft Word,PowerPoint, and Excel; many of which were incorporated into newTrojans, such as the Trojan.PPDropper and Trojan.MDropper families. Asa result, Microsoft has spent a fair amount time and effort in patchingsecurity vulnerabilities in its Office 2003 suite.

In thepast couple of days, we have seen samples of a Trojan that exploits apreviously unknown vulnerability in Microsoft's Office applications.This time, it is in Microsoft Word 2000 running on Windows 2000. ThisTrojan (detected by Symantec products as Trojan.MDropper.Q)takes advantage of the vulnerability to drop another file onto thetarget computer....

Eric Chien | 24 Aug 2006 07:00:00 GMT | 0 comments

Over the last few weeks we've been trackingattacks coming from Gromozon.com. These attacks have actually beenhappening for a few months now, but the number of reports has recentlyescalated. In particular, a variety of Italian blogs and message boardshave been spammed with links to hundreds of different URLs over thelast week. These URLs all eventually point to gromozon.com and after anextensive trail of code downloading other code, one ends up infectedwith LinkOptimizer, which dials a high-cost phone number and then displays advertisements when browsing the Internet.

Whenyou visit one of these malicious links, it eventually loads a page fromgromozon.com that determines which browser you are using. If you areusing Internet Explorer, it attempts to exploit a Internet Explorervulnerability. The exploit has changed over time, but is currently...

Eric Chien | 23 Aug 2006 07:00:00 GMT | 0 comments

We've been watching Wargbot for the past week to monitor its activities. As noted in our previous blog entry, Wargbot was being used to send spam. I wanted to provide some statistics and anecdotes on Wargbot's activities.

As part of our standard intelligence gathering, we monitor a varietyof botnets. Usually, these botnets don't stay up too long because ISPsrespond to our shutdown notices, but servers related to Wargbot havebeen up for a week already and have been quite active. In particular,Wargbot downloads Backdoor.Ranky, which converts the infected machineinto a proxy for spam. Since the spam started coming through, we'veseen tens of thousands of spam messages being pumped through ourhoneypot; we actually take all of these spam messages and redirect themto the Symantec Email Security Group. The Email Security Group thenverifies that...

Symantec Security Response | 22 Aug 2006 07:00:00 GMT | 0 comments

Over the last few days there's been a lotof buzz about whether or not there is a new zero-day vulnerability inthe Microsoft PowerPoint application being exploited. Some peoplethought that the exploit was a spin-off from the recently announcedPowerPoint vulnerability in MS06-048 (in August). However, whatSymantec Security Response has determined is that the exploit is infact based on Microsoft Office vulnerabilities disclosed in MS06-012,which was announced back in March of this year.

Uponanalysis of samples related to this particular exploit in question, wediscovered that it is related to Trojan.PPDropper, which we've haddetection for since August 17, 2006. This file then drops a downloaderthat will download Keylogger.Trojan from two separate addresses (we'vehad detection for the downloader and Keylogger.Trojan since August 12,2006).

Symantec has also determined that the exploit occurs just as youclose a PowerPoint document, which is typical of MS06-012 exploits...

John Canavan | 16 Aug 2006 07:00:00 GMT | 0 comments

In recent months, we have seen a number of zero-day Microsoft Officeexploits used to drop Trojan horses on affected systems. The release ofthe exploits had been timed so that when Microsoft released theirpatches, a zero-day exploit surfaced the next day. The timing of thesereleases was noted by Symantec Security Response and it was speculatedthat the people behind these exploits had discovered multiplevulnerabilities in Microsoft Office and were holding back on releasingthem, in order to maximize the time-to-patch for each of their finds.

Today,we have seen another targeted attack on a document editing suite;however, this time around it is Justsystem's Ichitaro. Ichitaro is aword processing program widely used in Japan.

The malicious document uses a unicode stack overflow to execute itscode on the system, dropping and executing a Trojan horse namedBackdoor.Papi. When run, Backdoor.Papi copies itself to the %system%directory, creates a service named CAPAPI, and drops...

Symantec Security Response | 14 Aug 2006 07:00:00 GMT | 0 comments

In an earlier blog regardingMicrosoft’s recent vulnerability announcement, MS06-040 (Server servicevulnerability) was discussed, along with how this issue would beexploitable for worm-based attacks. Although there were samples ofproof-of-concept exploits released last week, it was pretty quiet onthis front, until now. We have now seen our first real, in-the-wildstyle attack leveraging MS06-040.

Here's what we know so far:
• On August 12, 2006 Symantec Security Response detected a new exploitbased on MS06-040, dubbed W32.Wargbot. This is a network-aware wormthat leverages the described vulnerability to spread itself onvulnerable machines. Once on the compromised machine, W32.Wargbot thenproceeds to open an IRC backdoor.
• In response to this new attack, Symantec has released AV signaturesspecific to W32.Wargbot; however,...

Robert Keith | 11 Aug 2006 07:00:00 GMT | 0 comments

As a vulnerability analyst, I need togather as much information as I can on new or existing vulnerabilities.Part of my job is to scour vendor security sites, public disclosurelists, and other security-related sites looking for security-relatedinformation. In the process I often come across messages, emails, orblog entries etc. that are, to me at least, quite amusing. Typically,these messages tend to be from application authors declaring that theirapplication “can’t have vulnerabilities” or, that “it just isn’tpossible”. The arguments are often made that the programmer is eithertoo reputable, or the software that they’ve developed has check uponcheck, making it impossible for the application to havevulnerabilities. Of course, no one wants to hear that something theyhave created has bugs or security holes, but more often than not,unfortunately it does. More likely, the case isn’t that the applicationis not vulnerable, but the author themselves may not understand...

Symantec Security Response | 09 Aug 2006 07:00:00 GMT | 0 comments

Guess what time it is (again)? Yep—it’sthat time of the month when our friends at Microsoft open a bit oftheir kimono in the interest of "community service”. For Star DateAugust 8, 2006, Microsoft presents us with a cornucopia of issues: 23vulnerabilities spread over 12 bulletins, to be exact.

Manyof the items disclosed are rated "critical" by Microsoft and I couldn'tagree more. Some of the items carrying a critical rating are highlyexploitable and the most severe of them all is contained in theMS06-040 bulletin entitled "Vulnerability in Server Service Could AllowRemote Code Execution”. The bulletin speaks to a buffer overflowcondition (in the "Server" service, which is used for sharing resourcesbetween Windows machines) that may occur if specially crafted RPCmessages are sent to vulnerable machines. If successfully exploited, anattacker can take complete control over the affected system.

Worse yet, do you remember the worms of yore in the not too distantpast?...

Ollie Whitehouse | 08 Aug 2006 07:00:00 GMT | 0 comments

I posted a blog in May thatspoke about the potential for remote code execution on Windows CEdevices and the problems involved with patching. I also alluded to someresearch Symantec had been doing at the time. Well, at DefCon this pastweekend, Collin Mulliner demonstrated a remote code execution flaw viaMMS on Windows CE.

Collin's slides showhow he used a malformed MMS message to achieve arbitrary code executionon a device, simply by having a user view the message. This isobviously of great concern; Windows Mobile devices are becoming moreand more prevalent and the substantial challenges with patchingcontinue to exist.

At the end of 2005, the Symantec Advanced Threat Research teamperformed a detailed attack...