Video Screencast Help
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Symantec Security Response | 09 Aug 2006 07:00:00 GMT | 0 comments

Guess what time it is (again)? Yep—it’sthat time of the month when our friends at Microsoft open a bit oftheir kimono in the interest of "community service”. For Star DateAugust 8, 2006, Microsoft presents us with a cornucopia of issues: 23vulnerabilities spread over 12 bulletins, to be exact.

Manyof the items disclosed are rated "critical" by Microsoft and I couldn'tagree more. Some of the items carrying a critical rating are highlyexploitable and the most severe of them all is contained in theMS06-040 bulletin entitled "Vulnerability in Server Service Could AllowRemote Code Execution”. The bulletin speaks to a buffer overflowcondition (in the "Server" service, which is used for sharing resourcesbetween Windows machines) that may occur if specially crafted RPCmessages are sent to vulnerable machines. If successfully exploited, anattacker can take complete control over the affected system.

Worse yet, do you remember the worms of yore in the not too distantpast?...

Ollie Whitehouse | 08 Aug 2006 07:00:00 GMT | 0 comments

I posted a blog in May thatspoke about the potential for remote code execution on Windows CEdevices and the problems involved with patching. I also alluded to someresearch Symantec had been doing at the time. Well, at DefCon this pastweekend, Collin Mulliner demonstrated a remote code execution flaw viaMMS on Windows CE.

Collin's slides showhow he used a malformed MMS message to achieve arbitrary code executionon a device, simply by having a user view the message. This isobviously of great concern; Windows Mobile devices are becoming moreand more prevalent and the substantial challenges with patchingcontinue to exist.

At the end of 2005, the Symantec Advanced Threat Research teamperformed a detailed attack...

Ben Greenbaum | 27 Jul 2006 07:00:00 GMT | 0 comments

Many years ago, almost all vulnerabilitieswere a “zero-day” style in some respect. Vendors did not, for the mostpart, talk about security defects in their products and in fact,several chose not to address them at all. Information about ways tobreak into systems remained primarily in the hands of the attackers.Things began to change in the mid-90s, when the discussion of securitybugs became more widespread. Vendors started to participate moreactively in the dissemination of protective information with the goalof enabling their customers to defend their digital assets. Variouscommunities sprouted up to facilitate this discussion, vendors set upsecurity-alert mailing lists and Web sites, and the general awarenesslevel of computer security was raised substantially. During this timethere were, of course, those who still chose to keep vulnerabilityinformation to themselves for their own purposes, but the overalldiscussion of these issues was open and frank. Flaws were discovered,...

Ollie Whitehouse | 19 Jul 2006 07:00:00 GMT | 0 comments

I wanted to let you know that contrary tosome beliefs, there are still Lotus Notes users out there. During acursory look at Notes around the end of 2004 (just after @stake was bought by Symantec) I had identified a denial of service (DoS) condition that could be triggered via SMTP (the advisory was released last month). I wanted to take a few moments to discuss some of the details around this vulnerability.

Ihad originally identified the bug using SMTP as the injection vector.However, during Symantec's patching process (I was fortunate enough towork with our team that focuses on Notes issues) we identified thatNotes RPC could also be used as a vector. What is the result? Well,even if you patch the edge (peripheral) Lotus servers, as soon as asuitably malformed message hits a vulnerable server deep...

Eric Chien | 18 Jul 2006 07:00:00 GMT | 0 comments

The recent Yahoo! Mail worm, JS.Yamanner@m, is symptomatic of our increased usage and reliance on Webapplications. This past weekend we saw a similar attack, but this timeit was on the MySpace social networking site. Web applications are justas vulnerable to certain exploits, and even more so in some cases. Inparticular, services that allow people to author and post content underthe service domain must always neuter any active content such asJavascript. MySpace fails to do so, allowing an attacker toautomatically hijack any user's MySpace page as soon as they visit aninfected MySpace page.

The attack works by using anembedded Shockwave Flash file. The MySpace site allows members to postembedded content, such as movies and Shockwave Flash files, via an HTML“embed” tag. Shockwave Flash files can contain scripting that is simplya variant of JavaScript (known as Action...

Elia Florio | 17 Jul 2006 07:00:00 GMT | 0 comments

Just a day after Microsoft released theirJuly security bulletins, a new PowerPoint zero-day vulnerability wasdiscovered as part of a targeted and limited attack. It was Tuesday,July 12th, and it was Microsoft’s "patch day". On July 11th, Microsofthad released seven new security bulletins aspart of the standard security life cycle. The following bulletins arerated as “critical” and affect the Microsoft Office suite, which isquickly becoming the next most popular platform exploited by attackers:
• MS06-037 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)
• MS06-038 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
• MS06-039 - Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)

Inaddition, the MS06-037 patch was long awaited because it fixes...

Symantec Security Response | 14 Jul 2006 07:00:00 GMT | 0 comments

Well, it seems that things will never get too boring around here inSymantec Security Response. There is a new, in-the-wild threat runningaround on the Internet that is exploiting a previously undisclosedvulnerability in Microsoft PowerPoint.

In particular,attackers can create specially crafted PowerPoint files to exploit thevulnerability. These files can then be special delivered to yourcomputer via your Inbox as an attachment, or perhaps placed on Webpages for downloading (like a wolf in sheep’s clothing). All you haveto do is open the file—and WHAMMO!—the vulnerability is triggered,potentially allowing the attacker to run his or her code on yourmachine.

At this point in time, we have discovered a Trojan attached to thePowerPoint exploits that we’ve seen in the wild, and made antivirussignatures available for it; the Trojan is detected as Trojan.PPDropper.B....

Ollie Whitehouse | 06 Jul 2006 07:00:00 GMT | 0 comments

HD Moore and the MetaSploit project havegone to town with their toolbox of fuzzers and insight. They haveunleashed a raft of security vulnerabilities on the world, in majorbrowsers across many different platforms, one a day for an entire month(it is now day five of the Month of Browser Bugs as I write this).

WhileI think it's awesome that HD and the project team have made such aconcerted effort to investigate most of the major sub-systems used intoday's browsers (I don't want to detract from their initiative,motivation, or skill) it should be noted they were not the first totake a look at them, thinking that, aside from ActiveX (for a change)they could be fuzzed with high yield results. Similar methods were usedby the illustrious group at Oulu university in 2001,...

David McKinney | 04 Jul 2006 07:00:00 GMT | 0 comments

Cross-site scripting (XSS) is hardly thescourge of the Internet, but at the same time, should it really betrivialized when it affects a widely used service or application?Cross-site scripting (and the broader category of content injectionvulnerabilities) is incredibly prevalent across a wide range ofsoftware, from guestbook programs churned out by weekend warriors, tohousehold names with revenue statements that eclipse the gross nationalproducts of some small countries.

These vulnerabilitiesare so common that most people just wish they would go away. So, if wewant something to go away and we're not willing to expend the time andenergy to develop a real solution, then what alternative do we have? Dowe just pretend that they don't exist? The suggestion is often madethat they aren’t real—nothing to see here—move along.

Some people contend that XSS isn’t a real vulnerability because itcan’t affect security with hosts or end users on its own, or when usedin a product...

Yazan Gable | 27 Jun 2006 07:00:00 GMT | 0 comments

It has been said that the biggest securityproblem for computers and networks is the user. Every black hat worththeir salt knows that the best way to get information from a targetcomputer or network is to manipulate its user or users. The user setsthe password, knows what’s on the computer, and often knows how toconnect to it from outside of the organization. A little socialengineering by an attacker and then blammo!—the user and theirorganization are compromised.

Simple social engineeringcan go a long way, but the existence of certain vulnerabilities canmake the lives of these social-engineering black hats a whole loteasier. Enter the Microsoft HLINK.DLL Link Memory Corruption Vulnerability,which is a critical flaw in the Microsoft Office Excel application.Using this vulnerability, an attacker could take control of a computerby simply downloading the publicly available exploit and...