Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
W32.Stuxnet – Commonly Asked Questions
Symantec Security Response | 16 Jul 2010 22:05:04 GMT

Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.

We have received some queries recently regarding the new rootkit threat being called “Tmphider" or "Stuxnet.” This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives—among other interesting features. We have compiled some of the questions we have been...

Read more
Microsoft Patch Tuesday - July 2010
Robert Keith | 13 Jul 2010 18:06:47 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing four bulletins covering a total of five vulnerabilities.

Four of the issues are rated “Critical” and affect Help and Support Center, Access, and the Canonical Display Driver. The Help and Support Center issue was originally made public on June 10 of this year, and has seen in-the-wild exploit attacks. The remaining issue, rated “Important,” affects Outlook and can be exploited to bypass Outlook’s detection of unsafe file types when dealing with attachments. All of the issues are client-side, and require an attacker to trick a victim into performing some action in order to exploit.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid...

Read more
A Zero-day Connection
Security Intel Analysis Team | 14 Jun 2010 22:37:57 GMT

While investigating the malware and shellcode that were associated with the recent Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability (BID 40586), we came across some interesting similarities to the malware and shellcode that were used in the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (BID 38615) targeted attacks from March 2010.

The first similarity is in the shellcode

The image below is the function-hooking shellcode that was used in the targeted attacks against the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability in March 2010:

Below is the function-hooking shellcode that was used in the targeted attacks against the Adobe Flash...

Read more
Microsoft Patch Tuesday - May 2010
Robert Keith | 11 May 2010 17:55:51 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing two bulletins covering a total of two vulnerabilities.

Both of the issues are rated “Critical” and affect Windows Mail, Windows Live Mail, Outlook Express, Office, and Visual Basic for Applications (VBA). Both issues are client-side and can result in remote code-execution in the context of the currently logged-in user if an attacker can trick an unsuspecting victim into performing some action.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key...

Read more
A Rise in Java Vulnerabilities
Greg Ahmad | 30 Apr 2010 12:49:13 GMT

Web browsers are an integral part of home and business computing environments and one of the most popular and ubiquitous applications on computer systems. Due to their popularity, the exploitation of security vulnerabilities in browsers is a common method for attackers to compromise computers. Vulnerabilities in browsers and browser plug-ins facilitate the propagation of malware, as well as aid in other attacks such as fraud and the theft of sensitive information. Not only are these issues used to compromise computers in targeted attacks, but vulnerabilities affecting browser applications are also exploited en masse by malware, bot networks, and exploit toolkits. Nowadays, attacks that take advantage of vulnerabilities in browsers and other associated applications such as browser plug-ins are very common. According the recent Symantec Global...

Read more
“Perfect” Client-Side Vulnerabilities
Adrian Pisarczyk | 27 Apr 2010 12:57:12 GMT

Far gone are the times when truly remote server-side vulnerabilities were the most popular vectors for compromising machines and attacking organizations. More than 93 percent of vulnerabilities exploited in recent years have been client-side security flaws, as discussed in the Symantec Global Internet Security Threat Report. They are used in both targeted attacks and massively widespread drive-by attacks to create botnets. One type of these sorts of vulnerabilities is browser and browser-related issues. In many cases they merely require a victim to follow a single link to become compromised. There is a continuous race between browser developers, vulnerability researchers, and exploit writers. In this year’s Pwn2Own contest at the CanSecWest Applied Security Conference, all of the most popular browsers except Google Chrome were successfully exploited on the first day. The list included Apple...

Read more
Microsoft Patch Tuesday - April 2010
Robert Keith | 13 Apr 2010 18:57:25 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly busy month—the vendor is releasing 11 bulletins covering a total of 25 vulnerabilities.

Nine of the issues are rated “Critical” and affect SMB client, Media Services, DirectShow, Media Player, and Windows Authenticode Signature Verification. The SMB and Windows Authenticode Signature Verification vulnerabilities have the potential to result in a complete system compromise upon successful exploitation. The remaining issues are rated “Important” and “Moderate” and affect ISATAP, Exchange, VBScript, Publisher, Visio, and the Windows kernel.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of...

Read more
Pwn2Own 2010: Lessons Learned
Security Intel Analysis Team | 30 Mar 2010 19:25:41 GMT

At the recent Pwn2Own contest held during the CanSecWest 2010 security conference, the Web browser targets were the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari. All of the targeted browser platforms were patched up to date and included the latest anti-exploitation technologies. In spite of this, Peter Vreugdenhil succeeded in leveraging two vulnerabilities in Internet Explorer 8 on Windows 7 64-bit to execute and reliably run arbitrary code, bypassing Microsoft’s latest security defenses. Internet Explorer 8 was not the only browser to fall—Charlie Miller exploited the Safari browser on OSX, and Nils exploited Mozilla Firefox on Windows 7.  

So, why do Web browsers make such good targets for exploit developers? First off, the Web browser handles untrusted and therefore unpredictable data, and this data often passes through several security boundaries before the processing of the data is complete. The Web...

Read more
Beyond the Initial Compromise
Greg Ahmad | 18 Mar 2010 22:25:25 GMT

Over the past few years, targeted attacks against organizations have become increasingly common and have gained notoriety. One of the most well known of these attacks is the recent compromise of Google, Adobe, and many other companies as part of the Trojan.Hydraq or the “Operation Aurora” incident. This particular attack involved organized and well-resourced cyber criminals who used a zero-day memory-corruption exploit for Microsoft Internet Explorer as an attack vector to deliver a malicious payload, known by the name of Trojan.Hydraq. The attackers behind this operation targeted various organizations and sent messages using the spear phishing technique, which makes email messages look like they come from a trusted source, thereby increasing the chance of victims following links or opening attachments. Once the vulnerability was successfully exploited and the Hydraq malware...

Read more
Zero-Day Attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software
Andrea Lelli | 10 Mar 2010 22:11:15 GMT

Internet Explorer 6 may have taken its path to retirement but it still remains a good target for exploits, as we can see from JS.Sykipot. This zero-day was found on March 8th and it exploits a vulnerability in some Internet Explorer versions (CVE-2010-0806 , BID 38615) that can lead to remote code execution. Upon successful exploitation, JS.Sykipot will download and run Backdoor.Sykipot, which is a back door capable of communicating with its control server to receive and run several commands.

In my tests, the exploit worked successfully on IE6...

Read more