Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Security Intel Analysis Team | 14 Jun 2010 22:37:57 GMT

While investigating the malware and shellcode that were associated with the recent Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability (BID 40586), we came across some interesting similarities to the malware and shellcode that were used in the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (BID 38615) targeted attacks from March 2010.

The first similarity is in the shellcode

The image below is the function-hooking shellcode that was used in the targeted attacks against the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability in March 2010:

Below is the function-hooking shellcode that was used in the targeted attacks...

Robert Keith | 11 May 2010 17:55:51 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing two bulletins covering a total of two vulnerabilities.

Both of the issues are rated “Critical” and affect Windows Mail, Windows Live Mail, Outlook Express, Office, and Visual Basic for Applications (VBA). Both issues are client-side and can result in remote code-execution in the context of the currently logged-in user if an attacker can trick an unsuspecting victim into performing some action.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key...

Greg Ahmad | 30 Apr 2010 12:49:13 GMT

Web browsers are an integral part of home and business computing environments and one of the most popular and ubiquitous applications on computer systems. Due to their popularity, the exploitation of security vulnerabilities in browsers is a common method for attackers to compromise computers. Vulnerabilities in browsers and browser plug-ins facilitate the propagation of malware, as well as aid in other attacks such as fraud and the theft of sensitive information. Not only are these issues used to compromise computers in targeted attacks, but vulnerabilities affecting browser applications are also exploited en masse by malware, bot networks, and exploit toolkits. Nowadays, attacks that take advantage of vulnerabilities in browsers and other associated applications such as browser plug-ins are very common. According the recent Symantec Global...

Adrian Pisarczyk | 27 Apr 2010 12:57:12 GMT

Far gone are the times when truly remote server-side vulnerabilities were the most popular vectors for compromising machines and attacking organizations. More than 93 percent of vulnerabilities exploited in recent years have been client-side security flaws, as discussed in the Symantec Global Internet Security Threat Report. They are used in both targeted attacks and massively widespread drive-by attacks to create botnets. One type of these sorts of vulnerabilities is browser and browser-related issues. In many cases they merely require a victim to follow a single link to become compromised. There is a continuous race between browser developers, vulnerability researchers, and exploit writers. In this year’s Pwn2Own contest at the CanSecWest Applied Security Conference, all of the most popular browsers except Google Chrome were successfully exploited on the first day. The list included Apple...

Robert Keith | 13 Apr 2010 18:57:25 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly busy month—the vendor is releasing 11 bulletins covering a total of 25 vulnerabilities.

Nine of the issues are rated “Critical” and affect SMB client, Media Services, DirectShow, Media Player, and Windows Authenticode Signature Verification. The SMB and Windows Authenticode Signature Verification vulnerabilities have the potential to result in a complete system compromise upon successful exploitation. The remaining issues are rated “Important” and “Moderate” and affect ISATAP, Exchange, VBScript, Publisher, Visio, and the Windows kernel.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of...

Security Intel Analysis Team | 30 Mar 2010 19:25:41 GMT

At the recent Pwn2Own contest held during the CanSecWest 2010 security conference, the Web browser targets were the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari. All of the targeted browser platforms were patched up to date and included the latest anti-exploitation technologies. In spite of this, Peter Vreugdenhil succeeded in leveraging two vulnerabilities in Internet Explorer 8 on Windows 7 64-bit to execute and reliably run arbitrary code, bypassing Microsoft’s latest security defenses. Internet Explorer 8 was not the only browser to fall—Charlie Miller exploited the Safari browser on OSX, and Nils exploited Mozilla Firefox on Windows 7.  

So, why do Web browsers make such good targets for exploit developers? First off, the Web browser handles untrusted and therefore unpredictable data, and this data often passes through several security boundaries before the processing of the data is complete. The Web...

Greg Ahmad | 18 Mar 2010 22:25:25 GMT

Over the past few years, targeted attacks against organizations have become increasingly common and have gained notoriety. One of the most well known of these attacks is the recent compromise of Google, Adobe, and many other companies as part of the Trojan.Hydraq or the “Operation Aurora” incident. This particular attack involved organized and well-resourced cyber criminals who used a zero-day memory-corruption exploit for Microsoft Internet Explorer as an attack vector to deliver a malicious payload, known by the name of Trojan.Hydraq. The attackers behind this operation targeted various organizations and sent messages using the spear phishing technique, which makes email messages look like they come from a trusted source, thereby increasing the chance of victims following links or opening attachments. Once the vulnerability was successfully exploited and the Hydraq malware...

Andrea Lelli | 10 Mar 2010 22:11:15 GMT

Internet Explorer 6 may have taken its path to retirement but it still remains a good target for exploits, as we can see from JS.Sykipot. This zero-day was found on March 8th and it exploits a vulnerability in some Internet Explorer versions (CVE-2010-0806 , BID 38615) that can lead to remote code execution. Upon successful exploitation, JS.Sykipot will download and run Backdoor.Sykipot, which is a back door capable of communicating with its control server to receive and run several commands.

In my tests, the...

Robert Keith | 09 Mar 2010 21:17:52 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly quiet month—the vendor is releasing two bulletins covering a total of eight vulnerabilities.

All of the issues are rated “Important” this month: seven affecting Office/Excel and one affecting Movie Maker and Producer. All of the issues are file-based remote code-execution vulnerabilities in the context of the currently logged-in user.

Microsoft also released a security advisory (981374) today regarding a publicly disclosed vulnerability affecting Internet Explorer 6 and 7. Limited, targeted attacks exploiting this issue have been detected in the wild.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality....

Mircea Ciubotariu | 13 Feb 2010 01:17:40 GMT

In the past, viruses and computer threats were created simply for the sake of it. Sometimes these threats would wipe your hard drive clean—just to let you know you’d been owned. This is not the case anymore; nowadays most of the threats we see are profit-oriented and try to keep a very low profile so that they aren't easily detectable by security software.

Backdoor.Tidserv does a very good job in that sense, especially with the latest version (TDL3), which uses an advanced rootkit technology to hide its presence on a system by infecting one of the low-level kernel drivers and then covering its tracks. While the rootkit is active there is no easy way to detect the infection, and because it goes so deep into the kernel, most users cannot see anything wrong in the system.

Most of the time the driver chosen by Tidserv to be infected is “atapi.sys,” but...