
Security Response

Robert Keith | 09 Jun 2009 20:41:41 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a very heavy month—the vendor is releasing 10 bulletins covering a total of 31 vulnerabilities, which is the largest number of vulnerabilities covered in a single "Patch Tuesday" since Microsoft started the monthly patch program.

A video of Symantec Security Response’s John Harrison discussing the vulnerabilities addressed this month can be viewed here: http://www.youtube.com/watch?v=-X51L07fk48

Seventeen of the issues are rated “Critical” and affect Office, Print Spooler, Excel, Word, Internet Explorer, and Active Directory. The more severe of the two Active Directory issues can be remotely exploited to gain complete access to a vulnerable computer. In most cases, the remaining “Critical” issues require some sort of user interaction to trigger (e.g. visiting a...

Robert Keith | 12 May 2009 18:58:57 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a light month in bulletin count but a moderate one in vulnerability count: the vendor is releasing one bulletin covering a total of 14 vulnerabilities. This is the first time we've seen a single bulletin cover so many vulnerabilities since Microsoft started the monthly patch program.

All the issues are remote code-execution vulnerabilities in PowerPoint, and Microsoft has rated 11 of them “Critical.” For any of these issues to be triggered, a victim must open a specially crafted file with a vulnerable version of PowerPoint.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.

Microsoft’s summary of the May releases can be found here:

...

Robert Keith | 14 Apr 2009 19:16:49 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly heavy month—the vendor is releasing eight bulletins covering a total of 21 vulnerabilities. Two of these issues are covered in more than one bulletin: CVE-2008-2540 in MS09-015 and MS09-014, and CVE-2009-0550 in MS09-013 and MS09-014.

Ten of the issues, rated “Critical,” are remote code-execution vulnerabilities affecting WordPad, Word, DirectX, Windows HTTP services, Internet Explorer, and Excel. The remaining issues, rated “Important” and “Moderate,” affect Windows, Internet Explorer, ISA Server, WordPad, and Windows HTTP services. Nearly all of the bulletins this month address issues that were previously disclosed or are variants of those issues.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Block external access at the...

Sean Hittel | 09 Apr 2009 20:57:45 GMT | 0 comments

First the CollectEmailInfo vulnerability was exploited in the wild, then the util.printf vulnerability, followed by JBIG2, and Foxit. With the level of obfuscation of the exploits often used, distinguishing each vulnerability in the wild has become a problem. An in-the-wild exploit against the Adobe Reader Collab.getIcon vulnerability (described in BID 34169) was discovered on April 5. Adobe has already updated Reader to patch this...

Sean Hittel | 23 Mar 2009 22:48:01 GMT | 0 comments

Last year when Adobe Acrobat was being exploited in the wild, some were calling for people to switch their PDF reader software as a defense against the exploits targeting Acrobat Reader. While application diversity can enhance an individual's ability to withstand broadcast attacks, it is important to consider that any alternative software still needs to be maintained, and consideration needs to be given as to how security systems handle this software. If a replacement application is not handled well by perimeter systems, has security been improved by the replacement?

Today's Web attack toolkit operators are often content with only a small percentage of success with their attacks. This often means that they are deploying any and every functional exploit they can get their hands on without regard for how successful it may be. Thinking that one can simply move to software that is not currently being exploited is not a good long term solution. In the long term, moving...

John McDonald | 17 Mar 2009 10:14:48 GMT | 0 comments

Well, it's that time of year again. April is the first month of the fiscal year in Japan, and a time when people look forward to the breath-taking beauty of cherry blossoms—known as sakura in Japan—slowly covering the country from end to end for an all-too-brief few weeks. Unfortunately it also seems to be a time malicious code authors in the Land of the Rising Sun see as opportune to do some of their dirty work. In this case, that misuse of perfectly good time resulted in the release of an exploit for a new Ichitaro vulnerability.

JustSystems’ Ichitaro is one of the most widely used word processing programs in Japan. On this occasion, a specially crafted Ichitaro word document creates a randomly named .tmp file in the Windows system directory. This .tmp file then drops and opens a legitimate Ichitaro word document, but it also creates a file named “beer80.exe” in the system directory. The .exe file will be unseen by the user and will,...

Robert Keith | 10 Mar 2009 18:23:09 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month. The vendor is releasing three bulletins covering a total of eight vulnerabilities. Ben Greenbaum (Sr. Research Manager, Symantec Security Response) discusses these vulnerabilities in a video that can be viewed here.

Of the eight vulnerabilities, only one is rated “Critical”—a remote code-execution vulnerability affecting the Windows kernel. This is a fairly serious issue, because a successful exploit will result in a complete compromise of the affected computer. The remaining issues, all rated “Important”, affect the Windows kernel, SChannel, and Windows WINS and DNS servers.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Block external access...

Patrick Fitzgerald | 24 Feb 2009 17:58:10 GMT | 0 comments

Yesterday, our engineers in Japan noticed the arrival of some unusual submissions from a small number of our customers. All of these submissions contained suspicious Microsoft Office Excel 2007 spreadsheets. Further analysis showed that these files were exploiting a vulnerability in Excel that allowed them to drop and execute a binary onto the file system.

We see this kind of behavior all the time, but as the analysis of the vulnerability progressed it became clear that this vulnerability is one that we had not seen before. It turns out that this vulnerability exists in the old Excel binary .xls format and not the new .xlsx format. Opening the malicious spreadsheet triggers the vulnerability. This causes the shellcode to execute and then drops two files on the system—the malicious binary mentioned earlier and another valid Excel document. The shellcode then executes the dropped file and opens the valid Excel document to mask the fact that Excel has just crashed. This...

Patrick Fitzgerald | 20 Feb 2009 14:37:02 GMT | 0 comments

Symantec Security Response has received several PDF files that actively exploit a vulnerability in Adobe Reader. We are continuing to remain in contact with Adobe on this vulnerability in order to ensure the security of our mutual customers.

This exploit is currently detected heuristically as Bloodhound.PDF.6 by our products. We have noticed an increase in submissions of similar PDFs using this exploit. So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.

While examining the JavaScript code used for “heap-spraying” in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source! It seems likely that the people behind this threat are using targeted attacks against...

Robert Keith | 10 Feb 2009 21:05:22 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing four bulletins covering a total of eight vulnerabilities.

Of those, three are “Critical” issues affecting Exchange Server and Internet Explorer. We haven’t seen email-based attacks in a while, but the first Exchange Server issue is exactly that. To exploit the issue, an attacker only needs to send an email with a specially crafted attachment and entice an unsuspecting victim into opening the email. The other Exchange issue, rated “Important,” can be remotely exploited to cause an affected server to crash. This could have a significant impact on enterprise users.

We've noticed what appears to be a trend regarding Internet Explorer. The vendor has released a cumulative security bulletin for that product every other month for the past 18 months.

The remaining issues, all rated “Important,...