Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Excel Exploited
Patrick Fitzgerald | 24 Feb 2009 17:58:10 GMT | 0 comments

Yesterday, our engineers in Japan noticed the arrival of some unusual submissions from a small number of our customers. All of these submissions contained suspicious Microsoft Office Excel 2007 spreadsheets. Further analysis showed that these files were exploiting a vulnerability in Excel that allowed them to drop and execute a binary onto the file system.

We see this kind of behavior all the time, but as the analysis of the vulnerability progressed it became clear that this vulnerability is one that we had not seen before. It turns out that this vulnerability exists in the old Excel binary .xls format and not the new .xlsx format. Opening the malicious spreadsheet triggers the vulnerability. This causes the shellcode to execute and then drops two files on the system—the malicious binary mentioned earlier and another valid Excel document. The shellcode then executes the dropped file and opens the valid Excel document to mask the fact that Excel has just crashed. This...

Read more
Targeted PDFs Used as Exploits
Patrick Fitzgerald | 20 Feb 2009 14:37:02 GMT | 0 comments

Symantec Security Response has received several PDF files that actively exploit a vulnerability in Adobe Reader. We are continuing to remain in contact with Adobe on this vulnerability in order to ensure the security of our mutual customers.

 

This exploit is currently detected heuristically as Bloodhound.PDF.6 by our products. We have noticed an increase in submissions of similar PDFs using this exploit. So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.

 

While examining the JavaScript code used for “heap-spraying” in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source! It seems likely that the people behind this threat are using targeted attacks against...

Read more
Microsoft Patch Tuesday—February 2009
Robert Keith | 10 Feb 2009 21:05:22 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing four bulletins covering a total of eight vulnerabilities.

Of those, three are “Critical” issues affecting Exchange Server and Internet Explorer. We haven’t seen email-based attacks in a while, but the first Exchange Server issue is exactly that. To exploit the issue, an attacker only needs to send an email with a specially crafted attachment and entice an unsuspecting victim into opening the email. The other Exchange issue, rated “Important,” can be remotely exploited to cause an affected server to crash. This could have a significant impact on enterprise users.

We've noticed what appears to be a trend regarding Internet Explorer. The vendor has released a cumulative security bulletin for that product every other month for the past 18 months.

The remaining issues, all rated “Important,...

Read more
Unexpected Reality In Search of American Idol
Eric Chien | 02 Feb 2009 21:52:21 GMT | 0 comments

If you were searching the Internet for videos of the American Idol TV show, you might have received a bigger dose of reality than you were expecting. Unfortunately, one of the more popular video link aggregators was hosting infected advertisements on their site. 

Advertising networks are a popular platform with malicious code authors when trying to gain a widespread distribution of their malware. They provide advertising networks with a URL that is supposed to point to their advertisement, but instead of only displaying an ad, they redirect the users to a rogue website. In this case, the advertisement was redirecting Web browsers to a PDF file that was using the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability to install a malicious executable on the browser’s host system. (Please note that this vulnerability is resolved in Adobe Reader 8.1.3 and...

Read more
Microsoft Patch Tuesday for January 2009
Robert Keith | 13 Jan 2009 19:31:45 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a light month—the vendor is releasing only one bulletin covering a total of three vulnerabilities affecting Server Message Block (SMB).

Of those issues, two are “Critical” server-side, remotely exploitable code-execution vulnerabilities. These are rather serious issues that may allow remote attackers to completely compromise a vulnerable computer. Given the nature of these issues, developing viable exploits to execute code may prove difficult, but denial-of-service attacks will likely be trivial. The remaining issue, rated “Moderate”, is a remote denial-of-service vulnerability.

As always, customers are advised to follow these security best practices:

-Install vendor patches as soon as they are available.
-Block external access at the network perimeter to specific sites and computers only.
-Run all software with the least privileges...

Read more
2008—Ending With a Bang
Security Intel Analysis Team | 31 Dec 2008 00:07:48 GMT | 0 comments

This has been an interesting year for high-profile vulnerabilities and security research. In 2008, awareness has been raised about a number of high impact, remote code-execution vulnerabilities affecting both server- and client-side applications. Published attacks targeted important protocols used by critical Internet infrastructure. A number of flaws in the implementation of a number of cryptographic implementations have also been made public. In addition to the aforementioned issues, new exploitation techniques were demonstrated that emphasized the growing trend toward application-specific attacks targeting Web technologies. 

Let's begin with a few high-profile memory corruption flaws on the Microsoft Windows front. The year started with a bang, MS08-001, which is a remotely exploitable memory-corruption vulnerability affecting the Microsoft Windows kernel. Then, in October we saw in-the-wild exploitation of a previously undisclosed RPC vulnerability affecting...

Read more
Rise of IE Zero-Day Through SQL Injection
Peter Coogan | 15 Dec 2008 19:08:45 GMT | 0 comments

Since our blog Yes, There’s a Zero-Day Exploit for Internet Explorer Out There was posted in relation to the now known Microsoft Security Advisory (961051) for IE, we have been closely monitoring the
uptake of this vulnerability. Symantec provides the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 - HTTP MSIE Malformed XML BO to protect users againstthis exploit. To date, since the release of our antivirus signature for this vulnerability, we have observed over 33,000 hits on Symantec customers. Abreakdown of the...

Read more
Protecting Zero-Day
Security Intel Analysis Team | 13 Dec 2008 00:02:41 GMT | 0 comments

Hello, this is Anthony from the Symantec Intelligence Analysis Team. Earlier this week we had the opportunity to analyze an interesting shellcode that is associated with the initial malicious exploit attempts against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability (BID 32721). Currently this vulnerability is not patched and there are several public exploits available to leverage the issue. The vulnerability exists due to a flaw in how Internet Explorer handles XML data bindings. Specially crafted XML can lead to object corruption and code execution. I am not going to go into describing the vulnerability in detail because this has already been done well elsewhere. However, I think that the shellcode is unique enough to warrant some discussion.

When...

Read more
Yes, There’s a Zero-Day Exploit for Internet Explorer Out There
Elia Florio | 10 Dec 2008 17:47:52 GMT | 0 comments

A new and previously unknown vulnerability affecting the Microsoft Internet Explorer 7 browser has been reported, just at the start of the Microsoft “Patch Tuesday” cycle for the month of December. Bad luck, or an intentional strategy by the attackers? It’s not clear at the moment, but the reality is that users around the world started to download and patch their systems just yesterday, while at the same time a new and dangerous exploit surfaced on the Web, trying to infect computers in China and other parts of Asia.

We ran some tests and confirmed that the new vulnerability is, unfortunately, not fixed by the current set of patches released yesterday. The attack is indeed new and it works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches. Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit,...

Read more
Microsoft Patch Tuesday, December 2008
Robert Keith | 09 Dec 2008 21:44:25 GMT | 0 comments

Hello and welcome to this month's blog on the Microsoft patch releases. As far as vulnerability counts go, this is the largest patch release since Microsoft started the "Patch Tuesday" program back in late 2003. The release contains eight bulletins covering 28 vulnerabilities.

Of those issues, 23 are rated "Critical" and affect Word, Outlook, Internet Explorer, Visual Basic ActiveX controls, GDI, Windows Search, and Excel. All of the "Critical" issues this month require some sort of user interaction, whether visiting a Web page that contains malicious content or viewing a malicious file. The remaining issues affect GDI, Windows Search, SharePoint, and Windows Explorer; they range in importance from "Important" to "Moderate."

As always, customers are advised to follow security best practices, including:

-Install vendor patches as soon as they are available
-Block external access at the network perimeter to...

Read more