
Security Response

Showing posts tagged with Vulnerabilities & Exploits
Security Intel Analysis Team | 22 Nov 2008 18:13:04 GMT | 0 comments

Microsoft Security bulletin MS08-067 was an out-of-band security update that was released on October 23, 2008, to address a critical remotely exploitable vulnerability that was being exploited in the wild. The Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability that was addressed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately the issue can be exploited by a remote attacker to install malicious applications on a target computer without the victim’s knowledge.

Microsoft released a detailed matrix describing the risk that this vulnerability presents to different versions of Microsoft Windows. When reading this matrix it becomes clear that this issue is exploitable by an unauthenticated attacker on Windows 2000, Windows...

Robert Keith | 11 Nov 2008 19:25:23 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a light month, with two bulletins covering four vulnerabilities.

The only “Critical” issue this month is a previously public remote-code execution vulnerability (BID 21872) in Microsoft XML Core Services. The remaining three issues are rated “Important” and include two information-disclosure issues affecting XML Core Services and a remote code-execution issue in Server Message Block (SMB).

As always, customers are advised to follow these security best practices:

- Block external access at the network perimeter to specific sites and computers only.
- Avoid sites of questionable or unknown integrity.
- Never open files from unknown or questionable sources.
- Run all software with the least privileges required while still maintaining functionality.

Microsoft’s summary of the November releases can be found here:
...

Sean Hittel | 07 Nov 2008 23:16:59 GMT | 0 comments

It appears that last night, an exploit for the Acrobat util.printf() vulnerability was added to a well known Web attack toolkit. The attack exists as a compressed PDF. Once decompressed, the exploit is encoded with a simple eval() + string-concatenation block:

--
function main() {
eval(unescape(""+"%"+"76%61%"+"72%20%7"+
..
this.closeDoc(true);
}
app.setTimeOut("main()", 5000);
--

 
This decodes into an exploit for the util.printf() vulnerability:
---
var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+ ...);
...

Parveen Vashishtha | 28 Oct 2008 18:38:25 GMT | 0 comments

In a blog article from last year, I discussed the rise in popularity of exploits using ActiveX overwrite/delete vulnerabilities due to their ease of use. Since that time, we have seen over 100 such vulnerabilities.

Microsoft requires developers of ActiveX controls to mark their controls “not safe for scripting” if they can arbitrarily write or delete files. However, developers not realizing the security implications or the full capabilities of their ActiveX control often fail to do so, allowing unauthorized remote users to arbitrarily write files to disk. In some cases, the ActiveX control does not even need to be installed by the user—as was the case with the Access Snapshot Viewer ActiveX Vulnerability.

Recently we’ve seen a sharp rise in these types...

Sean Hittel | 24 Oct 2008 22:32:08 GMT | 0 comments

I am sure by now that many have read about Trojan.Gimmiv exploiting the new MSRPC vulnerability. While we have not seen any evidence of Gimmiv replicating by itself, we analyzed a second component, related to Gimmiv, which is able to exploit the vulnerability patched on Wednesday. Interestingly though, Gimmiv exploits a 2006 vulnerability described in MS06-040 along with its MS08-067 exploit. Because of the way that Gimmiv does this, Symantec IPS definitions circa August 2006 will block this attack.

Because the MS08-067 vulnerability can be exploited without triggering the 2006 IPS signature, we strongly...

Symantec Security Response | 23 Oct 2008 23:42:58 GMT | 0 comments

This morning Microsoft released an out-of-band security update - MS08-067 - for a vulnerability in the Server service. This issue is tracked as BugTraq ID 31874. This issue affects all supported versions of the Windows operating system.

The weakness allows an attacker to effectively take complete control of a vulnerable system. It is imperative that end users apply the patch from Microsoft as soon as possible.

While we haven't seen widespread exploitation of this issue, there have been reports of a certain file, "n2.exe," being downloaded on compromised computers. This file copies another piece of malicious code onto the compromised computer. Symantec products already detect both of these files as ...

Security Intel Analysis Team | 23 Oct 2008 14:35:13 GMT | 0 comments

The Symantec DeepSight Threat Analysis team recently observed an interesting attack development related to a known vulnerability type. This seemingly new technique allows attackers to execute a malicious payload immediately on a victim's system, where in the past they weren't able to achieve instant code execution by exploiting such vulnerabilities.

Public examples of this new attack typically employ file-overwrite and file-download vulnerabilities in ActiveX controls to download a malicious file onto the target machine. In the past, attackers were able to download files without much difficulty, but until recently the options for attackers seeking to have malicious programs executed on a victim's system were limited. In order to execute a malicious file on an affected computer, attackers generally needed to place the file in one of the load points such as the "Startup" directory in Microsoft Windows, or use social-engineering or other attacks to have the file executed...

Robert Keith | 14 Oct 2008 19:02:30 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is another fairly heavy month, with 11 bulletins covering 20 vulnerabilities.

There are 10 critical issues this month affecting Internet Explorer, Excel, Active Directory, and the RPC service of Host Integration Server. All of them are remote code-execution issues, but the issues affecting Host Integration Server and Active Directory do not require any user interaction, making them potentially the worst of the bunch. The remaining issues (rated Important and Moderate) affect Message Queuing Service, Internet Printing Protocol (IPP), Windows Kernel, Ancillary Function Driver, Virtual Address Descriptors (VADs), and Server Message Block (SMB).

As always, customers are advised to follow these security best practices:

- Block external access at the network perimeter to specific sites and computers only.
- Avoid sites of questionable or unknown integrity.
- Never open files...

Sean Hittel | 15 Sep 2008 19:30:44 GMT | 0 comments

Not surprisingly, attackers are again targeting vulnerabilities from the latest set of Microsoft Security Bulletins. This time around, it is the Microsoft Media Encoder ActiveX overflow patched in MS08-053. This attack chronology is another example of the rapid adoption of public exploits into widely deployed exploit toolkits. The vulnerability was disclosed by Microsoft on Tuesday, September 9. A public exploit was released on September 13 (although the exploit itself is dated September 10). Our honeypots began picking up variants of this exploit in the wild soon thereafter, on September 13.
 
The exploits that we have been finding so far are distributed in two major ways. One is that they are simply cleartext. That is, they are not obfuscated in any way, but are effectively the same as the public exploit, with attacker-supplied shellcode substituted for the sample...

Robert Keith | 09 Sep 2008 18:01:10 GMT | 0 comments

Hello and welcome to this month's blog on the Microsoft patch releases. This is a relatively light month, with four bulletins covering eight vulnerabilities.
 
All of the vulnerabilities this month are client-side issues rated "critical." Five of the issues affect the GDI+ graphics library; the rest affect Media Player, Microsoft Office, and Media Encoder. All of the issues have the potential to see active exploits, but the GDI+ vulnerabilities have the most avenues of attack and affect the most systems. The OneNote protocol handler vulnerability is fairly trivial to exploit.
As always, customers are advised to follow these security best practices:

- Avoid sites of questionable or unknown integrity.
- Never open files from unknown or questionable sources.
- Run all client software with the least privileges required while still maintaining functionality.

Microsoft's summary of the...