Security Response
Showing posts tagged with Vulnerabilities & Exploits
Security Intel Analysis Team | 13 Dec 2008 00:02:41 GMT | 0 comments

Hello, this is Anthony from the Symantec Intelligence Analysis Team. Earlier this week we had the opportunity to analyze an interesting shellcode that is associated with the initial malicious exploit attempts against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability (BID 32721). Currently this vulnerability is not patched and there are several public exploits available to leverage the issue. The vulnerability exists due to a flaw in how Internet Explorer handles XML data bindings. Specially crafted XML can lead to object corruption and code execution. I am not going to go into describing the vulnerability in detail because this has already been done well elsewhere. However, I think that the shellcode is unique enough to warrant some...

Elia Florio | 10 Dec 2008 17:47:52 GMT | 0 comments

A new and previously unknown vulnerability affecting the Microsoft Internet Explorer 7 browser has been reported, just at the start of the Microsoft “Patch Tuesday” cycle for the month of December. Bad luck, or an intentional strategy by the attackers? It’s not clear at the moment, but the reality is that users around the world started to download and patch their systems just yesterday, while at the same time a new and dangerous exploit surfaced on the Web, trying to infect computers in China and other parts of Asia.

We ran some tests and confirmed that the new vulnerability is, unfortunately, not fixed by the current set of patches released yesterday. The attack is indeed new and it works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches. Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit,...

Robert Keith | 09 Dec 2008 21:44:25 GMT | 0 comments

Hello and welcome to this month's blog on the Microsoft patch releases. As far as vulnerability counts go, this is the largest patch release since Microsoft started the "Patch Tuesday" program back in late 2003. The release contains eight bulletins covering 28 vulnerabilities.

Of those issues, 23 are rated "Critical" and affect Word, Outlook, Internet Explorer, Visual Basic ActiveX controls, GDI, Windows Search, and Excel. All of the "Critical" issues this month require some sort of user interaction, whether visiting a Web page that contains malicious content or viewing a malicious file. The remaining issues affect GDI, Windows Search, SharePoint, and Windows Explorer; they range in importance from "Important" to "Moderate."

As always, customers are advised to follow security best practices, including:

-Install vendor patches as soon as they are available
-Block external access at the network perimeter to...

Security Intel Analysis Team | 22 Nov 2008 18:13:04 GMT | 0 comments

Microsoft Security bulletin MS08-067 was an out-of-band security update that was released on October 23, 2008, to address a critical remotely exploitable vulnerability that was being exploited in the wild. The Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability that was addressed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately the issue can be exploited by a remote attacker to install malicious applications on a target computer without the victim’s knowledge.

Microsoft released a detailed matrix describing the risk that this vulnerability presents to different versions of Microsoft Windows. When reading this matrix it becomes clear that this issue is exploitable by an unauthenticated...

Robert Keith | 11 Nov 2008 19:25:23 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a light month, with two bulletins covering four vulnerabilities.

The only “Critical” issue this month is a previously public remote-code execution vulnerability (BID 21872) in Microsoft XML Core Services. The remaining three issues are rated “Important” and include two information-disclosure issues affecting XML Core Services and a remote code-execution issue in Server Message Block (SMB).

As always, customers are advised to follow these security best practices:

-Block external access at the network perimeter to specific sites and computers only.
-Avoid sites of questionable or unknown integrity.
-Never open files from unknown or questionable sources.
-Run all software with the least privileges required while still maintaining functionality.

Microsoft’s summary of the November releases can be found here:
...

Sean Hittel | 07 Nov 2008 23:16:59 GMT | 0 comments

It appears that last night, an exploit for the Acrobat util.printf() vulnerability was added to a well-known Web attack toolkit. The attack exists as a compressed PDF. Once decompressed, the exploit is encoded with a simple eval() + concatenation block:

 

--
function main() {
eval(unescape(""+"%"+"76%61%"+"72%20%7"+
..
this.closeDoc(true);
}

app.setTimeOut("main()", 5000);
--

This decodes into an exploit for the util.printf() vulnerability:

--
var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+ ...);
...

Parveen Vashishtha | 28 Oct 2008 18:38:25 GMT | 0 comments

In a blog article from last year, I discussed the rise in popularity of exploits using ActiveX overwrite/delete vulnerabilities due to their ease of use. Since that time, we have seen over 100 such vulnerabilities.

Microsoft requires developers of ActiveX controls to mark their controls “not safe for scripting” if they can arbitrarily write or delete files. However, developers not realizing the security implications or the full capabilities of their ActiveX control often fail to do so, allowing unauthorized remote users to arbitrarily write files to disk. In some cases, the ActiveX control does not even need to be installed by the user—as was the case with the Access Snapshot Viewer ActiveX Vulnerability.

Recently we’ve seen a sharp rise in these types...

Sean Hittel | 24 Oct 2008 22:32:08 GMT | 0 comments

I am sure by now that many have read about Trojan.Gimmiv exploiting the new MSRPC vulnerability. While we have not seen any evidence of Gimmiv replicating by itself, we analyzed a second component, related to Gimmiv, which is able to exploit the vulnerability patched on Wednesday. Interestingly though, Gimmiv exploits a 2006 vulnerability described in MS06-040 along with its MS08-067 exploit. Because of the way that Gimmiv does this, Symantec IPS definitions circa August 2006 will block this attack.

Because the MS08-067 vulnerability can be exploited without...

Symantec Security Response | 23 Oct 2008 23:42:58 GMT | 0 comments

This morning Microsoft released an out-of-band security update - MS08-067 - for a vulnerability in the Server service. This issue is tracked as BugTraq ID 31874. This issue affects all supported versions of the Windows operating system.

The weakness allows an attacker to effectively take complete control of a vulnerable system. It is imperative that end users apply the patch from Microsoft as soon as possible.

While we haven't seen widespread exploitation of this issue, there have been reports of a certain file, "n2.exe," being downloaded on compromised computers. This file copies another piece of malicious code onto the compromised computer. Symantec products already detect both of these files as...

Security Intel Analysis Team | 23 Oct 2008 14:35:13 GMT | 0 comments

The Symantec DeepSight Threat Analysis team recently observed an interesting attack development related to a known vulnerability type. This seemingly new technique allows attackers to execute a malicious payload immediately on a victim's system, where in the past they weren't able to achieve instant code execution by exploiting such vulnerabilities.

Public examples of this new attack typically employ file-overwrite and file-download vulnerabilities in ActiveX controls to download a malicious file onto the target machine. In the past, attackers were able to download files without much difficulty, but until recently the options for attackers seeking to have malicious programs executed on a victim's system were limited. In order to execute a malicious file on an affected computer, attackers generally needed to place the file in one of the load points such as the "Startup" directory in Microsoft Windows, or use social-engineering or other attacks to have the file executed...