Security Response
Showing posts tagged with Vulnerabilities & Exploits
Eric Chien | 02 Feb 2009 21:52:21 GMT | 0 comments

If you were searching the Internet for videos of the American Idol TV show, you might have received a bigger dose of reality than you were expecting. Unfortunately, one of the more popular video link aggregators was hosting infected advertisements on their site. 

Advertising networks are a popular distribution platform for malicious code authors seeking widespread distribution of their malware. The attackers supply the ad network with a URL that is supposed to point to their advertisement; instead of only displaying an ad, it redirects users to a rogue website. In this case, the advertisement was redirecting Web browsers to a PDF file that exploited the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability to install a malicious executable on the browser’s host system. (Please note that this vulnerability is resolved in Adobe...

Robert Keith | 13 Jan 2009 19:31:45 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a light month—the vendor is releasing only one bulletin covering a total of three vulnerabilities affecting Server Message Block (SMB).

Of those issues, two are “Critical” server-side, remotely exploitable code-execution vulnerabilities. These are rather serious issues that may allow remote attackers to completely compromise a vulnerable computer. Given the nature of these issues, developing viable exploits to execute code may prove difficult, but denial-of-service attacks will likely be trivial. The remaining issue, rated “Moderate”, is a remote denial-of-service vulnerability.

As always, customers are advised to follow these security best practices:

-Install vendor patches as soon as they are available.
-Block external access at the network perimeter to specific sites and computers only.
-Run all software with the least privileges...

Security Intel Analysis Team | 31 Dec 2008 00:07:48 GMT | 0 comments

This has been an interesting year for high-profile vulnerabilities and security research. In 2008, awareness was raised about a number of high-impact, remote code-execution vulnerabilities affecting both server- and client-side applications. Published attacks targeted important protocols used by critical Internet infrastructure. A number of flaws in cryptographic implementations were also made public. In addition to the aforementioned issues, new exploitation techniques were demonstrated that emphasized the growing trend toward application-specific attacks targeting Web technologies.

Let's begin with a few high-profile memory-corruption flaws on the Microsoft Windows front. The year started with a bang: MS08-001, a remotely exploitable memory-corruption vulnerability affecting the Microsoft Windows kernel. Then, in October, we saw in-the-wild exploitation of a previously undisclosed RPC vulnerability affecting...

Peter Coogan | 15 Dec 2008 19:08:45 GMT | 0 comments

Since our blog post "Yes, There’s a Zero-Day Exploit for Internet Explorer Out There" was published in relation to the now-known Microsoft Security Advisory (961051) for IE, we have been closely monitoring the uptake of this vulnerability. Symantec provides the antivirus signature Bloodhound.Exploit.219 and the IPS signature 23241 (HTTP MSIE Malformed XML BO) to protect users against this exploit. To date, since the release of our antivirus signature for this vulnerability, we have observed over 33,000 hits on...

Security Intel Analysis Team | 13 Dec 2008 00:02:41 GMT | 0 comments

Hello, this is Anthony from the Symantec Intelligence Analysis Team. Earlier this week we had the opportunity to analyze an interesting shellcode that is associated with the initial malicious exploit attempts against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability (BID 32721). Currently this vulnerability is not patched and there are several public exploits available to leverage the issue. The vulnerability exists due to a flaw in how Internet Explorer handles XML data bindings. Specially crafted XML can lead to object corruption and code execution. I am not going to go into describing the vulnerability in detail because this has already been done well elsewhere. However, I think that the shellcode is unique enough to warrant some...

Elia Florio | 10 Dec 2008 17:47:52 GMT | 0 comments

A new and previously unknown vulnerability affecting the Microsoft Internet Explorer 7 browser has been reported, just at the start of the Microsoft “Patch Tuesday” cycle for the month of December. Bad luck, or an intentional strategy by the attackers? It’s not clear at the moment, but the reality is that users around the world started to download and patch their systems just yesterday, while at the same time a new and dangerous exploit surfaced on the Web, trying to infect computers in China and other parts of Asia.

We ran some tests and confirmed that the new vulnerability is, unfortunately, not fixed by the current set of patches released yesterday. The attack is indeed new and it works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches. Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit,...

Robert Keith | 09 Dec 2008 21:44:25 GMT | 0 comments

Hello and welcome to this month's blog on the Microsoft patch releases. As far as vulnerability counts go, this is the largest patch release since Microsoft started the "Patch Tuesday" program back in late 2003. The release contains eight bulletins covering 28 vulnerabilities.

Of those issues, 23 are rated "Critical" and affect Word, Outlook, Internet Explorer, Visual Basic ActiveX controls, GDI, Windows Search, and Excel. All of the "Critical" issues this month require some sort of user interaction, whether visiting a Web page that contains malicious content or viewing a malicious file. The remaining issues affect GDI, Windows Search, SharePoint, and Windows Explorer; they range in importance from "Important" to "Moderate."

As always, customers are advised to follow security best practices, including:

-Install vendor patches as soon as they are available
-Block external access at the network perimeter to...

Security Intel Analysis Team | 22 Nov 2008 18:13:04 GMT | 0 comments

Microsoft Security bulletin MS08-067 was an out-of-band security update that was released on October 23, 2008, to address a critical remotely exploitable vulnerability that was being exploited in the wild. The Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability that was addressed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately the issue can be exploited by a remote attacker to install malicious applications on a target computer without the victim’s knowledge.

Microsoft released a detailed matrix describing the risk that this vulnerability presents to different versions of Microsoft Windows. When reading this matrix it becomes clear that this issue is exploitable by an unauthenticated...

Robert Keith | 11 Nov 2008 19:25:23 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a light month, with two bulletins covering four vulnerabilities.

The only “Critical” issue this month is a previously public remote code-execution vulnerability (BID 21872) in Microsoft XML Core Services. The remaining three issues are rated “Important” and include two information-disclosure issues affecting XML Core Services and a remote code-execution issue in Server Message Block (SMB).

As always, customers are advised to follow these security best practices:

-Block external access at the network perimeter to specific sites and computers only.
-Avoid sites of questionable or unknown integrity.
-Never open files from unknown or questionable sources.
-Run all software with the least privileges required while still maintaining functionality.

Microsoft’s summary of the November releases can be found here:
...

Sean Hittel | 07 Nov 2008 23:16:59 GMT | 0 comments

It appears that last night, an exploit for the Acrobat util.printf() vulnerability was added to a well-known Web attack toolkit. The attack exists as a compressed PDF. Once decompressed, the exploit turns out to be encoded with a simple eval() plus string-concatenation block, so that the actual exploit source only exists at run time:

--
function main() {
    eval(unescape(""+"%"+"76%61%"+"72%20%7"+
    ..
    this.closeDoc(true);
}

app.setTimeOut("main()", 5000);
--

 
This decodes into an exploit for the util.printf() vulnerability:
---
var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+ ...);
...
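The two fragments above use the same trick twice: a string is broken into concatenated pieces so that a scanner never sees the suspicious text, and unescape() reassembles it at run time, once as JavaScript source for eval() and once as %u-encoded shellcode. The decoder below is an added example written for this page; it is not code from the original post or from the attack toolkit. It folds the concatenation and decodes the escapes statically, without calling eval() or unescape(), and lays the second stage out as the bytes the engine would place in memory. The two sample inputs are constructed from the truncated fragments quoted above, and the GETPC_STUB constant is the well-known jmp/call/pop sequence that the first ten decoded bytes happen to match.

```javascript
// Added example, not code from the original post or the attack kit:
// a static decoder for eval(unescape(""+"%"+...)) source text (stage 1)
// and for %uXXXX-encoded shellcode (stage 2). Nothing here is executed;
// the concatenation is folded and the escapes are decoded by hand.

// Fold a concatenation of double-quoted literals, e.g.
//   ""+"%"+"76%61%"+"72%20%7"
// into the single string it evaluates to. Backslash escapes inside the
// literals are kept verbatim (the samples on this page contain none), and
// anything other than literals joined by '+' is rejected rather than guessed at.
function joinLiteralConcat(expr) {
  const literal = /^"((?:[^"\\]|\\.)*)"/;
  let rest = expr.trim();
  let out = "";
  for (;;) {
    const m = literal.exec(rest);
    if (!m) throw new Error("expected a string literal near: " + rest.slice(0, 24));
    out += m[1];
    rest = rest.slice(m[0].length).trim();
    if (rest === "") return out;
    if (rest[0] !== "+") throw new Error("expected '+' near: " + rest.slice(0, 24));
    rest = rest.slice(1).trim();
  }
}

// Re-implementation of JavaScript's unescape(): %uXXXX becomes one UTF-16
// code unit, %XX one code unit below 0x100, and malformed or truncated
// sequences are copied through unchanged, exactly as the real unescape does.
function staticUnescape(s) {
  const hex4 = /^[0-9a-fA-F]{4}$/;
  const hex2 = /^[0-9a-fA-F]{2}$/;
  let out = "";
  for (let i = 0; i < s.length; ) {
    if (s[i] === "%" && s[i + 1] === "u" && hex4.test(s.slice(i + 2, i + 6))) {
      out += String.fromCharCode(parseInt(s.slice(i + 2, i + 6), 16));
      i += 6;
    } else if (s[i] === "%" && hex2.test(s.slice(i + 1, i + 3))) {
      out += String.fromCharCode(parseInt(s.slice(i + 1, i + 3), 16));
      i += 3;
    } else {
      out += s[i];
      i += 1;
    }
  }
  return out;
}

// Lay a decoded string out the way the engine stores it: one UTF-16 code
// unit per two bytes, little-endian. %u03eb therefore yields the bytes
// eb 03, which is why %u-encoded shellcode reads "byte-swapped" on the page.
function toLittleEndianBytes(s) {
  const bytes = [];
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    bytes.push(cu & 0xff, cu >> 8);
  }
  return bytes;
}

function hex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join("");
}

// eb 03 / 59 / eb 05 / e8 f8 ff ff ff disassembles to
//   jmp short +3 ; pop ecx ; jmp short +5 ; call -8
// the classic jmp/call/pop GetPC stub that self-decoding shellcode opens with.
const GETPC_STUB = "eb0359eb05e8f8ffffff";
function startsWithGetPcStub(bytes) {
  return hex(bytes.slice(0, 10)) === GETPC_STUB;
}

// Constructed sample input: the two fragments exactly as quoted above,
// cut off where the post cuts them off.
const STAGE1_EXPR = '""+"%"+"76%61%"+"72%20%7"';
const STAGE2_EXPR = '""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"';

function decodeStage1(expr) {
  return staticUnescape(joinLiteralConcat(expr));
}

function decodeStage2(expr) {
  return toLittleEndianBytes(staticUnescape(joinLiteralConcat(expr)));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("stage 1 source begins:", JSON.stringify(decodeStage1(STAGE1_EXPR)));
  const sc = decodeStage2(STAGE2_EXPR);
  console.log("stage 2 bytes:", hex(sc));
  console.log("GetPC stub at offset 0:", startsWithGetPcStub(sc));
}
```

Run stand-alone, the first stage decodes to "var " followed by the truncated "%7", confirming that the eval() payload is ordinary JavaScript source, and the second stage begins eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49: the GetPC stub followed by the 0x49 ("I") filler typical of an alphanumeric encoder. Folding the concatenation yourself rather than letting the engine do it is the point: the same decoder works on a dumped PDF stream where running the script is not an option.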