Security Response
Elia Florio | 16 Oct 2007 07:00:00 GMT | 0 comments

During the weekend I found an interesting sample exploiting a possibly new and undocumented vulnerability for Windows XP and 2003. The exploit is a local privilege escalation that allows users with a restricted account to gain a SYSTEM shell with higher privileges. In my tests the exploit seems to work successfully against a fully patched Windows XP-SP2 and also Windows 2003-SP1. At this time, Vista does not seem to be affected by the problem.


We notified Microsoft and they were already aware of this specific issue. The mitigating factor is that the attacker has to be logged onto or have access to the compromised computer with a valid account, since the exploit only works locally. Home...

Orla Cox | 10 Oct 2007 07:00:00 GMT | 0 comments

Today we had an interesting sample shared with us. It was a Microsoft Word document which, when opened, was simply crashing Word. We tried using various combinations of Word versions, patches and languages, and in each case (with the exception of Office 2007) opening the document would cause Word to crash. After taking a closer look, we could see that the document contained shell code and three other pieces of malware. What was interesting about the document was that it wasn't in OLE format, meaning that it wasn't a standard Microsoft Office document.

After some investigation we determined that the document had actually been created using Word for Macintosh. Here you can see the difference between the header in an OLE (Windows) format document compared to that of a Mac format document:


Robert Keith | 09 Oct 2007 07:00:00 GMT | 0 comments

Hello, and welcome once again to the monthly Microsoft patch roundup. This month’s release is relatively light, with six bulletins available addressing a total of nine vulnerabilities.

1. Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (KB923810)

CVE-2007-2217, BID 25909
Microsoft Windows Kodak Image Viewer Remote Code Execution Vulnerability
(MS Rating: Critical; Symantec Urgency Rating: 7)

This is a client-side, remote code execution vulnerability in the Kodak Image Viewer when viewing specially crafted image files. An attacker can exploit this issue to execute arbitrary code in the context of the victim running the affected application. A victim would need to view a malicious image to trigger this vulnerability.

Windows XP and Windows 2003 installations are only vulnerable if they were upgraded from Windows 2000.

Affected Products:
Windows 2000 Server SP4; Windows XP SP2; and Windows Server...

Patrick Fitzgerald | 03 Oct 2007 07:00:00 GMT | 0 comments

Wireless Equivalency Protocol (WEP) has been one of the hottest topics in Irish news over the last few days. One of the leading providers of DSL in Ireland has supplied users with wireless routers protected using WEP. What made this newsworthy is that it has emerged that the WEP keys used to encrypt the network traffic and to control access to a private network were generated using the Service Set Identifier (SSID). The algorithm used to generate the encryption keys has been analyzed and a tool is freely available which allows anyone within range of the router to trespass on a wireless network that has been secured using the default settings.

The DSL provider and media reports are advising customers that if they change their WEP keys, they will be safe from any trespassers or malicious attackers trying to get onto their network. While it is true that changing the default WEP settings will mitigate this particular attack, it will not make your wireless network secure.

WEP is a flawed...

Aaron Adams | 25 Sep 2007 07:00:00 GMT | 0 comments

As little as three years ago, the concept of remote kernel exploitation remained arcane for most people in the security industry and was believed in some circles to be practically impossible, mostly due to reliability issues. However, things in the security realm change quickly. Reliable exploit techniques come and go, new security mechanisms are introduced, and arcane exploitation concepts are revisited. Sometimes an exploitation concept that was once brushed off as too unreliable is reconsidered, bringing it again into focus as a useful and feasible attack vector.

Kernel vulnerabilities themselves are nothing new, of course. The exploitation of local kernel flaws has been a popular pastime for many researchers and hackers over the years, and in many cases these flaws were shown to be exploited just as reliably as a local flaw in userland software. However, being local to the system has its advantages; the level of interactivity with the system and the data that is available make for...

David McKinney | 19 Sep 2007 07:00:00 GMT | 0 comments

Volume XII of the Internet Security Threat Report (ISTR) is now out. In this report, we discuss how attackers have been using trusted Web sites as a means of reaching their victims. This trend is, in part, facilitated by something that we call “site-specific vulnerabilities”, which are vulnerabilities that are limited to a particular Web site or service. These vulnerabilities are typically present in the proprietary Web-based applications that drive the services provided by the site.

What initially tipped us off to the increasing prevalence of site-specific vulnerabilities was actually a drop in the proportion of Web application vulnerabilities. In this report, we observed that 61 percent of vulnerabilities affected Web applications, which is a drop from the 66 percent in the previous report. (Our discussion of Web application vulnerabilities includes only those Web applications...

Chen Yu | 13 Sep 2007 07:00:00 GMT | 0 comments

It has recently been discovered that BaoFeng Storm, a movie player written in Chinese and widely used in Chinese-speaking countries, contains multiple buffer-overflow vulnerabilities, some of which are being actively exploited. The vulnerabilities are related to the ActiveX control used by the software, and a vulnerable computer simply needs to browse a Web site which contains exploit code to be compromised. Successful exploitation then allows remote execution of arbitrary code in the context of the application using the ActiveX control (in this case Internet Explorer) and allows the attacker to take full control of the compromised computer. Failed exploit attempts may lead to denial-of-service conditions, possibly resulting in the browser crashing.

The vulnerabilities have been confirmed in version and beta version, although other versions may also be affected, and at the time of this writing the vulnerabilities remain unpatched. SecurityFocus have also...

Ben Greenbaum | 11 Sep 2007 07:00:00 GMT | 0 comments

Hello, and welcome to this month’s blog on the Microsoft patch releases. September is a light month, with only 4 releases, each resolving one issue.

Which is the most critical of these vulnerabilities? Well, it depends on who you ask. Microsoft lists the issue in the Agent ActiveX control as the only ‘Critical’ update this month; however, our calculations have resulted in a higher urgency rating for the MSN / Live Messenger issue. Both vulnerabilities grant a remote attacker the ability to run arbitrary code on the target machine if the target user performs a specific action (clicks on a link or accepts an incoming message). Microsoft may have rated the ActiveX issue higher because a non-vulnerable upgrade to Messenger has been available for some time. However, we rate the issue in MSN Messenger/Live Messenger higher, due to the availability of public proof-of-concept code known to work on at least one platform. From the perspective of an affected user, the knowledge that they could have...

Ollie Whitehouse | 27 Aug 2007 07:00:00 GMT | 0 comments

Recently I bought a NAS (Network Attached Storage) solution for home to manage backups for the ever increasing number of storage devices we all seem to be accumulating. I did as most people would and selected a consumer solution from a well-known brand. The brand name on the box, as is not unusual in this day and age, was not the actual developer of the underlying reference design. Instead the system was developed by a third-party, including the controller and remote management software, which was subsequently modified to support some proprietary LEDs and gave the company license to slap their logo on it by the name on the box.

Anyway, this solution was built using GPL software components (Linux, Lighttpd and Perl among others); the vendor and original OEM abided by this license and released all the code on their site (including configurations). I did some digging around and was somewhat dismayed to discover that this product had a number of significant security issues. These...

Shunichi Imano | 18 Aug 2007 07:00:00 GMT | 0 comments

We have in the past repeatedly warned that free things on the internet do not always come cost free. And today, we have to make a kind reminder as we came across a new example.

Security Response received a file with a .tgz file extension, which exploits a new unknown vulnerability in a free Japanese decompress tool "Lhaz v1.33". The file is detected as Trojan.Lazdropper.

After a successful exploit attempt, Trojan.Lazdropper drops two files, both detected as Backdoor.Trojan, onto the infected computer. As Backdoor.Trojan opens a back door to communicate with the author for further actions, it is obvious that the purpose behind...