Security Response
Showing posts tagged with Vulnerabilities & Exploits
Elia Florio | 18 Jun 2007 07:00:00 GMT | 0 comments

When SkyLined released in 2004 one of the first proof-of-concept exploits introducing the “Heap Spraying” technique, he commented [1] his code in this way:

“The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.”

Well, it was not the most efficient thing in the world, but it has been proven to work so well that it actually is the most copied-and-pasted piece of code used to exploit many of the Internet Explorer vulnerabilities discovered since 2004.
So, I was surprised to come across an exploit in the wild that uses a different heap manipulation technique. The malicious code was hosted on a Russian domain (hxxp://crun[REMOVED].info) and was part of one of the typical web attacker toolkits developed by Eastern European gangs. The code exploited...

Eric Chien | 15 Jun 2007 07:00:00 GMT | 0 comments

Just hours after Apple released Safari for Windows and I wrote about the potential for associated exploits, multiple exploits have been released. This currently includes:

Apple Safari for Windows Protocol Handler Command Injection Vulnerability (BID 24434)
Apple Safari for Windows Unspecified Denial of Service Vulnerability (BID 24431)
Apple Safari for Windows Unspecified Remote Code Execution and Denial of Service Vulnerabilities (BID 24433)

Details on the first one have already been released publicly and the other two have been reportedly disclosed to Apple. We have not...

Elia Florio | 15 Jun 2007 07:00:00 GMT | 0 comments

We verified a report of a large-scale web attack ongoing in Italy at the moment. The attack is similar to what we described in our previous blog; it just uses a new, different final domain which runs the hostile exploits of Mpack 0.86 kit.



The gang behind the attack had successfully compromised the homepages of hundreds of legitimate Italian websites. We checked many of them and we verified that they now include a malicious IFRAME (detected as Trojan.Mpkit!html) which redirects to the same bad IP address. The list of compromised sites is huge and from Mpack statistics this attack is working efficiently (the...

Greg Ahmad | 13 Jun 2007 07:00:00 GMT | 0 comments

On April 27, 2007, various Internet resources from the Republic of Estonia came under a series of DDOS or distributed denial of service attacks. According to claims by Estonian government officials and media, the attacks originated in Russia and followed a dispute between the government and ethnic Russians over the relocation of a Soviet war memorial from the Estonian capital of Tallinn. The attacks targeted websites belonging to government ministries, banks, media, political parties and businesses.

Though DDOS attacks against various networks have taken place on numerous occasions in the past, the particularly interesting aspect of these attacks was that they appear to be...

Ben Greenbaum | 12 Jun 2007 07:00:00 GMT | 0 comments

Hello again... this month's update contains 6 advisories with a total of 15 patched vulnerabilities. Major apps for this month were once again IE and Outlook/Windows Mail, coming in with 6 and 4 patched vulnerabilities respectively. This month we also see updates for file-based attack vectors against Visio, remotely exploitable vulnerabilities in both a dev library and a security package patched, and a fairly low profile information disclosure vulnerability in Vista dealt with.
As usual details are given below in order of descending urgency. Happy patching, and we'll be back for another round next month...

MS07-034; KB929123
Cumulative Security Update for Outlook Express and Windows Mail

This release addresses four issues in Windows Mail (Vista) and Outlook...

Yazan Gable | 08 Jun 2007 07:00:00 GMT | 0 comments

A couple of extremely critical vulnerabilities were discovered and disclosed in Yahoo! Messenger two days ago, on June 6th. Late last night and early this morning, exploits were released to take advantage of these issues. At the time of the release, Yahoo had not yet patched the issues, so Yahoo! Messenger users were at significant risk of being attacked.

The two vulnerabilities are both buffer overflows in the ActiveX control that handles Yahoo’s Webcam functionality [1][2]. Due to the exploits being released publicly, anyone can carry out an attack by persuading a user into following a link to a malicious file.

Fortunately, Yahoo has released an update to their Yahoo! Messenger product to resolve this issue. The latest version of the software, version 8.1, is reportedly not vulnerable. Users should update as soon as possible to reduce their exposure to potential attacks.

[1] http://www....

Hon Lau | 27 May 2007 07:00:00 GMT | 0 comments

A nasty piece of malware was sent our way this weekend that we are detecting as Trojan.Mpkit!html and Downloader. This malware is yet another malware distribution and attack kit in the same vein as other kits, such as WebAttacker. This kit, called MPack, is a professionally written collection of PHP software components designed to be hosted and run from a PHP server with a database backend. It is sold by a Russian gang and comes ready to install on a PHP server, and it also comes complete with a collection of exploit modules to be used out of the box.


How it infects computers

Once the server is installed and running, all the owner has to do is to start generating some web browser traffic to it. They can do this by various...

Ron Bowes | 25 May 2007 07:00:00 GMT | 0 comments

The Internet is home to billions of computers, all of which perform the jobs they have been programmed to do. Each of these computers has a hard drive and RAM. It’s a rare case that either is completely full. A billion computers, each with a couple spare megabytes, works out to a few terabytes in a very conservative estimate.

There are several ways that this space can be harnessed to varying degrees, depending on what the ultimate goal of an attacker is. A tiny bit of RAM on a large number of computers can be used to store secret data that an attacker wants to hide, while a lot of information can be stored on some servers at the risk of being found and removed. Harnessing this space is often referred to as "parasitic storage."

One parasitic storage technique, called "juggling," can be used for extremely sensitive or illegal information. The goal for the attacker is to ensure that the complete body of information is never on their computer all at once, but that part of it is...

Liam O Murchu | 08 May 2007 07:00:00 GMT | 0 comments

No, I’m not talking about typing 53704 into your calculator and turning it upside down! I’m referring to the increasing popularity of inserting links to exploits into legitimate HTML pages in an attempt to infect users who visit the affected page, multiplying the effectiveness of the original infection. I’ll outline below the steps used in one such attack that we recently received in our lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalca use similar techniques to the ones discussed here to automatically infect asp, aspx, htm, html, php and jsp files residing on the infected machine in order to spread themselves further. Infostealer.Lingling was also distributed...

Ben Greenbaum | 08 May 2007 07:00:00 GMT | 0 comments

May proves to be a busy month for Windows administrators as we received information on no less than 21 vulnerabilities being addressed in this month's 7 patches. If you happen to be responsible for any DNS servers running on Server 2000, 2003 Server or SBS, you will most likely want to skip to the last one and work your way up. For the rest of us, we'll start with the IE issues and continue from there:

MS07-027; 931768 Cumulative Security Update for Internet Explorer
This is the seemingly monthly cumulative patch for IE issues. Six distinct issues are addressed in IE this month, as well as two issues in third-party ActiveX controls. Note that these two are only mentioned as footnotes in the advisory and therefore do not have their own Urgency Ratings from Microsoft...