Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
New Vulnerability Found in Citrix Presentation Server Client for Windows
Juniper Security Research | 01 Mar 2007 08:00:00 GMT | 0 comments

This is the first guest blog post from the Juniper Security ResearchLab. We wish to thank our partners at Symantec for allowing us to usethis forum and further show the value in our partnership that was announced last September.

Today marks the first vendor-acknowledged vulnerability that wasfound by a Juniper Security Researcher. The vulnerability was found byKarl Lynn and is a Buffer Overflow in the Citrix Presentation ServerClient for Windows. If successfully exploited, this vulnerability canallow for remote code execution. When exploited, the malicious codewill run in the context of the logged-in user.

We will not be releasing a separate advisory from the vendor releaseand we do strongly recommend that those using this software install thepatch from Citrix. Users of our IDP can rest assure that they areprotected against this vulnerability with our latest signature...

Read more
Where Are All the L4m3rs?
Liam O Murchu | 23 Feb 2007 08:00:00 GMT | 0 comments

Mirror, mirror on the wall, who is the lamest of them all? Theattacker behind this scheme hopes to find out where all the l4m3rs are(his words not mine). In a classic social engineering attack, customershave been reporting that they have received an unusual piece of spamrecently.

The mail is supposedly from a hosting or collocation company and says something along the lines of this:

Dear COMPANYNAME Inc. Valued Members,

Regarding our new security regulations, as a part of our yearlymaintenance we have provided a security guard script in the attachment.

So, to secure your Web sites, please use the attached file and (forUNIX/Linux Based servers) upload the file "guard.php" in:"./public_html"
or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.
[instructionsincluded]
Thank you for using our services and products. We look forward to providing you with a unique and high quality...

Read more
Apple's Post-Valentine's Day Security Updates
TWoodward | 22 Feb 2007 08:00:00 GMT | 0 comments

While Microsoft has chosen a scheduled update approach, Apple Inc.releases updates on an "as-needed" basis. While each approach isarguably valid, during Apple's World Wide Developer Conference lastyear, Bud Tribble, VP of Software Technology at Apple addressed whyApple decided on its approach: "There is some controversy in IT shopsasking 'Wouldn’t it be easier if [Apple] could have their securityupdates scheduled on a monthly basis?' We think it’s better to getthose security updates out as soon as we can get them out and not waitfor the next month to roll around."

First out of the gate is "Security Update 2007-002" containing four patches against vulnerabilities discovered during the "Month of Apple Bugs" campaign. (See Aaron Adams' "...

Read more
x86 Fetch-Decode Anomalies
Peter Ferrie | 19 Feb 2007 08:00:00 GMT | 0 comments

A colleague of mine came to see me one morning recently with anunusual result. For reasons that he didn't explain to me (he called it"a secret project"), he had intentionally placed a particular encodingof an invalid instruction near the end of a valid page, next to anunallocated page, then executed that instruction. However, instead ofseeing the expected invalid opcode exception, he was seeing a pagefault. Initially, I thought that it was related to the unexpected LOCKexception bug in Windows that I documented here, but it turned out to be something else entirely.

It turns out that the CPU performs a complete fetch, includingparsing the ModR/M byte, prior to performing any kind of decoding.Thus, because of the instruction encoding that he had used, the CPU wasattempting to retrieve all of the necessary bytes first,before it knew that the...

Read more
Code Reuse Good, SQL-Injection Reuse Bad
Debbie Mazurek | 19 Feb 2007 08:00:00 GMT | 0 comments

One of the most common practices insoftware development is code reuse. Developers use the strategy to savetime and money by reducing redundant tasks and the theory is put intopractice in several popular content management systems available tousers who want to create their own Web presence.

The CMS, or content management system, is a framework that can beused by both experienced and novice developers to produce Web sites forcountless purpose. From blog sites (like this one) to e-commerce sites,for Fortune 500 companies to private individuals, a CMS can makedeveloping content for the Web a whole lot easier.

Many of the popular CMS varieties employ a modular approach thatmakes it easy to construct your own add-ons to suit any purpose you'dlike - searching, FAQ building, file uploading, news posting - the listis exhaustive. In fact, the odds are good that someone else has alreadymade the add-on you seek: they figured out code reuse.

Joomla! and...

Read more
Computer, Initiate Self-Destruct Sequence!
James O'Connor | 16 Feb 2007 08:00:00 GMT | 0 comments

There has been much talk recently about thelaunch of Windows Vista, and one feature in particular: SpeechRecognition. Speech Recognition allows the user to dictate arbitrarytext to the computer (a letter for example) using speech instead of thekeyboard. It also allows the user to carry out normal computing tasksvia a choice of pre-defined commands. There are commands such as"delete that," "press escape key," and "what can I say?" This last oneshows the user what kinds of command they can use in the currentsituation. If Speech Recognition is running, but sleeping, the usersays "start listening" to activate it.

It has been suggested that Speech Recognition could be subverted fornefarious purposes using malicious audio clips. The scenario would beas follows:

• The user is browsing the Web, with Speech Recognition enabled.
• They visit a Web site, with a background audio clip that plays as soon as the site is opened.
• The audio clip contains...

Read more
Microsoft Patch Tuesday: February 2007
Ben Greenbaum | 13 Feb 2007 08:00:00 GMT | 0 comments

Anybody remember when RTF files were just innocent little things?They were like the big brother of the .txt file, or .txt v2, if youwill. Just characters on a screen, but some of them might be differentfonts or colors or sizes – maybe the occasional clipart. Who would haveguessed they are apparently the most hostile files on the Internet thismonth? "When RTFs Go Bad!…" Okay, perhaps I’m exaggerating, but thismonth Microsoft is patching no less than three vulnerabilities, inseparate applications, that can be exploited via malicious RTF filesthat contain OLE objects.

Several of this month’s patches address issues that have beenexploited already in limited-distribution, targeted attacks. Thecombination of target-specific social engineering and privately heldvulnerability information is becoming more and more widely adopted byattackers with political and industrial motivations. While the "newbreed" of cybercriminals wants to cast as wide a net as possible, wecannot forget that...

Read more
Month of Apple Bugs Overview
Aaron Adams | 08 Feb 2007 08:00:00 GMT | 0 comments

The month of January is already over and, accordingly, so is the Month of Apple Bugs(MoAB). As promised, one advisory was released every day of the month,in some cases addressing numerous vulnerabilities in an application.Unlike the Month of Browser Bugs and Month of Kernel Bugs, this time we saw the interesting twist of a parallel group starting a Month of Apple Fixes.This group was responsible for the release of unofficial run-timepatches for the majority of the issues disclosed, with the exception ofthose affecting the kernel.

The classes of vulnerabilities discovered during the MoAB coveredpretty much the whole gamut, including stack and...

Read more
Latest Office Zero-Day Vulnerability
Amado Hidalgo | 07 Feb 2007 08:00:00 GMT | 0 comments

Last week, Microsoft published Security Advisory 932553to warn Windows users of a new vulnerability in Microsoft Office.Security Response has analysed a sample of a malicious Microsoft Excelfile that appears to be exploiting the vulnerability that is hinted atin that Advisory. Fully patched versions of Office 2000, XP, and 2003appear to be vulnerable to this exploit.

Upon opening the malicious Microsoft Excel document, which Symantec now detects as Trojan.Mdropper.Y, it drops a Trojan horse program by using the exploit referenced by CVE-2007-0671 (BID 22383).It proceeds to drop a back door Trojan onto the compromised computer.It then attempts to contact a remote...

Read more
Watch the Exploit: A Targeted Attack Video
Elia Florio | 31 Jan 2007 08:00:00 GMT | 0 comments

We've been getting a lot of requests from people asking what it looks like when your computer is compromised by one of these very limited targeted attacksthat involves any of the recent MS Word zero-day vulnerabilities. Atargeted attack begins with an incoming email that has a .DOC fileattached; a very common event that happens to almost everyone everyday. The email sender looks legitimate (it's spoofed of course!) andthe document name is selected to appeal to the recipient. For example,if the targeted user is an accountant, then the document would looklike a tax certificate or an invoice. For members of governments, itcould appear to be an important communication from a Minister. Forfinance brokers, a stocks analysis and so on...

Targeted attacks are not intended for the masses, so we're nevergoing to see the usual "Very exciting greeting postcard.exe" attachedto those emails. But the big question is: what happens when someoneopens...

Read more