Security Response
Showing posts tagged with Vulnerabilities & Exploits
Nicolas Falliere | 27 Apr 2007 07:00:00 GMT | 0 comments

A few days ago, we received yet another submission containing a strange Animated Cursor file. This vulnerability made quite some noise, and though we thought it was handled by now, this file was definitely not the usual ANI exploit…

An ANI file follows the RIFF standard, with a few exceptions. It is a collection of data chunks, all having the same format of "header | size | data". Therefore, spotting malicious files attempting to exploit the vulnerability should be easy. But is it? For the human eye, it is. For a heuristic detection, in spite of what was said before, it is not. Despite the supposedly easy structure of the Animated Cursor file, Microsoft’s implementation of its parser is quite loose.

First, invalid chunks will get properly parsed. Though not affecting the ANI file itself, such chunks should not be encountered in cursor files, but the ANI parser just allows and skips them. Fair enough, our detections can handle that as well. Attackers, after a few days of ‘...

Peter Ferrie | 17 Apr 2007 07:00:00 GMT | 0 comments

A few days ago, a post to a vulnerability discussion mailing list included a demonstration of a heap corruption in Windows .hlp files' "bm" section. .hlp files are WinHelp-format Help files, a primitive version of .chm, or Compiled Help Module-format help files. The "bm" section, or the Bitmap-format graphics section, is the part of the .hlp file that contains graphics (icons, pictures, etc.). The poster had discovered the vulnerability by using a fuzzer to insert random data into the file. However, it seems that he did not understand why this vulnerability works.

After digging into the issue, it appeared to me that the file targets the same vulnerability that was last attacked in December of 2004, the WinHelp Phrase Heap Overflow. However, after a careful review, I realized that this...

Shunichi Imano | 16 Apr 2007 07:00:00 GMT | 0 comments

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

UPDATE
We have seen an increase in activity over TCP port 1025 as a result of W32.Rinbot.BC scanning the port in search of vulnerable computers. W32.Rinbot.BC is the first worm that exploits the Microsoft DNS vulnerability and the exploit code was only made public a few days ago. If you have not done so already, Symantec suggests that you block TCP port 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code...

Vikram Thakur | 14 Apr 2007 07:00:00 GMT | 0 comments

Right at the heel of Microsoft releasing its slew of patches, another vulnerability has been released. Microsoft didn't delay getting into action, releasing an advisory for it almost immediately. This time, the vulnerability lies within the Domain Name System (DNS) Server Service affecting the server line of Microsoft's operating systems. The vulnerability allows the attacker to run code remotely in the security context of DNS Server Service, which by default is SYSTEM.

Symantec Security Response have analyzed a sample of the proof-of-concept code and have released Bloodhound.Exploit.136 signatures to detect threats that utilize this vulnerability. This detection is...

Hon Lau | 12 Apr 2007 07:00:00 GMT | 0 comments

Just in time to coincide with Microsoft Tuesday Patches, another new vulnerability is released to the world. This time the vulnerability was found in Windows Help (.hlp) files. This flaw enables an attacker to make use of a heap overflow in order to achieve arbitrary code execution.

Symantec Security Response have analyzed a sample of the proof-of-concept code and have released the Bloodhound.Exploit.135 detection to proactively detect potential threats that utilize the vulnerability.

At this point we have not seen this vulnerability actively exploited in the wild, but since there is no vendor-supplied patch available, we would urge that users continue to remain vigilant, keep your security products up to date, follow safe computing guidelines and...

David McKinney | 10 Apr 2007 07:00:00 GMT | 0 comments

Microsoft Patch Tuesday: April 2007

April was unique for Microsoft because it consisted of two Microsoft Tuesdays. Last week, we saw the release of patches for the .ANI zero-day vulnerability. This patch was consistent with Microsoft’s policy of releasing out-of-band security patches (in other words, patches on days other than patch Tuesday) for vulnerabilities that are experiencing widespread exploitation in the wild. From my experience, if the issue is significant enough to merit third-party patches from Determina, ZERT, etc., then in all likelihood Microsoft will do an out-of-band security patch release for the vulnerability.

Today Microsoft released an additional five security bulletins. Four of the bulletins affect Microsoft Windows and one affects Microsoft Content Management Server.

• MS07-018 Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (KB925939)

This bulletin addresses two...

Joji Hamada | 07 Apr 2007 07:00:00 GMT | 0 comments

In Japan, April is the first month of the fiscal year and is also the time of year when large numbers of high school and college graduates join the workforce. These new hires usually go through intense training in the first few months at their respective companies before being assigned to their new posts. Well, these companies had better plan to quickly take them through a crash course on security in addition to the normal training, because there is a new targeted attack that takes advantage of a zero-day vulnerability in Justsystem's Ichitaro, the word processing program most widely used in Japan.

The attack – a specially crafted Justsystem Ichitaro document employing the zero-day exploit, which Symantec detects as Trojan.Tarodrop.C, allows a Trojan horse to be dropped onto the target computer. The dropped Trojan horse then takes over and drops a downloader Trojan...

Symantec Security Response | 06 Apr 2007 07:00:00 GMT | 0 comments

In 2006, Web security expert Jeremiah Grossman came up with an interesting attack that can be used to read the history of visitors to a Web page using only a simple piece of JavaScript. In February 2007, RSnake came up with a modification of this attack that does not need JavaScript or any other scripting language. This is a rediscovery of an attack discovered by Andrew Clover in 2002.

In the original proof of concept, a Web site was set up with a script that lists the sites that the user had visited. This was done by creating a set of links and looking up the color attribute of the link text. If the link was visited, it was rendered in a different color than if the page was not visited. The script goes through each of the links, checks the colors and reports back to the owner of the site.

In the new version of this attack, Cascading Style Sheets (CSS) are used to achieve the same...

Elia Florio | 04 Apr 2007 07:00:00 GMT | 0 comments

In these days of “zero-day”, I’ve analyzed many malicious files exploiting some of the recent MS Office vulnerabilities for Word, Excel and PowerPoint. The "Trojan.Mdropper" and “Trojan.PPDropper” families have grown very quickly in the last year, and I was trying to come up with some numbers by looking at the samples received here in the virus lab.

During my analysis I was surprised by some data about the number of samples picked up for Trojan.Mdropper.X. For most of these attacks the number of samples received for a single family is very low (usually less than five samples), and allows vendors to speak of “limited targeted attacks”. However for Trojan.Mdropper.X the situation was slightly different. The set of Mdropper.X samples exploiting the same CVE-2006-6456 vulnerability has up to 30 different .doc files at the moment and started to increase quickly in the last few months.

There was no evident reason behind these statistics and it seemed obvious to me that...

Jim Hoagland | 03 Apr 2007 07:00:00 GMT | 0 comments

Last week the CVE project issued nine new CVEs for Vista, numbered CVE-2007-1527 through CVE-2007-1535. While these CVEs were directly based on our findings in Windows Vista Network Attack Surface Analysis [1] report (released as a Symantec Security Response whitepaper on March 7th), they had been requested by a third party. I'll describe each of these in this post.

We don't feel that most of the issues are especially significant. Microsoft reviewed the paper prior to its public release and Symantec would participate in any warranted responsible disclosure for vulnerabilities.

We regard CVE-2007-1535 as important, and it...