Video Screencast Help
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Andy Cianciotto | 30 Mar 2007 07:00:00 GMT | 0 comments

Microsoft has released an out-of-band advisory today for a new exploit targeting a vulnerability in the way that Microsoft Windows handles animated cursor (.ani) files.

The vulnerability is caused by insufficient format validation, priorto rendering cursors, animated cursors, and icons. If successfullyexploited, it will allow an attacker to perform remote code executionon the victim machine. In order to carry out an attack, the attackerwould need to convince potential victims to either visit a Web sitethat contains a Web page that is used to exploit the vulnerability, orview a specially crafted email message or email attachment. Theattacker could enable an affected system to execute code once a userhas viewed a malicious Web page, previewed or read a specially craftedmessage, or opened a specially crafted email attachment.

While it is similar to the vulnerability described in...

Ron Bowes | 20 Mar 2007 07:00:00 GMT | 0 comments

The default install of OpenBSD is well known to have one of the mostsecure default installations available. The OpenBSD team hastraditionally enjoyed the luxury of claiming to have only a singleremotely exploitable vulnerability the past 10 years. However, CoreSecurity recently discovered a new vulnerability in the IPv6 stack of OpenBSD. As a result, the OpenBSD project had to change the text on their main page to: “Only two remote holes in the default install, in more than 10 years!”

A buffer overflow may be triggered when a fragmented IPv6 packet isreceived. Although this was originally thought by the vendor to be nomore than a denial of service issue, a proof of concept exploit wasdeveloped, proving that the vulnerability is exploitable. The totaltime elapsed between the vulnerability being initially disclosed...

Stuart Smith | 05 Mar 2007 08:00:00 GMT | 0 comments

Larry Wall once said, “Three great virtues of programming arelaziness, impatience, and hubris.” It appears the authors of aW32.Darksnow have taken this saying to heart. It also appears that theywere too impatient to read the other virtues he lists – diligence,patience, and humility. And they’ve mainly focused on the virtue oflaziness, by trying to find a way to make money using other people’scomputers (and electricity and bandwidth). Specifically, they wanted tomake money using other people’s computers to spoof “impressions” ofadvertising links. Without asking the people, of course. That would betoo much work. And they’d probably say no.

Of course, you can’t just set up a computer, and let a program sitthere and pretend to view Web pages. You’d need a lot of computers toreally make money. And the ad networks are smart enough to figure outthat someone probably isn’t sitting on their computer all dayrefreshing a Web page, so the virus writers couldn’t get any money forthis....

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR workson the basis that it will move an application and its associated memoryaround, either each time it’s executed or when the host is rebooted,depending on the element concerned. The purpose of this is to hinder aclass of vulnerabilities commonly referred to as memory manipulation vulnerabilitiesby making it difficult for an attacker to know where an application isin memory. This would impede successful exploitation, which relies onfixed memory addresses.

Back in December, I decided to take a brief look at theimplementation of ASLR on Vista. I had seen some findings emerge duringits development, but these really didn’t show if the implementation wasgood, bad, or indifferent. Since my work load was winding down, as Ihad December off, and a tool I had written indicated there might besome problems, I decided to look at this in more detail. My...

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

When I started this project, I had one goal in mind – to understandwhich binaries in Windows Vista were not /GS compiled. While this mayseem rather simple on the surface, as I started to dig, it became alittle more complex. That said, my goal was achievable and today I’mhappy to present my findings.

The purpose of my paper "Analysis of GS Protection in Windows Vista"was to show which binaries under a default installation of WindowsVista 32bit RTM were not protected by the Visual Studio 2005 /GScompiler flag. This, in turn, was designed to help Symantec and ourclients understand any exposure, either direct or indirect, which mayresult from this lack of protection.

The abstract for my paper is as follows:

Visual Studio 2002 introduced the Buffer Security Check(GS) option to protect stack variables from overflows that resulted inarbitrary code...

Juniper Security Research | 01 Mar 2007 08:00:00 GMT | 0 comments

This is the first guest blog post from the Juniper Security ResearchLab. We wish to thank our partners at Symantec for allowing us to usethis forum and further show the value in our partnership that was announced last September.

Today marks the first vendor-acknowledged vulnerability that wasfound by a Juniper Security Researcher. The vulnerability was found byKarl Lynn and is a Buffer Overflow in the Citrix Presentation ServerClient for Windows. If successfully exploited, this vulnerability canallow for remote code execution. When exploited, the malicious codewill run in the context of the logged-in user.

We will not be releasing a separate advisory from the vendor releaseand we do strongly recommend that those using this software install thepatch from Citrix. Users of our IDP can rest assure that they areprotected against this vulnerability with our latest...

Liam O Murchu | 23 Feb 2007 08:00:00 GMT | 0 comments

Mirror, mirror on the wall, who is the lamest of them all? Theattacker behind this scheme hopes to find out where all the l4m3rs are(his words not mine). In a classic social engineering attack, customershave been reporting that they have received an unusual piece of spamrecently.

The mail is supposedly from a hosting or collocation company and says something along the lines of this:

Dear COMPANYNAME Inc. Valued Members,

Regarding our new security regulations, as a part of our yearlymaintenance we have provided a security guard script in the attachment.

So, to secure your Web sites, please use the attached file and (forUNIX/Linux Based servers) upload the file "guard.php" in:"./public_html"
or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.
[instructionsincluded]
Thank you for using our services and products. We look forward to providing you with a unique and high quality...

TWoodward | 22 Feb 2007 08:00:00 GMT | 0 comments

While Microsoft has chosen a scheduled update approach, Apple Inc.releases updates on an "as-needed" basis. While each approach isarguably valid, during Apple's World Wide Developer Conference lastyear, Bud Tribble, VP of Software Technology at Apple addressed whyApple decided on its approach: "There is some controversy in IT shopsasking 'Wouldn’t it be easier if [Apple] could have their securityupdates scheduled on a monthly basis?' We think it’s better to getthose security updates out as soon as we can get them out and not waitfor the next month to roll around."

First out of the gate is "Security Update 2007-002" containing four patches against vulnerabilities discovered during the "Month of Apple Bugs" campaign. (See Aaron Adams' "...

Peter Ferrie | 19 Feb 2007 08:00:00 GMT | 0 comments

A colleague of mine came to see me one morning recently with anunusual result. For reasons that he didn't explain to me (he called it"a secret project"), he had intentionally placed a particular encodingof an invalid instruction near the end of a valid page, next to anunallocated page, then executed that instruction. However, instead ofseeing the expected invalid opcode exception, he was seeing a pagefault. Initially, I thought that it was related to the unexpected LOCKexception bug in Windows that I documented here, but it turned out to be something else entirely.

It turns out that the CPU performs a complete fetch, includingparsing the ModR/M byte, prior to performing any kind of decoding.Thus, because of the instruction encoding that he had used, the CPU wasattempting to retrieve all of the necessary bytes first,before it knew that the...

Debbie Mazurek | 19 Feb 2007 08:00:00 GMT | 0 comments

One of the most common practices insoftware development is code reuse. Developers use the strategy to savetime and money by reducing redundant tasks and the theory is put intopractice in several popular content management systems available tousers who want to create their own Web presence.

The CMS, or content management system, is a framework that can beused by both experienced and novice developers to produce Web sites forcountless purpose. From blog sites (like this one) to e-commerce sites,for Fortune 500 companies to private individuals, a CMS can makedeveloping content for the Web a whole lot easier.

Many of the popular CMS varieties employ a modular approach thatmakes it easy to construct your own add-ons to suit any purpose you'dlike - searching, FAQ building, file uploading, news posting - the listis exhaustive. In fact, the odds are good that someone else has alreadymade the add-on you seek: they figured out code reuse.

Joomla! and Mambo are two...