Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Symantec Security Response | 06 Apr 2007 07:00:00 GMT | 0 comments

In 2006, Web security expert Jeremiah Grossman came up with aninteresting attack that can be used to read the history of visitors toa Web page using only a simple piece of JavaScript. In February 2007,RSnake came up with a modification of this attack that does not needJavaScript or any other scripting language. This is a rediscovery of an attack discovered by Andrew Clover in 2002.

In the original proof of concept, a Web site was set up with ascript that lists the sites that the user had visited. This was donewas by creating a set of links and looking up the color attribute ofthe link text. If the link was visited, it was rendered in a differentcolor than if the page was not visited. The script goes through each ofthe links, checks the colors and reports back to the owner of the site.

In the new version of this attack, Cascading Style Sheets (CSS) areused to achieve the same...

Elia Florio | 04 Apr 2007 07:00:00 GMT | 0 comments

In these days of “zero-day”, I’ve analyzed many malicious filesexploiting some of the recent MS Office vulnerabilities for Word, Exceland PowerPoint. The "Trojan.Mdropper" and “Trojan.PPDropper” familieshave grown very quickly in the last year, and I was trying to come upwith some numbers by looking at the samples received here in the viruslab.

During my analysis I was surprised by some data about the number of samples picked up for Trojan.Mdropper.X.For most of these attacks the number of samples received for a singlefamily is very low (usually less than five samples), and allows vendorsto speak of “limited targeted attacks”. However for Trojan.Mdropper.Xthe situation was slightly different. The set of Mdropper.X samplesexploiting the same CVE-2006-6456 vulnerability has up to 30 different.doc files at the moment and started to increase quickly in the lastfew months.

There was no evident reason behind these statistics and it seemedobvious to me that...

Jim Hoagland | 03 Apr 2007 07:00:00 GMT | 0 comments

Last week the CVE project issued nine new CVEs for Vista, numberedCVE-2007-1527 through CVE-2007-1535. While these CVEs were directlybased on our findings in Windows Vista Network Attack Surface Analysis[1] report (released as a Symantec Security Response whitepaper on March 7th), they had been requested by a third party. I'll describe each of these in this post.

We don't feel that most of the issues are especially significant.Microsoft reviewed the paper prior to its public release and Symantecwould participate in any warranted responsible disclosure forvulnerabilities.

We regard CVE-2007-1535 asimportant, and it...

David McKinney | 02 Apr 2007 07:00:00 GMT | 0 comments

As part of the process of compiling the data for Symantec’s Internet Security Threat Report(ISTR), we discuss which metrics are critical to defining trends in thethreat landscape. We are constantly reassessing the validity of certainmetrics and looking for opportunities to create new metrics. Our datacollection capabilities have improved over the years with newacquisitions, new products, and new product features that allow us totrack different types of data. It is a great benefit that Symantec is acompany that has grown with the threat landscape. It is also a matterof internal policy with the ISTR team to rigorously question and debatethe relevance and validity of what we’re reporting on. I’d like to takethis opportunity to reflect a little bit on the process behind thecreation of one of the new metrics for this report – zero-dayvulnerabilities.

ISTR, Volume XI gave me an interesting research project – find thenumber of zero-day vulnerabilities. This seems...

Amado Hidalgo | 01 Apr 2007 07:00:00 GMT | 0 comments

I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.

Symantec Security Response has detected a new worm in the wild: W32.Fubalca.It infects executables and HTML-type files, inserting links tomalicious Animated Cursor files, and exploits the currently unpatchedMicrosoft Windows Cursor And Icon ANI Format Handling Remote BufferOverflow Vulnerability (BID 23194) to download further copies of the worm.

The worm infects executables on all drives (including removabledrives), except for the drive that Windows is installed upon (e.g.C:\). As well as exploiting the vulnerability, the worm appears tospread through removable drives and already-mapped network shares.

The malicious Animated...

Andy Cianciotto | 30 Mar 2007 07:00:00 GMT | 0 comments

Microsoft has released an out-of-band advisory today for a new exploit targeting a vulnerability in the way that Microsoft Windows handles animated cursor (.ani) files.

The vulnerability is caused by insufficient format validation, priorto rendering cursors, animated cursors, and icons. If successfullyexploited, it will allow an attacker to perform remote code executionon the victim machine. In order to carry out an attack, the attackerwould need to convince potential victims to either visit a Web sitethat contains a Web page that is used to exploit the vulnerability, orview a specially crafted email message or email attachment. Theattacker could enable an affected system to execute code once a userhas viewed a malicious Web page, previewed or read a specially craftedmessage, or opened a specially crafted email attachment.

While it is similar to the vulnerability described in...

Ron Bowes | 20 Mar 2007 07:00:00 GMT | 0 comments

The default install of OpenBSD is well known to have one of the mostsecure default installations available. The OpenBSD team hastraditionally enjoyed the luxury of claiming to have only a singleremotely exploitable vulnerability the past 10 years. However, CoreSecurity recently discovered a new vulnerability in the IPv6 stack of OpenBSD. As a result, the OpenBSD project had to change the text on their main page to: “Only two remote holes in the default install, in more than 10 years!”

A buffer overflow may be triggered when a fragmented IPv6 packet isreceived. Although this was originally thought by the vendor to be nomore than a denial of service issue, a proof of concept exploit wasdeveloped, proving that the vulnerability is exploitable. The totaltime elapsed between the vulnerability being initially disclosed...

Stuart Smith | 05 Mar 2007 08:00:00 GMT | 0 comments

Larry Wall once said, “Three great virtues of programming arelaziness, impatience, and hubris.” It appears the authors of aW32.Darksnow have taken this saying to heart. It also appears that theywere too impatient to read the other virtues he lists – diligence,patience, and humility. And they’ve mainly focused on the virtue oflaziness, by trying to find a way to make money using other people’scomputers (and electricity and bandwidth). Specifically, they wanted tomake money using other people’s computers to spoof “impressions” ofadvertising links. Without asking the people, of course. That would betoo much work. And they’d probably say no.

Of course, you can’t just set up a computer, and let a program sitthere and pretend to view Web pages. You’d need a lot of computers toreally make money. And the ad networks are smart enough to figure outthat someone probably isn’t sitting on their computer all dayrefreshing a Web page, so the virus writers couldn’t get any money forthis....

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR workson the basis that it will move an application and its associated memoryaround, either each time it’s executed or when the host is rebooted,depending on the element concerned. The purpose of this is to hinder aclass of vulnerabilities commonly referred to as memory manipulation vulnerabilitiesby making it difficult for an attacker to know where an application isin memory. This would impede successful exploitation, which relies onfixed memory addresses.

Back in December, I decided to take a brief look at theimplementation of ASLR on Vista. I had seen some findings emerge duringits development, but these really didn’t show if the implementation wasgood, bad, or indifferent. Since my work load was winding down, as Ihad December off, and a tool I had written indicated there might besome problems, I decided to look at this in more detail. My...

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

When I started this project, I had one goal in mind – to understandwhich binaries in Windows Vista were not /GS compiled. While this mayseem rather simple on the surface, as I started to dig, it became alittle more complex. That said, my goal was achievable and today I’mhappy to present my findings.

The purpose of my paper "Analysis of GS Protection in Windows Vista"was to show which binaries under a default installation of WindowsVista 32bit RTM were not protected by the Visual Studio 2005 /GScompiler flag. This, in turn, was designed to help Symantec and ourclients understand any exposure, either direct or indirect, which mayresult from this lack of protection.

The abstract for my paper is as follows:

Visual Studio 2002 introduced the Buffer Security Check(GS) option to protect stack variables from overflows that resulted inarbitrary code...