Security Response
Showing posts tagged with Emerging Threats
Greg Ahmad | 18 Jan 2007 08:00:00 GMT | 0 comments

In my previous post, I talked about the sudden rise in vulnerabilities affecting ActiveX controls. In this post, I would like to talk a bit about the technology behind ActiveX and various steps that may be taken to prevent attacks.

An ActiveX control is essentially an Object Linking and Embedding (OLE) object. OLE allows objects to be shared using Component Object Model (COM) technology, which is a model that permits software components to communicate with each other. Distributed COM (DCOM) is an extension of COM that allows for the sharing of components over a network. ActiveX technology essentially facilitates the functionality of OLE on the World Wide Web. The controls can run on platforms that support COM or DCOM.

According to Microsoft, ActiveX controls must provide an interface named “...
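The prevention steps the post goes on to describe are cut off above. As an added example (not code from the original post or from Symantec), the standard per-control mitigation on Windows is the ActiveX "kill bit": setting bit 0x400 in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} stops Internet Explorer from instantiating that control even though it stays registered. The PowerShell below audits a list of CLSIDs for the kill bit and can set it while preserving other flags; the CLSIDs in the usage lines are placeholders, not identifiers of real controls.

```powershell
# Added example: audit and set ActiveX kill bits. Not code from the original post.
# Kill-bit mechanism (Microsoft KB240797): a DWORD "Compatibility Flags" with bit
# 0x400 set under the key below stops IE from loading the control with that CLSID.
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Get-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $Key   = Join-Path $KillBitRoot $Clsid
    $Flags = 0
    if (Test-Path $Key) {
        $Item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        if ($null -ne $Item.'Compatibility Flags') { $Flags = [int]$Item.'Compatibility Flags' }
    }
    # Report whether the control is registered at all, so a missing kill bit on an
    # unregistered CLSID is not mistaken for exposure.
    $Registered = Test-Path (Join-Path 'Registry::HKEY_CLASSES_ROOT\CLSID' $Clsid)
    [pscustomobject]@{
        Clsid      = $Clsid
        Registered = $Registered
        Flags      = ('0x{0:X8}' -f $Flags)
        KillBitSet = (($Flags -band $KillBitFlag) -ne 0)
    }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $Key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $Existing = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the kill bit in rather than overwriting, so other compatibility flags survive.
    $New = ([int]$Existing) -bor $KillBitFlag
    New-ItemProperty -Path $Key -Name 'Compatibility Flags' -PropertyType DWord -Value $New -Force | Out-Null
    Get-ActiveXKillBit -Clsid $Clsid
}

# Usage (writing under HKLM requires an elevated prompt). The CLSIDs below are
# placeholders for illustration, not identifiers of real controls.
$ControlsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)
$ControlsToCheck | ForEach-Object { Get-ActiveXKillBit -Clsid $_ } | Format-Table -AutoSize
# To block one: Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000001}'
```

Two caveats when using this as a check: on 64-bit Windows the 32-bit browser reads the kill-bit key under HKLM\SOFTWARE\Wow6432Node\... instead, so an audit has to cover both views; and a kill bit only affects hosts that honour it (Internet Explorer and the WebBrowser control), not other applications that instantiate the same COM object directly.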

Greg Ahmad | 16 Jan 2007 08:00:00 GMT | 0 comments

The year 2006 saw the rise of numerous security trends such as attacks against social networks, initiatives by researchers to sequentially disclose many flaws in Web browsers and operating system kernels, attacks being used for financial gain, and a dramatic increase in the number of vulnerabilities affecting Web applications. During the last few months of the year, I have noticed another trend that did not receive much attention. There has been a significant increase in the vulnerabilities that affect ActiveX controls. These vulnerabilities can facilitate an assortment of attacks that may simply cause the disclosure of sensitive information to an attacker or, in the worst-case scenario, allow them to execute code to gain unauthorized access to an affected computer.

During the last few years there has been an increase in the number of vulnerabilities affecting ActiveX controls shipped by various vendors. In the year 2001, DeepSight Alert Services reported a single...

Ben Greenbaum | 09 Jan 2007 08:00:00 GMT | 0 comments

Welcome to 2007! Before we get started, I'd like to wish you all a happy, healthy, and safe year from the DeepSight research teams here at Symantec. May all your plans come to fruition, and may all your patches apply smoothly... This month's patch release by Microsoft is a little lighter than previous releases, and lighter even than initially projected by Microsoft themselves. On January 4th, as per their usual policy, they publicly released high-level details of the planned release. The initial advance notification mentioned eight patches. However, the notification was later modified to list only four releases. Included among the delayed releases are fixes for various Word issues. The updates for January that did make the cut cover 10 distinct vulnerabilities, which were primarily file-based, client-side issues in the Office suite.

MS07-001...

TWoodward | 02 Jan 2007 08:00:00 GMT | 0 comments

Although there is no shortage of relevant news regarding the Mac OS X platform, I’m usually faced with more questions than answers when considering ideas for new Macintosh articles or blogs for the Security Response Weblog. Even though Mac OS X has been available in one form or another for about six years (not counting its pre-Apple days as NeXT/OpenStep), its security education and research community is still young and underdeveloped. With Apple’s transition to an all Intel-based architecture and the steadily increasing adoption of Mac OS X by small, medium, and large enterprises, the Mac OS X security research and education landscape is rapidly being forced to grow up.

What follows are a number of important questions to spark further research and discussion on the subject of Mac OS X and security. Please feel free to join the discussion or start a new one on the Focus-Apple SecurityFocus...

Ollie Whitehouse | 30 Dec 2006 08:00:00 GMT | 0 comments

Collin Mulliner gave an updated version of his presentation at 23C3 in Berlin titled ‘Advanced Attacks Against PocketPC Phones’ (we originally blogged about it in August). As I previously mentioned, one of the vulnerabilities he discussed had, to my knowledge, still not been patched. Well, Collin confirmed this in his presentation and also released a working exploit for the...

Zulfikar Ramzan | 22 Dec 2006 08:00:00 GMT | 0 comments

This entry continues my blog series on some Symantec phishing data I have recently analyzed. I decided to look at data that relates to how phishing attacks are becoming more targeted. During the periods studied, our data does not support the hypothesis that attackers are going after more and more specialized targets. For the periods studied, our data also indicates that targeted phishing campaigns are outweighed by more scattered ones. Again, it’s important to note that the data is specific to a given period of time, so it’s possible (and perhaps quite likely, given how rapidly the landscape is changing) that outside this time frame the picture could change dramatically.

Let’s consider unique brands first. From June through September 2006, the Symantec Norton Confidential system recorded 154 distinct brands that were spoofed in a phishing attack. Of these 154 brands, 93 of them were spoofed in a phishing attack that occurred during June; this number jumped...

Zulfikar Ramzan | 21 Dec 2006 08:00:00 GMT | 0 comments

As mentioned in one of my previous blog entries, I’ve been looking at some of the phishing data Symantec collects. As part of this effort, I looked at data associated with a recent Symantec offering called Norton Confidential (this product, which is geared towards providing transaction security, can detect phishing sites, among other things). The Norton Confidential back-end servers collect a tremendous amount of data associated with existing phishing sites.

Within these phishing sites, I decided to look a little more carefully at the distribution of spoofed brands that represent local US banks (for example, credit unions that are local to a specific state). For this purpose I considered a brand to be local if all the branch locations were in a specific state (or in states that directly bordered that state). I specifically...

Robert Keith | 20 Dec 2006 08:00:00 GMT | 0 comments

December 9, 2006, marks the day when Stefan Esser, a long-standing contributor to the PHP Security Response Team, retired. He has stated a few reasons for this latest move, primarily focusing on (in his opinion) the lack of response from his fellow colleagues and an extended delay in the patching of known vulnerabilities. Possibly another example of how some individuals or groups may choose to view “responsible disclosure.”

Over the years, SecurityFocus has reported on multiple vulnerabilities affecting PHP, such as BIDs 20879 (PHP HTMLEntities HTMLSpecialChars Buffer Overflow Vulnerabilities), 19582 (PHP Multiple Input...

Ben Greenbaum | 12 Dec 2006 08:00:00 GMT | 0 comments

All aboard! Welcome to another ride on the monthly Microsoft patch train. We’ve got quite a few stops this month and most are client-side vulnerabilities, meaning that an end user has to take specific actions (typically by obtaining and then opening hostile content). Unless otherwise stated, the privilege granted to the attacker for all of the below vulnerabilities is the privilege level of the victim user. Most were publicly disclosed for the first time today, but the exceptions are noted. They are listed below in the order of most to least critical for the fabled “typical” network.

Vulnerability in SNMP Could Allow Remote Code Execution MS06-074 / KB926247

This vulnerability seems almost old-fashioned in the modern security landscape – a common buffer...

Chintan Trivedi | 07 Dec 2006 08:00:00 GMT | 0 comments

"A browser" – that’s all we were led to believe the next generation would need to create office applications or engineering applications. Now, the focus on security has begun to divert in that direction. Statistics from the first half of 2006 showed that 69 percent of exploitable vulnerabilities were from Web applications. Web application vulnerabilities usually get mixed up with server vulnerabilities, although the two are distinctly different. Web developers who design Web sites are not usually security gurus. The developers will often leave behind various security holes in the Web application because of bad coding practices and a lack of security reviews.

On one hand, there are many security experts around the world who fuzz Web servers with variations in order to find another zero-day. The end result is that the gap between popular Web servers and exploitable vulnerabilities within them is increasing. It has been a long time since we have seen a completely...