Video Screencast Help

Security Response

Showing posts for July of 2006
Showing posts in English
Zulfikar Ramzan | 31 Jul 2006 07:00:00 GMT | 0 comments

URLs often consist of a query string that appears right after the location of the particular file to be accessed. These query strings are used to pass various data parameters to the file. For example, the URL http://www.well-known-site.com/program?query-string would send the parameter “query-string” to the program located at www.well-known-site.com. While query strings in URLs are usually meant for passing data values, enterprising attackers sometimes try to craft special query strings that include actual instructions (i.e., code); if the program processing these strings does not exercise the right precautions, it will fail to make the distinction between data and instructions, and actually end up executing the attacker's code.

Whatever...

Ollie Whitehouse | 28 Jul 2006 07:00:00 GMT | 0 comments

I thought I'd write a blog entry around this, as it seems that it is a question that comes up a lot when speaking to press, operators, enterprises, and users alike. The common question is usually along the lines of: "Why not build security into the network to protect mobile devices?" In this case the “network” could be cellular, WiFi, WiMax, or a hybrid of technologies; “mobile devices” can be cell phones, SmartPhones, PDAs or laptops, among others.

Well, there are two reasons why a network can’t mitigate all the risks involving mobile devices. First, mobile devices today are not always connected via a network that is controlled by just one entity. For example, it is feasible (although in my experience, rare) within GPRS (2.5G) or UMTS (3G) to ensure that a roaming user's traffic never touches the home operator’s Gateway GPRS Support Node (GGSN) when the user is, say, accessing the Internet using a mobile device (this is dependent on the policies of the...

Ben Greenbaum | 27 Jul 2006 07:00:00 GMT | 0 comments

Many years ago, almost all vulnerabilitieswere a “zero-day” style in some respect. Vendors did not, for the mostpart, talk about security defects in their products and in fact,several chose not to address them at all. Information about ways tobreak into systems remained primarily in the hands of the attackers.Things began to change in the mid-90s, when the discussion of securitybugs became more widespread. Vendors started to participate moreactively in the dissemination of protective information with the goalof enabling their customers to defend their digital assets. Variouscommunities sprouted up to facilitate this discussion, vendors set upsecurity-alert mailing lists and Web sites, and the general awarenesslevel of computer security was raised substantially. During this timethere were, of course, those who still chose to keep vulnerabilityinformation to themselves for their own purposes, but the overalldiscussion of these issues was open and frank. Flaws were discovered,...

Candid Wueest | 26 Jul 2006 07:00:00 GMT | 0 comments

Mozilla’s Firefox browser is quite popular and it is often recommended when it comes to the question: What is a safe browser alternative? Unfortunately, this does not necessarily mean that you are not susceptible to browser attacks.

Microsoft Internet Explorer is often hijacked by malware that drops browser helper objects (BHO), which will then be loaded every time the user starts Microsoft Internet Explorer. The BHOs can then manipulate data that is sent to the Internet and (for example) steal passwords or monitor user habits. With the Cross Platform Component Object Model (XPCOM), something similar to a BHO exists on the Mozilla side. It is a framework for developers to create modules that access features of the Gecko engine. For example, Firefox extensions are written with XPCOM and can therefore integrate seamlessly into Firefox.

Of course, it shouldn’t be a big surprise that this technique can also be used with malicious intent. Unwanted extensions that we...

Brian Hernacki | 26 Jul 2006 07:00:00 GMT | 0 comments

Lately, there has been a whole bunch of cities announcing plans for the creation of municipal (“muni”) Wi-Fi networks. From San Francisco and Silicon Valley to New York, Philadelphia, Toronto, and even Paris, this seems to be the hot new thing to...

Symantec Security Response | 24 Jul 2006 07:00:00 GMT | 0 comments

Email is a great way to communicate with a wide audience, and the bad guys know it. We have seen yet another case of spam email that contains malicious code as an attachment. The attachment is a ZIP file (WC2905036.zip -> WC2905036.exe) that contains a Trojan horse program that will create a backdoor on a user's system when executed. This threat is detected as Backdoor.Haxdoor.O. Some variants may be detected as Backdoor.Haxdoor.I.

This Trojan attempts several things: downloads and executes files, logs keystrokes, listens on TCP ports, etc. We have only seen a few minor variants thus far, but one thing to be aware of is that the spam email purports to be from an online retailer that is asking the user to review an attached invoice. We have...

Zulfikar Ramzan | 24 Jul 2006 07:00:00 GMT | 0 comments

Making sure your computer has the latest patches installed is probably one of the most important safe computing practices. Unfortunately, many people outside the security community fail to understand why this is so critical. I can’t think of a better illustration of why this practice is so important than the recent use of MySpace to serve up banner ads that exploit the Windows metafile format (WMF) flaw.

Let me explain what happened. Back in December 2005, a vulnerability was discovered in the way Windows operating systems handled WMF images. If an image was maliciously crafted and you simply viewed it in an unpatched version of Windows, attackers could get your computer to execute any instructions they wanted it to. And, you would have no idea. As you can imagine, such a vulnerability has serious repercussions. Anyone...

Zulfikar Ramzan | 21 Jul 2006 07:00:00 GMT | 0 comments

It seems that there is an increased frequency of attacks where bogus links are placed on otherwise legitimate Web sites; these bogus links consequently send users that click on them to malicious pages. These malicious pages are hosted on a different domain and are built to mimic the legitimate site, and they can prompt a user to enter the username and password combination that would have been used on the original site. The username and password details can then be logged with the intention of future fraudulent use. For lack of a better name, I’ve started using the term "site jacking" to refer to this type of attack. This attack has some resemblance to phishing, except that instead of having a malicious link delivered via email, the link is “presented” on a well known (and even reputable) Web site.

There have been reported site jackings on...

Kaoru Hayashi | 20 Jul 2006 07:00:00 GMT | 0 comments

The number of reports of “Downloader” has been increasing in recent years. Downloader is a small program that downloads another malware or security risk from the Internet. In order to protect your computer from these Downloader programs, we recommend using an updated antivirus product, controlling Internet access for each desktop program, and filtering entrusted domains (by URL or IP address) with a firewall. However, when users or network administrators need to determine which Internet resources are trusted or not, it can become difficult.

In many cases, Downloader will attempt to download other programs from a cheaply run (or even free) Web hosting service. Since domain registration is fairly simple to do and not that expensive, attackers will try to create an attractive Web site using their own domain name in order to gain the trust of visitors to the site....

Ollie Whitehouse | 19 Jul 2006 07:00:00 GMT | 0 comments

I wanted to let you know that contrary tosome beliefs, there are still Lotus Notes users out there. During acursory look at Notes around the end of 2004 (just after @stake was bought by Symantec) I had identified a denial of service (DoS) condition that could be triggered via SMTP (the advisory was released last month). I wanted to take a few moments to discuss some of the details around this vulnerability.

Ihad originally identified the bug using SMTP as the injection vector.However, during Symantec's patching process (I was fortunate enough towork with our team that focuses on Notes issues) we identified thatNotes RPC could also be used as a vector. What is the result? Well,even if you patch the edge (peripheral) Lotus servers, as soon as asuitably malformed message hits a vulnerable server deep...