Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for July of 2006
Showing posts in English
Oliver Friedrichs | 01 Aug 2006 07:00:00 GMT | 0 comments

Following closely on the heels of the release of our first publicly available research paper, I am very pleased to present our second paper: Windows Vista Security Model Analysis. In this paper, we have taken a detailed look at the new user account protection (UAP) and user interface privilege isolation (UIPI) capabilities that form the basis of Vista’s new security model.

From our research paper's abstract:

This paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on User Account Protection and User Interface Privilege Isolation. This paper discusses these features and touches on several of their shortcomings. It then demonstrates how it is possible to combine...

Zulfikar Ramzan | 31 Jul 2006 07:00:00 GMT | 0 comments

URLs often consist of a query string that appears right after the location of the particular file to be accessed. These query strings are used to pass various data parameters to the file. For example, the URL would send the parameter “query-string” to the program located at While query strings in URLs are usually meant for passing data values, enterprising attackers sometimes try to craft special query strings that include actual instructions (i.e., code); if the program processing these strings does not exercise the right precautions, it will fail to make the distinction between data and instructions, and actually end up executing the attacker's code.


Ollie Whitehouse | 28 Jul 2006 07:00:00 GMT | 0 comments

I thought I'd write a blog entry around this, as it seems that it is a question that comes up a lot when speaking to press, operators, enterprises, and users alike. The common question is usually along the lines of: "Why not build security into the network to protect mobile devices?" In this case the “network” could be cellular, WiFi, WiMax, or a hybrid of technologies; “mobile devices” can be cell phones, SmartPhones, PDAs or laptops, among others.

Well, there are two reasons why a network can’t mitigate all the risks involving mobile devices. First, mobile devices today are not always connected via a network that is controlled by just one entity. For example, it is feasible (although in my experience, rare) within GPRS (2.5G) or UMTS (3G) to ensure that a roaming user's traffic never touches the home operator’s Gateway GPRS Support Node (GGSN) when the user is, say, accessing the Internet using a mobile device (this is dependent on the policies of the...

Ben Greenbaum | 27 Jul 2006 07:00:00 GMT | 0 comments

Many years ago, almost all vulnerabilitieswere a “zero-day” style in some respect. Vendors did not, for the mostpart, talk about security defects in their products and in fact,several chose not to address them at all. Information about ways tobreak into systems remained primarily in the hands of the attackers.Things began to change in the mid-90s, when the discussion of securitybugs became more widespread. Vendors started to participate moreactively in the dissemination of protective information with the goalof enabling their customers to defend their digital assets. Variouscommunities sprouted up to facilitate this discussion, vendors set upsecurity-alert mailing lists and Web sites, and the general awarenesslevel of computer security was raised substantially. During this timethere were, of course, those who still chose to keep vulnerabilityinformation to themselves for their own purposes, but the overalldiscussion of these issues was open and frank. Flaws were discovered,...

Candid Wueest | 26 Jul 2006 07:00:00 GMT | 0 comments

Mozilla’s Firefox browser is quite popular and it is often recommended when it comes to the question: What is a safe browser alternative? Unfortunately, this does not necessarily mean that you are not susceptible to browser attacks.

Microsoft Internet Explorer is often hijacked by malware that drops browser helper objects (BHO), which will then be loaded every time the user starts Microsoft Internet Explorer. The BHOs can then manipulate data that is sent to the Internet and (for example) steal passwords or monitor user habits. With the Cross Platform Component Object Model (XPCOM), something similar to a BHO exists on the Mozilla side. It is a framework for developers to create modules that access features of the Gecko engine. For example, Firefox extensions are written with XPCOM and can therefore integrate seamlessly into Firefox.

Of course, it shouldn’t be a big surprise that this technique can also be used with malicious intent. Unwanted extensions that we...

Brian Hernacki | 26 Jul 2006 07:00:00 GMT | 0 comments

Lately, there has been a whole bunch of cities announcing plans for the creation of municipal (“muni”) Wi-Fi networks. From San Francisco and Silicon Valley to New York, Philadelphia, Toronto, and even Paris, this seems to be the hot new thing to...

Symantec Security Response | 24 Jul 2006 07:00:00 GMT | 0 comments

Email is a great way to communicate with a wide audience, and the bad guys know it. We have seen yet another case of spam email that contains malicious code as an attachment. The attachment is a ZIP file ( -> WC2905036.exe) that contains a Trojan horse program that will create a backdoor on a user's system when executed. This threat is detected as Backdoor.Haxdoor.O. Some variants may be detected as Backdoor.Haxdoor.I.

This Trojan attempts several things: downloads and executes files, logs keystrokes, listens on TCP ports, etc. We have only seen a few minor variants thus far, but one thing to be aware of is that the spam email purports to be from an online retailer that is asking the user to review an attached invoice. We have...

Zulfikar Ramzan | 24 Jul 2006 07:00:00 GMT | 0 comments

Making sure your computer has the latest patches installed is probably one of the most important safe computing practices. Unfortunately, many people outside the security community fail to understand why this is so critical. I can’t think of a better illustration of why this practice is so important than the recent use of MySpace to serve up banner ads that exploit the Windows metafile format (WMF) flaw.

Let me explain what happened. Back in December 2005, a vulnerability was discovered in the way Windows operating systems handled WMF images. If an image was maliciously crafted and you simply viewed it in an unpatched version of Windows, attackers could get your computer to execute any instructions they wanted it to. And, you would have no idea. As you can imagine, such a vulnerability has serious repercussions. Anyone...

Zulfikar Ramzan | 21 Jul 2006 07:00:00 GMT | 0 comments

It seems that there is an increased frequency of attacks where bogus links are placed on otherwise legitimate Web sites; these bogus links consequently send users that click on them to malicious pages. These malicious pages are hosted on a different domain and are built to mimic the legitimate site, and they can prompt a user to enter the username and password combination that would have been used on the original site. The username and password details can then be logged with the intention of future fraudulent use. For lack of a better name, I’ve started using the term "site jacking" to refer to this type of attack. This attack has some resemblance to phishing, except that instead of having a malicious link delivered via email, the link is “presented” on a well known (and even reputable) Web site.

There have been reported site jackings on...

Kaoru Hayashi | 20 Jul 2006 07:00:00 GMT | 0 comments

The number of reports of “Downloader” has been increasing in recent years. Downloader is a small program that downloads another malware or security risk from the Internet. In order to protect your computer from these Downloader programs, we recommend using an updated antivirus product, controlling Internet access for each desktop program, and filtering entrusted domains (by URL or IP address) with a firewall. However, when users or network administrators need to determine which Internet resources are trusted or not, it can become difficult.

In many cases, Downloader will attempt to download other programs from a cheaply run (or even free) Web hosting service. Since domain registration is fairly simple to do and not that expensive, attackers will try to create an attractive Web site using their own domain name in order to gain the trust of visitors to the site....