Robert Keith | 20 Dec 2006 08:00:00 GMT | 0 comments

December 9, 2006, marks the day when long-standing contributor to the PHP Security Response Team, Stefan Esser, retired. He has stated a few reasons for this latest move, primarily focusing on (in his opinion) the lack of response from his fellow colleagues and an extended delay in the patching of known vulnerabilities. Possibly another example of how some individuals or groups may choose to view “responsible disclosure.”

Over the years, SecurityFocus has reported on multiple vulnerabilities affecting PHP, such as BIDs 20879 (PHP HTMLEntities HTMLSpecialChars Buffer Overflow Vulnerabilities), 19582 (PHP Multiple Input...

Symantec Security Response | 19 Dec 2006 08:00:00 GMT | 0 comments

A new worm has been discovered that targets Skype, the voice-over-IP (VoIP) telephone application. The worm uses the Skype Control API to send text chat messages containing a malicious link to other Skype users. We highlighted the possibility of the Skype API being used as infection vector for malicious code in a blog article in May of this year: http://www.symantec.com/enterprise/security_response/weblog/2006/05/vulnerabilities_of_the_skype_a.html

However, in this case the security measures implemented by Skype have not been bypassed programmatically. Instead, the worm pleads with the user via a pop-up message box to "Allow this program in skype."

[Image: skype1.jpeg]

On a live system, the user will receive this pop-...

Peter Ferrie | 18 Dec 2006 08:00:00 GMT | 0 comments

SecuriTeam recently ran a Code Cruncher competition. The idea was to create the smallest possible Windows executable file that could download an arbitrary file from the Code Cruncher site.

While the final results are not in yet, one entry at 210 bytes (including the length of the URL) looks set to be the winner. Why? Because it executes entirely from within the PE header. That's right - there is no code outside of the file header, only strings, such as the URL. Even more amazing, those strings are encrypted. The decryptor fits into the PE header, along with the downloader code.

Here's a sanitized version of it (the relevant code and URL have been replaced):

Malware that can travel in one network packet, even smaller than CodeRed...

Ollie Whitehouse | 15 Dec 2006 08:00:00 GMT | 0 comments

Ciao! Back in May, at the Microsoft Embedded Developer Conference in Las Vegas, Microsoft provided a number of presentations on Windows CE 6. The following is a summary of the improvements in Windows CE 6 that either directly or indirectly impact security. The points below are taken from the slide decks of the presentations and are distilled down with some commentary added. It should be noted that it is not currently clear when or if Windows CE 6 will be adopted by the Windows Mobile Group. This entry follows up on the blog regarding Windows CE/Mobile 5, which I posted earlier this week.

From the talk Windows CE 6 Overview by David Kelly & Tim Kiesow of Microsoft, I have taken the following points away:
  • It supports safe SEH for security compliance (/GS)
  • Secure C Run-Time Libraries (Same...

Mimi Hoang | 14 Dec 2006 08:00:00 GMT | 0 comments

Rustock, also known as “Spambot”, is a family of back door programs with advanced user and kernel mode rootkit capabilities. Rustock has constantly been in development since around November, 2005. Rustock is a tough threat to combat because of its approach of combining multiple evasion techniques to remain undetected by commonly used rootkit detectors, such as Rootkit Revealer, IceSword, and BlackLight.

To start with, Rustock is downloaded from remote Web sites that host Web browser exploits and is then installed on unpatched computers. Along with the Rustock threat, a downloader will download other malicious code and even a misleading application, Spy Sheriff.

The second version of Rustock, named Rustock.B, employs even more sophisticated techniques than its predecessor – the original Rustock.A. Its advanced rootkit techniques,...

Amado Hidalgo | 14 Dec 2006 08:00:00 GMT | 0 comments

I’d like to try and clarify the confusion that has surrounded the publishing and reporting of three Microsoft Word vulnerabilities in the last few days. The bad news is that there are actually three different vulnerabilities in the wild. In chronological order, this is the breakdown of these three vulnerabilities.

Vulnerability #1
BID 21451: Microsoft Word Unspecified Remote Code Execution Vulnerability (CVE-2006-5994).
This vulnerability was first reported by Microsoft on December 6 via their Security Advisory 929433. Symantec Security Response created a heuristic detection (Bloodhound.Exploit.106) for this vulnerability that yielded some...

Amado Hidalgo | 13 Dec 2006 08:00:00 GMT | 0 comments

MS Word is under scrutiny again this month. We have some new and interesting details about the vulnerability reported by Microsoft on December 5 (referenced by CVE-2006-5994). The story shows how the road from a simple bug to a working exploit is short and sometimes unpredictable.

This morning we analyzed some new samples that had been detected as Bloodhound.Exploit.106, which is a new heuristic detection released yesterday for the Microsoft Word zero-day vulnerability (described in Microsoft Security Advisory 929433). Among the submissions received from our customers we found a Word file that turned out to be a little gem.

We found a malicious Word document that was written in Portuguese and added detection for it as...

Ben Greenbaum | 12 Dec 2006 08:00:00 GMT | 0 comments

All aboard! Welcome to another ride on the monthly Microsoft patch train. We’ve got quite a few stops this month and most are client-side vulnerabilities, meaning that an end user has to take specific actions (typically by obtaining and then opening hostile content). Unless otherwise stated, the privilege granted to the attacker for all of the below vulnerabilities is the privilege level of the victim user. Most were publicly disclosed for the first time today, but the exceptions are noted. They are listed below in the order of most to least critical for the fabled “typical” network.

Vulnerability in SNMP Could Allow Remote Code Execution MS06-074 / KB926247

This vulnerability seems almost old-fashioned in the modern security landscape – a common buffer overflow...