Security Response
Jim Hoagland | 10 Jul 2007 07:00:00 GMT | 0 comments

Symantec Security Advisory SYMSA-2007-005[1] is now available. This covers a Teredo-related vulnerability in the Vista version of Windows Firewall (BID 24779, CVE-2007-3038). (To be clear, this vulnerability is not connected to any of the nine Vista issues I discussed in my last blog[2].)

Last fall, when Ollie Whitehouse[3] was analyzing what TCP ports were open over a Teredo interface in a freshly installed Windows Vista RC2, he discovered that port 5357 was open over Teredo. We thought this odd since there is no functional reason this port, which corresponds to Web Services on Devices (WSD)[4], should be remotely accessible. When the release version of Vista became available, we verified that this port was still open. (Details on...

Ben Greenbaum | 10 Jul 2007 07:00:00 GMT | 0 comments

This month's Microsoft patch release includes six bulletins, addressing 12 vulnerabilities in common client and server software, including four in a popular development environment. Topping the heap in terms of urgency is a remotely exploitable, server-side code execution vulnerability in IIS, and that's where we'll start:

MS07-041; KB939373: Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

This bulletin addresses a previously known issue in IIS 5.1 on Windows XP that was reported in late 2005 as a denial-of-service problem. It is now known to be exploitable to run attacker code. IIS is not running or installed by default on Windows XP.

  • Microsoft Internet Information Server 5.1 DLL Request Remote Code Execution Vulnerability...

Eric Chien | 10 Jul 2007 07:00:00 GMT | 0 comments

Some of us (Ollie Whitehouse, Eduardo Tang, and myself) are happy owners of the iPhone. However, not because we are constantly listening to music or using a pinching motion with our fingers to see pictures zoom and shrink, but because we get to analyze the attack surface. While the iPhone itself will surely evolve via new models, software, and patches, this blog will consist of a rundown of our initial thoughts.

In the default out-of-the-box configuration for the average user, you cannot run code on the device. This makes the platform less risky than other mobile platforms and desktop operating systems like Windows. If you can't run code, you can't run malicious code. Further, the AJAX/Web 2.0 applications that can utilize the phone's services (such as the ability to make calls) normally prompt the user before the action takes place. This prevents automatic dialing and things like SMS worms.

These factors greatly limit the attack surface. However,...

Kelly Conley | 09 Jul 2007 07:00:00 GMT | 0 comments

As image spam continues its decline, the July State of Spam Report highlights more new techniques for delivering spam images, including PDF spam. This is spam that contains no real text in the body of the message (although it may contain word salad), but that has a PDF attachment. When opened, the PDF file is an ad or some other spam message.

The PDF attachments result in messages that are very large in size. We have been monitoring this throughout the past month, but it has really heated up this past week. So far, we have observed over 25 million messages that were categorized as PDF spam.

We have seen a few different variants of this type of spam thus far. The first one is the newsletter variant, in which a PDF attachment is made to resemble a legitimate newsletter. The second variant is one in which the PDF attachment resembles the more familiar images...

Yazan Gable | 06 Jul 2007 07:00:00 GMT | 0 comments

Symantec has observed an interesting trend in the world of Internet-based credit card fraud: fraudsters are donating money to charity. How could this happen? In the world of carding, where stolen credit card information is bought and sold, carders need to know if the credit cards they are buying or selling can actually be used. It is sometimes difficult for them to verify this without raising any alarm bells and risking that their cards will be identified as stolen and disabled. As a consequence, a new trend is appearing.

Carders attempting to verify that a stolen credit card is legitimate and active have begun donating money to charity. By attempting to pay small amounts of money to various charities, including well known charities such as the Red Cross, carders can determine if a stolen credit card is valid depending on the success or failure of the transaction.

There are likely a number of reasons that this method may be becoming more popular. For instance, bank behavior...

Sarah Gordon | 06 Jul 2007 07:00:00 GMT | 0 comments

Steal this book! F@&! the System! Do those phrases bring back any memories? For me, they conjure up images of Chicago’s Old Towne & New York’s Greenwich Village in the late '60s and early '70s. And that seems like a fitting start for a blog entry on computer security because…well, it’s a long story.

In the 1960s, some rather interesting people gained more than a little attention based on their innate ability to understand how things work and their desire to use that knowledge to help rebel against the perceived “authority system” of the day. One group of such people, the Youth International Party, or yippies as they were more commonly known, was frequently in the news. They were self-proclaimed representatives of the youth of the nation and were...

Kelly Conley | 05 Jul 2007 07:00:00 GMT | 0 comments

Who sends greeting cards for the Fourth of July? Apparently spammers. Beware of emails with Fourth of July subject lines such as:

Subject: Celebrate Your Independence
Subject: America the Beautiful
Subject: July 4th Fireworks Show
Subject: July 4th Family Day
Subject: 4th Of July Celebration
Subject: American Pride, On The 4th

Each message contains a link to the "greeting card". The link in these cases is an exposed IP address, which is a pretty good indicator that it isn’t a greeting card from an established and reputable Ecard service. When clicked, the link delivers a downloader that accesses the Internet and downloads a Trojan onto the computer.

We've been seeing a lot of generic Ecard spam over the past month and have noted it in previous blogs. What makes this one different is that...

Eric Chien | 05 Jul 2007 07:00:00 GMT | 0 comments

The MPack toolkit has received a fair amount of media attention, causing it to become one of the most desired Web browser exploit toolkits in the underground hacker scene. The original author was selling the MPack toolkit for $1,000 USD, including a year of free support, and additional exploit modules for around $100 USD.

However, considering the toolkit is written in a script language, it is easy to redistribute and modify. The toolkit is being sold by others now for as low as $150 USD. That is a whopping 85% off. Talk about clearance sale. The sellers likely didn't even need to buy it themselves, but rather probably found some of the multiple Web sites that did not employ standard Web site protections, allowing them to download the whole kit for free.

With the toolkit available in the underground scene and even available to almost...