Video Screencast Help
Security Response
Showing posts in English
Jim Hoagland | 03 Apr 2007 07:00:00 GMT | 0 comments

Last week the CVE project issued nine new CVEs for Vista, numberedCVE-2007-1527 through CVE-2007-1535. While these CVEs were directlybased on our findings in Windows Vista Network Attack Surface Analysis[1] report (released as a Symantec Security Response whitepaper on March 7th), they had been requested by a third party. I'll describe each of these in this post.

We don't feel that most of the issues are especially significant.Microsoft reviewed the paper prior to its public release and Symantecwould participate in any warranted responsible disclosure forvulnerabilities.

We regard CVE-2007-1535 asimportant, and it...

Jim Hoagland | 03 Apr 2007 07:00:00 GMT | 0 comments

Last week the CVE project issued nine newCVEs for Vista, numbered CVE-2007-1527 through CVE-2007-1535. Whilethese CVEs were directly based on our findings in Windows Vista Network Attack Surface Analysis[1] report (released as a Symantec Security Response whitepaper on March 7th), they had been requested by a third party. I'll describe each of these in this post.

We don't feel that most of the issues are especially significant.Microsoft reviewed the paper prior to its public release and Symantecwould participate in any warranted responsible disclosure forvulnerabilities.

We regard CVE-2007-1535 asimportant, and...

David McKinney | 02 Apr 2007 07:00:00 GMT | 0 comments

As part of the process of compiling the data for Symantec’s Internet Security Threat Report(ISTR), we discuss which metrics are critical to defining trends in thethreat landscape. We are constantly reassessing the validity of certainmetrics and looking for opportunities to create new metrics. Our datacollection capabilities have improved over the years with newacquisitions, new products, and new product features that allow us totrack different types of data. It is a great benefit that Symantec is acompany that has grown with the threat landscape. It is also a matterof internal policy with the ISTR team to rigorously question and debatethe relevance and validity of what we’re reporting on. I’d like to takethis opportunity to reflect a little bit on the process behind thecreation of one of the new metrics for this report – zero-dayvulnerabilities.

ISTR, Volume XI gave me an interesting research project – find thenumber of zero-day vulnerabilities. This seems...

David McKinney | 02 Apr 2007 07:00:00 GMT | 0 comments

As part of the process of compiling the data for Symantec’s Internet Security Threat Report(ISTR), we discuss which metrics are critical to defining trends in thethreat landscape. We are constantly reassessing the validity of certainmetrics and looking for opportunities to create new metrics. Our datacollection capabilities have improved over the years with newacquisitions, new products, and new product features that allow us totrack different types of data. It is a great benefit that Symantec is acompany that has grown with the threat landscape. It is also a matterof internal policy with the ISTR team to rigorously question and debatethe relevance and validity of what we’re reporting on. I’d like to takethis opportunity to reflect a little bit on the process behind thecreation of one of the new metrics for this report – zero-dayvulnerabilities.

ISTR, Volume XI gave me an interesting research project – find thenumber of zero-day vulnerabilities. This seems...

Amado Hidalgo | 01 Apr 2007 07:00:00 GMT | 0 comments

I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.

Symantec Security Response has detected a new worm in the wild: W32.Fubalca.It infects executables and HTML-type files, inserting links tomalicious Animated Cursor files, and exploits the currently unpatchedMicrosoft Windows Cursor And Icon ANI Format Handling Remote BufferOverflow Vulnerability (BID 23194) to download further copies of the worm.

The worm infects executables on all drives (including removabledrives), except for the drive that Windows is installed upon (e.g.C:\). As well as exploiting the vulnerability, the worm appears tospread through removable drives and already-mapped network shares.

The malicious Animated...

Amado Hidalgo | 01 Apr 2007 07:00:00 GMT | 0 comments

I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.

Symantec Security Response has detected a new worm in the wild: W32.Fubalca.It infects executables and HTML-type files, inserting links tomalicious Animated Cursor files, and exploits the currently unpatchedMicrosoft Windows Cursor And Icon ANI Format Handling Remote BufferOverflow Vulnerability (BID 23194) to download further copies of the worm.

The worm infects executables on all drives (including removabledrives), except for the drive that Windows is installed upon (e.g.C:\). As well as exploiting the vulnerability, the worm appears tospread through removable drives and already-mapped network shares.

The malicious Animated...

Andy Cianciotto | 30 Mar 2007 07:00:00 GMT | 0 comments

Microsoft has released an out-of-band advisory today for a new exploit targeting a vulnerability in the way that Microsoft Windows handles animated cursor (.ani) files.

The vulnerability is caused by insufficient format validation, priorto rendering cursors, animated cursors, and icons. If successfullyexploited, it will allow an attacker to perform remote code executionon the victim machine. In order to carry out an attack, the attackerwould need to convince potential victims to either visit a Web sitethat contains a Web page that is used to exploit the vulnerability, orview a specially crafted email message or email attachment. Theattacker could enable an affected system to execute code once a userhas viewed a malicious Web page, previewed or read a specially craftedmessage, or opened a specially crafted email attachment.

While it is similar to the vulnerability described in...

Orla Cox | 29 Mar 2007 07:00:00 GMT | 0 comments

Technologies come and go, but socialengineering remains the most popular technique used to propagatemalware. This tried and trusted method has been around since theLoveletter days, and malware authors don't seem to be giving up on itjust yet. This year we've seen Trojan.Peacommin a number of guises – from videos of current news stories topostcards from loved ones. However, the one "disguise" that we see mostconsistently is in the form of the humble invoice.

Recently, we've seen a spate of malware circulating (in Germany inparticular), masquerading as various invoices. The year started with aspam run of Trojan.Schoeberl.Epurporting to be a bill from German ISP 1&1. Since then, we've seenmalware disguised as bills from a variety of firms such as Ebay...

Hon Lau | 28 Mar 2007 07:00:00 GMT | 0 comments

Following the arrest of Jun Li (creator ofthe W32.Fujacks or "Panda" worm) by the Hubei Police on February 3rd,the police promised to make an example of the virus author. To thatend, the police announced in early February that they were going tohave the virus creator write a program to remove this virus and repairthe damage done by it.

On March 27th we obtained a copy of the removal tool created by Li.Naturally we were curious about the effectiveness of the tool againstthe variants of the threat that were found in the wild.

When the tool is executed, the user is presented with a message from Li himself:

FujacksFixtool.jpg

The message contains an apology and an explanation that he createdthe worm for research. He ends with a warning to beware of futurethreats (from others), and to take the necessary precautions. Li alsoacknowledges that...

David McKinney | 28 Mar 2007 07:00:00 GMT | 0 comments

Google hacking is a well-known phenomenon.It consists of using Google’s advanced operators to search forsensitive files or other security issues in content that Google hasindexed. Various techniques and examples have been developed to findsuch things as password files, web-cam management interfaces, etc.Ultimately, Google hacking has revealed data management issues thatcause sensitive information to be exposed to the public. This is stillan ongoing issue for many organizations.

Of course, Google’s advanced operators were initially intended formore benevolent purposes. I like to think of this as another form ofGoogle hacking. Searching Google without fine-tuning your search termsis like drinking from the fire hose. Many people never bother to learnthe advanced search operators that really let you nail down results.Therefore, I thought I would throw together some examples of how I usethe advanced operators every day to query SecurityFocus.

Explanations of the...