Security Response
Ben Greenbaum | 09 Jan 2007 08:00:00 GMT | 0 comments

Welcome to 2007! Before we get started, I'd like to wish you all a happy, healthy, and safe year from the DeepSight research teams here at Symantec. May all your plans come to fruition, and may all your patches apply smoothly... This month's patch release by Microsoft is a little lighter than previous releases, and lighter even than initially projected by Microsoft themselves. On January 4th, as per their usual policy, they publicly released high-level details of the planned release. The initial advance notification mentioned eight patches. However, the notification was later modified to list only four releases. Included among the delayed releases are fixes for various Word issues. The updates for January that did make the cut cover 10 distinct vulnerabilities, which were primarily file-based, client-side issues in the Office suite.

MS07-001...

Hon Lau | 08 Jan 2007 08:00:00 GMT | 0 comments

It hasn't been long since reports surfaced that videos of Saddam Hussein’s execution are available for download on the Internet. It’s no surprise that enterprising malware creators have latched on to this latest news in an attempt to spread their wares.

What we have is an email spam sent to unsuspecting targets with details about where you can download a video.
Of course, this email (like past, present, and future spam) is once again taking advantage of human nature to help it spread. In this case, it is trying to appeal to the dark side of the individuals who are on the receiving end of the email.

The subject line of the email looks like this:

From: videosadan@kibeloco.com.br
Subject: Video completo da morte de Saddam Hussein

The body of the email looks like this:

...

Marc Fossi | 08 Jan 2007 08:00:00 GMT | 0 comments

Happy (belated) New Year! It’s safe to say that most people are back into the full swing of things by now. Although the first week of January may have been a short one for some, there are many of us who were kept on our toes in the fledgling days of 2007. We are still witnessing the aftermath of some annoying holiday-themed emails containing a mass-mailing worm, and even more recently we have been dealing with a cross-site scripting (XSS) problem involving Adobe Acrobat files.

Sadly, given these examples, it seems that the more things change from year to year, the more they stay the same (I know it’s a cliché). And in that regard, we have recently published the December 2006 version of the Symantec Home and Home Office Security Report. The report discusses some of the top security news items in December as well as a roundup of noteworthy Internet security trends for 2006. Last month, there was a worm discovered to be propagating because of malicious URLs being sent as links in instant...

Peter Ferrie | 05 Jan 2007 08:00:00 GMT | 0 comments

With the public advisory by Determina about a double-free bug in a CSRSS message function, the immediate question was: does it really affect Vista? The short answer is "yes, but not reliably." Arbitrary code execution is possible, but requires a great deal of luck, though a denial-of-service is definitely possible.

Why the fuss? Simply put, successful exploitation of the bug allows even the most restricted user-mode application to elevate its privileges to the System level. From there, the kernel is accessible even on Vista. Even without entering the kernel, System-level privileges allow almost complete control of the system, so the possibilities are limited only by the imagination.

Of course, that the bug isn't reliable on Vista doesn't mean that everyone can relax. The bug does affect earlier versions of Windows, where arbitrary code execution is far...

Peter Ferrie | 04 Jan 2007 08:00:00 GMT | 0 comments

While we probably haven't heard the last of virus writer SPTH, his announcement about leaving the rRlf (Ready Rangers Liberation Front) is welcome news. Further good news was the "lack of time" cited as his reason for leaving. This suggests that he's busy doing things other than writing viruses, and that is to be encouraged (the "doing things other than" part, not the "writing viruses" part, of course).

Even though his viruses were not on the order of complexity of some others in recent times, there is no question that he had a knack for finding just the right target to interest the media. With media attention comes the associated "coolness" factor that encourages some people to start writing viruses in the first place. And once a virus receives attention from the media, other virus writers will often target the same platform.

In my W64/Bounds article for...

Zulfikar Ramzan | 04 Jan 2007 08:00:00 GMT | 0 comments

Back in July, I wrote a blog entry about examples we had seen of phishing Web sites that worked entirely using Macromedia Flash. What makes these sites scary is that they cannot be analyzed in the same way as traditional HTML- or Javascript-based phishing pages.

When we first mentioned these attacks, the observations didn’t receive much external attention. Perhaps this was due to other, more pressing, issues related to the growth of phishing or, more likely, perhaps folks were in the post-Independence Day doldrums. Now, there has been a resurgence of interest in this topic as seen in some recent articles. With this resurgence, I thought it would make sense to point readers back to my original article on the subject of Flash-based...

Hon Lau | 03 Jan 2007 08:00:00 GMT | 0 comments

We have received reports of a significant problem relating to Adobe Acrobat files and Cross Site Scripting (XSS). A weakness was discovered in the way that the Adobe Reader browser plugin can be made to execute JavaScript code on the client side. This stems from the “Open Parameters” feature in Adobe Reader, which allows for parameters to be sent to the program when opening a .pdf file. Like most things in life, this was a feature designed for benign usage, but unfortunately somebody has discovered that it can also be used for malicious purposes.

This development is significant for a number of reasons:
• The ease in which this weakness can be exploited is breathtaking. Use of this “feature” requires no exploitation of vulnerabilities on the server side.
• Any Web site that hosts a .pdf file can be used to conduct this attack. All the attacker has to do is find out who is hosting a .pdf file on their Web server and then piggyback on it to mount an attack. What this means...

Candid Wueest | 02 Jan 2007 08:00:00 GMT | 0 comments

If I remember my math teacher correctly, then 1 + 1 = 2. Or, 2.0, to be trendy. In terms of the Internet today this could mean: Take one interactive Web solution plus one large user community and that will equal the next generation Web application. In 2006, we have seen many companies employing exactly this formula to create new Web services (some of which are very useful, while others are more for entertainment).

But in arithmetic you have to be sure to understand the variables you calculate with. If, like in this case, you deal with a very large active user group, then the chances of encountering people who don’t play by the rules are high. Therefore, it should be of no surprise that we have seen a rise in Web attacks toward the end of this year, especially considering the number of browser vulnerabilities that were discovered.

Jeremiah Grossman and others compiled a list of the...

TWoodward | 02 Jan 2007 08:00:00 GMT | 0 comments

Although there is no shortage of relevant news regarding the Mac OS X platform, I’m usually faced with more questions than answers when considering ideas for new Macintosh articles or blogs for the Security Response Weblog. Even though Mac OS X has been available in one form or another for about six years (not counting its pre-Apple days as NeXT/OpenStep), its security education and research community is still young and underdeveloped. With Apple’s transition to an all Intel-based architecture and the steadily increasing adoption of Mac OS X by small, medium, and large enterprises, the Mac OS X security research and education landscape is rapidly being forced to grow up.

What follows are a number of important questions to spark further research and discussion on the subject of Mac OS X and security. Please feel free to join the discussion or start a new one on the Focus-Apple SecurityFocus...

Shunichi Imano | 30 Dec 2006 08:00:00 GMT | 0 comments

Recently, we have seen many files that undermine the spirit of the holiday season. These files are typically named postcard.exe, greeting postcard.exe, or greeting card.exe. The files usually arrive as email attachments, which we have detected as W32.Mixor.Q@mm. Once infected, the worm attempts to gather email addresses from the compromised computer. It then sends a mass email with a copy of itself to those addresses.

If sending the worm is not rude enough, it also drops a Trojan horse named Trojan.Galapoper.A. The Trojan attempts to download these unwanted Christmas presents onto the infected computer from the Internet.

To mitigate the attack, customers are advised to update their products to the latest...