Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Greg Ahmad | 16 Jan 2007 08:00:00 GMT | 0 comments

The year 2006 saw the rise of numerous security trends such as attacks against social networks, initiatives by researchers to sequentially disclose many flaws in Web browsers and operating system kernels, attacks being used for financial gain, and a dramatic increase in the number of vulnerabilities affecting Web applications. During the last few months of the year, I have noticed another trend that did not receive much attention. There has been a significant increase in the vulnerabilities that affect ActiveX controls. These vulnerabilities can facilitate an assortment of attacks that may simply cause the disclosure of sensitive information to an attacker or, in the worst-case scenario, allow them to execute code to gain unauthorized access to an affected computer.

During the last few years there has been an increase in the number of vulnerabilities affecting ActiveX controls shipped by various vendors. In the year 2001, DeepSight Alert Services reported a single...

Eric Chien | 15 Jan 2007 08:00:00 GMT | 0 comments

The release of the Apple iPhone immediately raised the eyebrows of those in security. The iPhone's operating system is based on OS X and thus, some observers assumed malicious code would be possible and potentially rampant.

However, these concerns were a bit premature. Steve Jobs has confirmed that consumers will not be allowed to install just any third party applications. “These are devices that need to work, and you can’t do that if you load any software on them,” he said. “That doesn’t mean there’s not going to be software to buy that you can load on them coming from us. It doesn’t mean we have to write it all, but it means it has to be more of a controlled environment.” [New York Times]

The lack of the ability to install just any software will greatly mitigate the risk of malicious code on Apple iPhones. Can malicious software exist? Will malicious software exist? Probably, but the amount of malicious software will definitely not be on the scale as it is today...

Ollie Whitehouse | 12 Jan 2007 08:00:00 GMT | 0 comments

Back in November, I gave a presentation to a cellular industry conference entitled “Overcoming Mobile IM Security Threats.” The purpose of this presentation was to identify the types of threats that IM has faced in the desktop world, discuss how these threats could move to the mobile world, and cover how threats could be mitigated by operators and independent software vendors before services are launched.

The threats that utilize IM are well documented by Symantec and others. An interesting thing about Mobile IM is that users of these devices can and have started popping up on legacy Internet-based IM networks. There had been talk of operators going down the route of closed IM networks for their subscribers, but now it is clear that some operators are choosing public Internet-based IM networks. This means that these Mobile IM clients are going to...

Liam O Murchu | 11 Jan 2007 08:00:00 GMT | 0 comments

We regularly see Brazilian Bancos samples that try to steal the credentials of Brazilian bank users. These are generally delivered via spam or drive-by downloads. However, recently a different form of threat was spotted that specifically targets Brazilian users.

W32.Selfish is a file infector that checks what your default language pack is and only proceeds to execute its payload if you are using the Brazilian Portuguese Language pack. If you are using a different language pack, W32.Selfish will simply execute the infected host file and exit.

When W32.Selfish is executed on a Brazilian machine, it tries to download a file from the internet and execute it. At the time of writing, this file is not accessible, so it is uncertain whether it will download a Brazilian bank password stealer. However, the emergence of this threat does show that Brazil is being specifically targeted by online criminals. Not only does this show that criminals are targeting Brazil, but it...

Liam O Murchu | 11 Jan 2007 08:00:00 GMT | 0 comments

We regularly see Brazilian Bancos samples that try to steal the credentials of Brazilian bank users. These are generally delivered via spam or drive-by downloads. However, recently a different form of threat was spotted that specifically targets Brazilian users.

W32.Selfish is a file infector that checks what your default language pack is and only proceeds to execute its payload if you are using the Brazilian Portuguese Language pack. If you are using a different language pack, W32.Selfish will simply execute the infected host file and exit.

When W32.Selfish is executed on a Brazilian machine, it tries to download a file from the internet and execute it. At the time of writing, this file is not accessible, so it is uncertain whether it will download a Brazilian bank password stealer. However, the emergence of this threat does show that Brazil is being specifically targeted by online criminals. Not only does this show that criminals are targeting Brazil, but it...

Ollie Whitehouse | 10 Jan 2007 08:00:00 GMT | 0 comments

UMA (Unlicensed Mobile Access) is a set of specifications now known as “Generic access to the A/Gb interface; Stage 2.” The purpose of these specifications is to allow cellular operators to terminate cellular services over unlicensed mediums that utilize IP. The original specifications catered to Bluetooth and WiFi, so the benefits of such a technology should be obvious. In the home or in metropolitan areas, it allows operators to move away from technologies that are costly, slower, higher-latency, or bandwidth-limited. By doing so, they reduce their own costs and improve user experience.

In March 2006, I wrote an internal Symantec paper entitled “UMA Attack Surface Analysis.” The purpose of this paper was to discuss the increased risks that subscribers or operators may be exposed to as a result of deploying UMA...

Ben Greenbaum | 09 Jan 2007 08:00:00 GMT | 0 comments

Welcome to 2007! Before we get started, I'd like to wish you all a happy, healthy, and safe year from the DeepSight research teams here at Symantec. May all your plans come to fruition, and may all your patches apply smoothly... This month's patch release by Microsoft is a little lighter than previous releases, and lighter even than initially projected by Microsoft themselves. On January 4th, as per their usual policy, they publicly released high-level details of the planned release. The initial advance notification mentioned eight patches. However, the notification was later modified to list only four releases. Included among the delayed releases are fixes for various Word issues. The updates for January that did make the cut cover 10 distinct vulnerabilities, which were primarily file-based, client-side issues in the Office suite.

MS07-001...

Hon Lau | 08 Jan 2007 08:00:00 GMT | 0 comments

It hasn't been long since reports surfaced that videos of Saddam Hussein’s execution are available for download on the Internet. It’s no surprise that enterprising malware creators have latched on to this latest news in an attempt to spread their wares.

What we have is an email spam sent to unsuspecting targets with details about where you can download a video.
Of course, this email (like past, present, and future spam) is once again taking advantage of human nature to help it spread. In this case, it is trying to appeal to the dark side of the individuals who are on the receiving end of the email.

The subject line of the email looks like this:

From: videosadan@kibeloco.com.br
Subject: Video completo da morte de Saddam Hussein

The body of the email looks like this:

...

Marc Fossi | 08 Jan 2007 08:00:00 GMT | 0 comments

Happy (belated) New Year! It’s safe to say that most people are backinto the full swing of things by now. Although the first week ofJanuary may have been a short one for some, there are many of us whowere kept on our toes in the fledgling days of 2007. We are stillwitnessing the aftermath of some annoying holiday-themed emailscontaining a mass-mailing worm, and even more recently we have beendealing with a cross-site scripting (XSS) problem involving AdobeAcrobat files.

Sadly, given these examples, it seems that the more things changefrom year to year, the more they stay the same (I know it’s a cliché).And in that regard, we have recently published the December 2006version of the Symantec Home and Home Office Security Report. Thereport discusses some of the top security news items in December aswell as a roundup of noteworthy Internet security trends for 2006. Lastmonth, there was a worm discovered to be propagating because ofmalicious URLs being sent as links in instant...

Peter Ferrie | 05 Jan 2007 08:00:00 GMT | 0 comments

With the public advisoryby Determina about a double-free bug in a CSRSS message function, theimmediate question was: does it really affect Vista? The short answeris "yes, but not reliably." Arbitrary code execution is possible, butrequires a great deal of luck, though a denial-of-service is definitelypossible.

Why the fuss? Simply put, successful exploitation of the bug allowseven the most restricted user-mode application to elevate itsprivileges to the System level. From there, the kernel is accessibleeven on Vista. Even without entering the kernel, System-levelprivileges allow almost complete control of the system, so thepossibilities are limited only by the imagination.

Of course, that the bug isn't reliable on Vista doesn't mean thateveryone can relax. The bug does affect earlier versions of Windows,where arbitrary code execution is far...