Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Jesse Gough | 03 Aug 2006 07:00:00 GMT | 0 comments


The continued development of insecure code was a topic at Black Hat 2006 that was explored by speaker Paul Böhm. Paul questioned why we see these same types of manifest coding issues year after year, despite over ten years of widely documented research into the matter. This pattern is not necessarily attributed to ignorance, as these mistakes are made by novice and veteran coders alike. In fact, it is not unheard of for individuals or organizations that specialize explicitly in security to eventually make a coding mistake that compromises the security of their software. One notable example of this was a vulnerability found in the grsecurity patch for the Linux kernel, which caused a product designed to harden the operating system to actually introduce a hole that would allow a full compromise.

Paul stated that...

Peter Ferrie | 02 Aug 2006 07:00:00 GMT | 0 comments

On July 2nd, 2006 a virus author released the first virus that infects IDC files (W32.Gatt), claiming that it would be very hard for antivirus researchers to detect and that the source code would be made public at the end of the month. Media reports at the time speculated that the virus release was intended to embarrass virus researchers because it targeted some software tools that we use to analyze malicious code. However, on July 3rd we released antivirus detection for the virus. On July 4th, the virus author withdrew the claim that the source code would be released. Coincidence? I don't think so.

Symantec’s Security Response team is just that: a response team. We responded quickly when this virus appeared and we were able to provide antivirus detections in short order. It was more than likely that the virus author had originally intended to post the source code for...

Marc Fossi | 02 Aug 2006 07:00:00 GMT | 0 comments


One server controlling thousands of client computers. Sound familiar? This statement is often used to describe a botnet. But, as Tom Ptacek and Dave Goldsmith of Matasano Security pointed out in their Black Hat presentation titled “Do Enterprise Management Applications Dream of Electric Sheep?”, the same statement can be used to describe enterprise management applications. These applications are developed to help network and system administrators with the tasks of configuring and managing hundreds or even thousands of client computers from a single server. This is also known as distributed systems management. Unfortunately, many of these enterprise management applications contain common vulnerabilities and weaknesses that were fixed in most other applications long ago.

Due to the fact that these applications...

Oliver Friedrichs | 01 Aug 2006 07:00:00 GMT | 0 comments

Following closely on the heels of the release of our first publicly available research paper, I am very pleased to present our second paper: Windows Vista Security Model Analysis. In this paper, we have taken a detailed look at the new user account protection (UAP) and user interface privilege isolation (UIPI) capabilities that form the basis of Vista’s new security model.

From our research paper's abstract:

This paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on User Account Protection and User Interface Privilege Isolation. This paper discusses these features and touches on several of their shortcomings. It then demonstrates how it is possible to combine...

Zulfikar Ramzan | 31 Jul 2006 07:00:00 GMT | 0 comments

URLs often consist of a query string that appears right after the location of the particular file to be accessed. These query strings are used to pass various data parameters to the file. For example, the URL would send the parameter “query-string” to the program located at While query strings in URLs are usually meant for passing data values, enterprising attackers sometimes try to craft special query strings that include actual instructions (i.e., code); if the program processing these strings does not exercise the right precautions, it will fail to make the distinction between data and instructions, and actually end up executing the attacker's code.


Ollie Whitehouse | 28 Jul 2006 07:00:00 GMT | 0 comments

I thought I'd write a blog entry around this, as it seems that it is a question that comes up a lot when speaking to press, operators, enterprises, and users alike. The common question is usually along the lines of: "Why not build security into the network to protect mobile devices?" In this case the “network” could be cellular, WiFi, WiMax, or a hybrid of technologies; “mobile devices” can be cell phones, SmartPhones, PDAs or laptops, among others.

Well, there are two reasons why a network can’t mitigate all the risks involving mobile devices. First, mobile devices today are not always connected via a network that is controlled by just one entity. For example, it is feasible (although in my experience, rare) within GPRS (2.5G) or UMTS (3G) to ensure that a roaming user's traffic never touches the home operator’s Gateway GPRS Support Node (GGSN) when the user is, say, accessing the Internet using a mobile device (this is dependent on the policies of the...

Ben Greenbaum | 27 Jul 2006 07:00:00 GMT | 0 comments

Many years ago, almost all vulnerabilitieswere a “zero-day” style in some respect. Vendors did not, for the mostpart, talk about security defects in their products and in fact,several chose not to address them at all. Information about ways tobreak into systems remained primarily in the hands of the attackers.Things began to change in the mid-90s, when the discussion of securitybugs became more widespread. Vendors started to participate moreactively in the dissemination of protective information with the goalof enabling their customers to defend their digital assets. Variouscommunities sprouted up to facilitate this discussion, vendors set upsecurity-alert mailing lists and Web sites, and the general awarenesslevel of computer security was raised substantially. During this timethere were, of course, those who still chose to keep vulnerabilityinformation to themselves for their own purposes, but the overalldiscussion of these issues was open and frank. Flaws were discovered,...

Candid Wueest | 26 Jul 2006 07:00:00 GMT | 0 comments

Mozilla’s Firefox browser is quite popular and it is often recommended when it comes to the question: What is a safe browser alternative? Unfortunately, this does not necessarily mean that you are not susceptible to browser attacks.

Microsoft Internet Explorer is often hijacked by malware that drops browser helper objects (BHO), which will then be loaded every time the user starts Microsoft Internet Explorer. The BHOs can then manipulate data that is sent to the Internet and (for example) steal passwords or monitor user habits. With the Cross Platform Component Object Model (XPCOM), something similar to a BHO exists on the Mozilla side. It is a framework for developers to create modules that access features of the Gecko engine. For example, Firefox extensions are written with XPCOM and can therefore integrate seamlessly into Firefox.

Of course, it shouldn’t be a big surprise that this technique can also be used with malicious intent. Unwanted extensions that we...

Brian Hernacki | 26 Jul 2006 07:00:00 GMT | 0 comments

Lately, there has been a whole bunch of cities announcing plans for the creation of municipal (“muni”) Wi-Fi networks. From San Francisco and Silicon Valley to New York, Philadelphia, Toronto, and even Paris, this seems to be the hot new thing to...

Symantec Security Response | 24 Jul 2006 07:00:00 GMT | 0 comments

Email is a great way to communicate with a wide audience, and the bad guys know it. We have seen yet another case of spam email that contains malicious code as an attachment. The attachment is a ZIP file ( -> WC2905036.exe) that contains a Trojan horse program that will create a backdoor on a user's system when executed. This threat is detected as Backdoor.Haxdoor.O. Some variants may be detected as Backdoor.Haxdoor.I.

This Trojan attempts several things: downloads and executes files, logs keystrokes, listens on TCP ports, etc. We have only seen a few minor variants thus far, but one thing to be aware of is that the spam email purports to be from an online retailer that is asking the user to review an attached invoice. We have...