Security Response
Orlando Padilla | 02 Mar 2007 08:00:00 GMT | 0 comments

The media attention surrounding the effectiveness of Windows Vista's new security features has (in my opinion) only just begun. Microsoft's reach is well beyond that of any other software vendor in the world, and with this achievement comes fame, power, and a corporate life under a microscope. To honor this tradition, I previously posted an entry about the effects of malicious code executed under a default Vista environment; if you haven't read it, you are certainly encouraged to. This research has now been completed and this new entry should serve as a complement to my previous post. A paper detailing the full research has been made available here.

The outcome of the research:

In my previous blog, I mentioned that about seventy...

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR works on the basis that it will move an application and its associated memory around, either each time it's executed or when the host is rebooted, depending on the element concerned (image load addresses are chosen once per boot, while stack and heap placement is chosen per process). The purpose of this is to hinder a class of vulnerabilities commonly referred to as memory manipulation vulnerabilities by making it difficult for an attacker to know where an application is in memory. This impedes successful exploitation, which typically relies on fixed memory addresses.

Back in December, I decided to take a brief look at the implementation of ASLR on Vista. I had seen some findings emerge during its development, but these really didn't show if the implementation was good, bad, or indifferent. Since my workload was winding down, as I had December off, and a tool I had written indicated there might be some problems, I decided to look at this in more detail. My...
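The tool Whitehouse mentions is not on this page. What follows is an added example, not his tool and not code from the paper: it reads the two PE header fields that decide whether Vista's loader will randomise an image's base at all. An image is only moved if it was linked with /DYNAMICBASE (the 0x0040 bit of DllCharacteristics in the optional header) and if it can still be relocated (the IMAGE_FILE_RELOCS_STRIPPED bit of the COFF Characteristics is clear). The in-memory PE header fixture, the helper names and the `aslr_for_flags` convenience wrapper are constructed for this example; the offsets and flag values are from the PE/COFF specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the PE/COFF specification (same names as winnt.h, defined locally). */
#define PE_OPT_MAGIC_PE32                     0x010b
#define PE_OPT_MAGIC_PE32PLUS                 0x020b
#define IMAGE_FILE_RELOCS_STRIPPED            0x0001  /* COFF Characteristics */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040  /* linked with /DYNAMICBASE */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100  /* linked with /NXCOMPAT */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

typedef struct {
    int valid;            /* 0 if the buffer is not a well-formed PE header */
    uint16_t coff_flags;  /* COFF Characteristics */
    uint16_t dll_flags;   /* optional header DllCharacteristics */
} pe_info_t;

/* Parse just enough of an in-memory PE image to read the flags ASLR depends on.
   Every offset is bounds-checked against len before it is dereferenced. */
pe_info_t pe_inspect(const unsigned char *img, size_t len) {
    pe_info_t r = {0, 0, 0};
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return r;
    uint32_t e_lfanew = rd32(img + 0x3c);
    /* need "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return r;
    const unsigned char *pe = img + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0) return r;
    const unsigned char *coff = pe + 4;
    if (rd16(coff + 16) < 72) return r;           /* SizeOfOptionalHeader */
    const unsigned char *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != PE_OPT_MAGIC_PE32 && magic != PE_OPT_MAGIC_PE32PLUS) return r;
    r.valid = 1;
    r.coff_flags = rd16(coff + 18);
    r.dll_flags = rd16(opt + 70);                 /* same offset in PE32 and PE32+ */
    return r;
}

/* Vista randomises an image only if it asks for it and can actually be relocated. */
int pe_aslr_capable(const unsigned char *img, size_t len) {
    pe_info_t i = pe_inspect(img, len);
    if (!i.valid) return 0;
    if (i.coff_flags & IMAGE_FILE_RELOCS_STRIPPED) return 0;
    return (i.dll_flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
}

/* Constructed fixture: a minimal PE32 header carrying the given flags; not a loadable binary. */
#define FAKE_PE_LEN (0x80 + 4 + 20 + 96)
void build_fake_pe(unsigned char out[FAKE_PE_LEN], uint16_t coff_flags, uint16_t dll_flags) {
    memset(out, 0, FAKE_PE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x80;                                   /* e_lfanew */
    unsigned char *coff = out + 0x80 + 4;
    memcpy(out + 0x80, "PE\0\0", 4);
    coff[0] = 0x4c; coff[1] = 0x01;                     /* Machine = I386 */
    coff[16] = 96;  coff[17] = 0;                       /* SizeOfOptionalHeader */
    coff[18] = (unsigned char)(coff_flags & 0xff); coff[19] = (unsigned char)(coff_flags >> 8);
    unsigned char *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x01;                       /* Magic = PE32 */
    opt[70] = (unsigned char)(dll_flags & 0xff);   opt[71] = (unsigned char)(dll_flags >> 8);
}

/* Convenience: build a fixture with the given flags and report whether it would be randomised. */
int aslr_for_flags(uint16_t coff_flags, uint16_t dll_flags) {
    unsigned char img[FAKE_PE_LEN];
    build_fake_pe(img, coff_flags, dll_flags);
    return pe_aslr_capable(img, FAKE_PE_LEN);
}

int main(void) {
    printf("DYNAMICBASE+NXCOMPAT, relocs present: aslr=%d\n",
           aslr_for_flags(0, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT));
    printf("DYNAMICBASE but relocations stripped: aslr=%d\n",
           aslr_for_flags(IMAGE_FILE_RELOCS_STRIPPED, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE));
    printf("no opt-in flags:                      aslr=%d\n", aslr_for_flags(0, 0));
    return 0;
}
```

To run this over a real installation, read each file under the system directory into a buffer and call `pe_aslr_capable` on it; the header check is enough to find images that will always load at their preferred base, which is exactly the set an attacker can still hard-code addresses against. The check says nothing about the quality of the randomisation itself (how many bits vary, or whether the choice is shared across processes), which is the separate question Whitehouse's tool was aimed at.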

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

When I started this project, I had one goal in mind – to understand which binaries in Windows Vista were not /GS compiled. While this may seem rather simple on the surface, as I started to dig, it became a little more complex. That said, my goal was achievable and today I'm happy to present my findings.

The purpose of my paper "Analysis of GS Protection in Windows Vista" was to show which binaries under a default installation of Windows Vista 32-bit RTM were not protected by the Visual Studio 2005 /GS compiler flag. This, in turn, was designed to help Symantec and our clients understand any exposure, either direct or indirect, which may result from this lack of protection.

The abstract for my paper is as follows:

Visual Studio 2002 introduced the Buffer Security Check (/GS) option to protect stack variables from overflows that resulted in arbitrary code...
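The abstract says what /GS protects against but not how. The following is an added example, not code from Whitehouse's paper or from Microsoft's runtime: it models the /GS stack cookie in plain C, with the frame laid out as a struct so the overflow is deterministic, and runs the same linear overflow through an unprotected copy (where it reaches the saved return address) and a cookie-checked copy (where the epilogue check catches it). The cookie value, the frame layout, the payload and every function name are constructed for the example; a real /GS prologue also XORs the cookie with the frame pointer, and the failure path calls __report_gsfailure and terminates the process instead of returning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for __security_cookie. The real value is set once per
   process from clock and process data so an attacker cannot predict it. */
static const uint32_t security_cookie = 0x2b992ddfu;
#define GOOD_RET 0x00401000u   /* constructed "legitimate" return address */

/* The frame as /GS lays it out: the cookie sits between the local buffer and
   the saved return address, so a linear overflow of buf must pass through it.
   Modelled as a struct so the overflow stays inside one object; the real
   compiler arranges this on the stack and moves arrays above other locals. */
typedef struct {
    char     buf[16];
    uint32_t cookie;
    uint32_t saved_ret;
} gs_frame_t;

enum { GS_OK = 0, GS_COOKIE_SMASHED = 1 };

/* Unprotected copy. Returns 1 if saved_ret ended up overwritten. */
int copy_unprotected(const unsigned char *input, size_t len) {
    gs_frame_t f;
    memset(&f, 0, sizeof f);
    f.saved_ret = GOOD_RET;
    if (len > sizeof f) len = sizeof f;       /* keeps the demo itself in bounds */
    memcpy((unsigned char *)&f, input, len);  /* unbounded copy into buf (offset 0) */
    return f.saved_ret != GOOD_RET;
}

/* /GS-style copy: the prologue stores the cookie, the epilogue checks it
   before the saved return address would be used. */
int copy_gs_protected(const unsigned char *input, size_t len) {
    gs_frame_t f;
    memset(&f, 0, sizeof f);
    f.saved_ret = GOOD_RET;
    f.cookie = security_cookie;               /* prologue */
    if (len > sizeof f) len = sizeof f;
    memcpy((unsigned char *)&f, input, len);  /* the same vulnerable copy */
    if (f.cookie != security_cookie)          /* epilogue: __security_check_cookie */
        return GS_COOKIE_SMASHED;             /* real code never returns from here */
    return GS_OK;
}

/* Constructed attacker input: fill buf, clobber whatever sits in the cookie
   slot, then place new_ret over saved_ret. Returns the payload length, or 0
   if out is too small. */
size_t build_payload(unsigned char *out, size_t cap, uint32_t new_ret) {
    const size_t ret_off = offsetof(gs_frame_t, saved_ret);
    if (cap < ret_off + sizeof new_ret) return 0;
    memset(out, 'A', ret_off);
    memcpy(out + ret_off, &new_ret, sizeof new_ret);  /* host byte order is fine in-process */
    return ret_off + sizeof new_ret;
}

int demo_benign_unprotected(void) { return copy_unprotected((const unsigned char *)"hello", 5); }
int demo_benign_protected(void)   { return copy_gs_protected((const unsigned char *)"hello", 5); }
int demo_attack_unprotected(void) {
    unsigned char p[sizeof(gs_frame_t)];
    return copy_unprotected(p, build_payload(p, sizeof p, 0xdeadbeefu));
}
int demo_attack_protected(void) {
    unsigned char p[sizeof(gs_frame_t)];
    return copy_gs_protected(p, build_payload(p, sizeof p, 0xdeadbeefu));
}

int main(void) {
    printf("benign input: unprotected ret overwritten=%d, /GS result=%d\n",
           demo_benign_unprotected(), demo_benign_protected());
    printf("attack input: unprotected ret overwritten=%d, /GS result=%d (1 = cookie smashed)\n",
           demo_attack_unprotected(), demo_attack_protected());
    return 0;
}
```

The check only fires for writes that pass through the cookie on their way to the return address. An overwrite that skips it (an indexed write with an attacker-controlled offset, a heap overflow, or on x86 an overwrite of an exception handler record that is used before the epilogue runs) is not caught, which is why the binaries that lack /GS matter in combination with ASLR and DEP rather than in isolation.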

Juniper Security Research | 01 Mar 2007 08:00:00 GMT | 0 comments

This is the first guest blog post from the Juniper Security Research Lab. We wish to thank our partners at Symantec for allowing us to use this forum and further show the value in our partnership that was announced last September.

Today marks the first vendor-acknowledged vulnerability that was found by a Juniper Security Researcher. The vulnerability was found by Karl Lynn and is a buffer overflow in the Citrix Presentation Server Client for Windows. If successfully exploited, this vulnerability can allow remote code execution; the malicious code will run in the context of the logged-in user.

We will not be releasing a separate advisory from the vendor release, and we do strongly recommend that those using this software install the patch from Citrix. Users of our IDP can rest assured that they are protected against this vulnerability with our latest...

Eric Chien | 28 Feb 2007 08:00:00 GMT | 0 comments

Soon after information was released about a vulnerability in the in.telnetd daemon in Solaris 10, Symantec's DeepSight monitoring system began to see spikes in port 23 traffic. Most of this traffic was due to people scanning for vulnerable systems. However, yesterday we saw a renewed spike in traffic that has been correlated with a worm known as Wanuk, which uses the vulnerability to spread.

[Figure: wanuk_fig1.jpg]

Once Wanuk is on the system, it drops an executable that creates a /bin/sh back door, which listens on port 32982/TCP. In addition, Wanuk's payload includes sending out system broadcast messages of creatively designed shout-outs to a...

Elia Florio | 28 Feb 2007 08:00:00 GMT | 0 comments

People using Web 2.0 have personal Web spaces, blogs, and online discussions on forums and public boards. Everyone can create Web content from his or her own computer just by using the browser. So what would be the perfect vector for spreading malware in the Web 2.0 world? The Web itself, of course.

On Monday we posted a blog about a new variant of Trojan.Mespam distributed via the Storm Worm/Peacomm botnet. We noticed that this new Mespam takes advantage of new Web technologies and spreads by injecting malicious links when users interact with the Web.

What does this mean? When users are about to post something on any Web site running vBulletin or phpBB, the Trojan sneakily adds a malicious link into the outgoing HTTP request. The same also happens when users are sending email using Web clients such as Gmail, Yahoo, Lycos, Tiscali...