Security Response
TWoodward | 22 Feb 2007 08:00:00 GMT | 0 comments

While Microsoft has chosen a scheduled update approach, Apple Inc. releases updates on an "as-needed" basis. While each approach is arguably valid, during Apple's World Wide Developer Conference last year, Bud Tribble, VP of Software Technology at Apple, addressed why Apple decided on its approach: "There is some controversy in IT shops asking 'Wouldn’t it be easier if [Apple] could have their security updates scheduled on a monthly basis?' We think it’s better to get those security updates out as soon as we can get them out and not wait for the next month to roll around."

First out of the gate is "Security Update 2007-002" containing four patches against vulnerabilities discovered during the "Month of Apple Bugs" campaign. (See Aaron Adams' "...

Jeremy Ward | 22 Feb 2007 08:00:00 GMT | 0 comments

If 2006 was the year of NAC, then 2007 is already shaping up to be the year of Risk Management. Perhaps you missed many of the analyst and expert New Year’s predictions of information security evolving into IT Risk Management this year, but a brief walk through RSA’s show floor and a perusal of the product news coverage would have only confirmed 2007’s focus on IT risk.

Similar to NAC’s challenges, there seems to be a good deal of confusion regarding the definition of IT Risk Management and how it is practiced. Fortunately—nearly one year later and after 500+ in-depth interviews with IT executives and business professionals worldwide—Symantec released the results of a new study, the IT Risk Management Report. The report is designed to cut through some of the industry noise and help organizations understand the fundamental elements of IT...

Zulfikar Ramzan | 21 Feb 2007 08:00:00 GMT | 0 comments

In this blog entry, I’ll talk about where malicious software (or malware) can find its place within the lifecycle of phishing attacks. This material accompanies a recent panel I participated in during the American Association for the Advancement of Science Annual meeting. If you attended the panel, this blog will review the points I made. If you missed the panel, then hopefully you’ll get a sense for what I covered.

Phishing: Overview and Motivation. Recall that a phishing attack is one where some illegitimate entity sends you an email posing to be a legitimate entity, like a bank or credit card company. Their goal is typically to get you to click on a link in the email, which directs you to a Web site that appears to be that of the legitimate entity. You are prompted to enter sensitive information, and from that point onward, the information is in the hands of an attacker. Not only can he or she wipe your accounts clean, but that information can then be used...

Ollie Whitehouse | 20 Feb 2007 08:00:00 GMT | 0 comments

People who have been following the not unexpected initial wave of security research with regards to Windows Vista will have seen a few informative blog posts recently. First, in a blog titled "Running Vista Every Day!" Joanna Rutkowska pointed out some issues with UAC, one of them being a simple implementation bug in UIPI. This, I believe in part, resulted in Mark Russinovich writing his blog entry "PsExec, User Account Control and Security Boundaries." Joanna posted another blog, "Vista Security Model - A Big Joke?" in response to Mark's blog post. And then followed it with "...

Elia Florio | 20 Feb 2007 08:00:00 GMT | 0 comments

This morning we received reports of spammed emails with the following bodies:

John Howard survived a heart attack
Read more: http://wi[REMOVED]news.hk

Prime Minister survived a heard attack
Read more: http://in[REMOVED]help.hk

Once again, it’s the usual attack that tries to lead victims to a Web site that hosts exploit code. In this case, the attackers also added some additional social engineering fun to pursue their criminal purposes. In fact, when someone visits the hostile Web site, it shows a false “502” error and gently suggests shutting down firewall and antivirus software to avoid the problem. (Of course! What else? Do you want my credit card number? Send money to your bank?)

...

Peter Ferrie | 19 Feb 2007 08:00:00 GMT | 0 comments

A colleague of mine came to see me one morning recently with an unusual result. For reasons that he didn't explain to me (he called it "a secret project"), he had intentionally placed a particular encoding of an invalid instruction near the end of a valid page, next to an unallocated page, then executed that instruction. However, instead of seeing the expected invalid opcode exception, he was seeing a page fault. Initially, I thought that it was related to the unexpected LOCK exception bug in Windows that I documented here, but it turned out to be something else entirely.

It turns out that the CPU performs a complete fetch, including parsing the ModR/M byte, prior to performing any kind of decoding. Thus, because of the instruction encoding that he had used, the CPU was attempting to retrieve all of the necessary bytes first, before it knew that the...

Debbie Mazurek | 19 Feb 2007 08:00:00 GMT | 0 comments

One of the most common practices in software development is code reuse. Developers use the strategy to save time and money by reducing redundant tasks, and the theory is put into practice in several popular content management systems available to users who want to create their own Web presence.

The CMS, or content management system, is a framework that can be used by both experienced and novice developers to produce Web sites for countless purposes. From blog sites (like this one) to e-commerce sites, for Fortune 500 companies to private individuals, a CMS can make developing content for the Web a whole lot easier.

Many of the popular CMS varieties employ a modular approach that makes it easy to construct your own add-ons to suit any purpose you'd like - searching, FAQ building, file uploading, news posting - the list goes on. In fact, the odds are good that someone else has already made the add-on you seek: they figured out code reuse.

Joomla! and Mambo are two...

James O'Connor | 16 Feb 2007 08:00:00 GMT | 0 comments

There has been much talk recently about the launch of Windows Vista, and one feature in particular: Speech Recognition. Speech Recognition allows the user to dictate arbitrary text to the computer (a letter, for example) using speech instead of the keyboard. It also allows the user to carry out normal computing tasks via a choice of pre-defined commands. There are commands such as "delete that," "press escape key," and "what can I say?" This last one shows the user what kinds of commands they can use in the current situation. If Speech Recognition is running, but sleeping, the user says "start listening" to activate it.

It has been suggested that Speech Recognition could be subverted for nefarious purposes using malicious audio clips. The scenario would be as follows:

• The user is browsing the Web, with Speech Recognition enabled.
• They visit a Web site, with a background audio clip that plays as soon as the site is opened.
• The audio clip contains commands that...