Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Zulfikar Ramzan | 04 Jan 2007 08:00:00 GMT | 0 comments

Back in July, I wrote a blog entry about examples we had seen of phishing Web sites that worked entirely using Macromedia Flash. What makes these sites scary is that they cannot be analyzed in the same way as traditional HTML- or Javascript-based phishing pages.

When we first mentioned these attacks, the observations didn’t receive much external attention. Perhaps this was due to other, more pressing, issues related to the growth of phishing or, more likely, perhaps folks were in the post-Independence Day doldrums. Now, there has been a resurgence of interest in this topic as seen in some recent articles. With this resurgence, I thought it would make sense to point readers back to my original article on the subject of Flash-based...

Hon Lau | 03 Jan 2007 08:00:00 GMT | 0 comments

We have received reports of a significantproblem relating to Adobe Acrobat files and Cross Site Scripting (XSS).A weakness was discovered in the way that the Adobe Reader browserplugin can be made to execute JavaScript code on the client side. Thisstems from the “Open Parameters” feature in Adobe Reader, which allowsfor parameters to be sent to the program when opening a .pdf file. Likemost things in life, this was a feature designed for benign usage, butunfortunately somebody has discovered that it can also be used formalicious purposes.

This development is significant for a number of reasons:
• The ease in which this weakness can be exploited is breathtaking. Useof this “feature” requires no exploitation of vulnerabilities on theserver side.
• Any Web site that hosts a .pdf file can be used to conduct thisattack. All the attacker has to do is find out who is hosting a .pdffile on their Web server and then piggy back on it to mount an attack.What this means...

Candid Wueest | 02 Jan 2007 08:00:00 GMT | 0 comments

If I remember my math teacher correctly, then 1 + 1 = 2. Or, 2.0, to be trendy. In terms of the Internet today this could mean: Take one interactive Web solution plus one large user community and that will equal the next generation Web application. In 2006, we have seen many companies employing exactly this formula to create new Web services (some of which are very useful, while others are more for entertainment).

But in arithmetic you have to be sure to understand the variables you calculate with. If, like in this case, you deal with a very large active user group, then the chances of encountering people who don’t play by the rules are high. Therefore, it should be of no surprise that we have seen a rise in Web attacks toward the end of this year, especially considering the number of browser vulnerabilities that were discovered.

Jeremiah Grossman and others compiled a list of the...

TWoodward | 02 Jan 2007 08:00:00 GMT | 0 comments

Although there is no shortage of relevant news regarding the Mac OS X platform, I’m usually faced with more questions than answers when considering ideas for new Macintosh articles or blogs for the Security Response Weblog. Even though Mac OS X has been available in one form or another for about six years (not counting its pre-Apple days as NeXT/OpenStep), its security education and research community is still young and underdeveloped. With Apple’s transition to an all Intel-based architecture and the steadily increasing adoption of Mac OS X by small, medium, and large enterprises, the Mac OS X security research and education landscape is rapidly being forced to grow up.

What follows are a number of important questions to spark further research and discussion on the subject of Mac OS X and security. Please feel free to join the discussion or start a new one on the Focus-Apple SecurityFocus...

Shunichi Imano | 30 Dec 2006 08:00:00 GMT | 0 comments

Recently, we have seen many files that undermine the spirit of the holiday season. These files are typically named postcard.exe, greeting postcard.exe, or greeting card.exe. The files usually arrive as email attachments, which we have detected as W32.Mixor.Q@mm. Once infected, the worm attempts to gather email addresses from the compromised computer. It then sends a mass email with a copy of itself to those addresses.

If sending the worm is not rude enough, it also drops a Trojan horse named Trojan.Galapoper.A. The Trojan attempts to download these unwanted Christmas presents onto the infected computer from the Internet.

To mitigate the attack, customers are advised to update their products to the latest...

Ollie Whitehouse | 30 Dec 2006 08:00:00 GMT | 0 comments

Collin Mulliner gave an updated version of his presentation at 23C3 in Berlin titled ‘Advanced Attacks Against PocketPC Phones’ (we originally blogged about it in August). As I previouslymentioned, one of the vulnerabilities he discussed had, to myknowledge, still not been patched. Well Collin confirmed this in hispresentation and also released a working exploit for the...

Ollie Whitehouse | 30 Dec 2006 08:00:00 GMT | 0 comments

Collin Mulliner gave an updated version of his presentation at 23C3 in Berlin titled ‘Advanced Attacks Against PocketPC Phones’ (we originally blogged about it in August). As I previously mentioned, one of the vulnerabilities he discussed had, to my knowledge, still not been patched. Well Collin confirmed this in his presentation and also released a working exploit for the...

Ollie Whitehouse | 30 Dec 2006 08:00:00 GMT | 0 comments

Collin Mulliner gave an updated version of his presentation at 23C3 in Berlin titled ‘Advanced Attacks Against PocketPC Phones’ (we originally blogged about it in August). As I previously mentioned, one of the vulnerabilities he discussed had, to my knowledge, still not been patched. Well Collin confirmed this in his presentation and also released a working exploit for the...

Ollie Whitehouse | 29 Dec 2006 08:00:00 GMT | 0 comments

While speaking with an industry friend recently, he mentioned that he had received some spam. When viewed in plain text, the spam looked like this (the filename has been changed to save the compromised):

Subject: You have received a greeting from a family member! You can pick up your postcard at the following web address http://62.75.XXX.XXX/~XXXXXXXX/XXXXXXXXXX.exe

However, if you remove the executable from the URL, you get a directory listing:

OW_dcrim_index.jpeg

So, from this we can see the machine had been compromised for two months prior to the malicious code being placed upon the site (one day before my friend received the message). However, the individual in this...

Ollie Whitehouse | 29 Dec 2006 08:00:00 GMT | 0 comments

While speaking with an industry friend recently, he mentioned that he had received some spam. When viewed in plain text, the spam looked like this (the filename has been changed to save the compromised):

Subject: You have received a greeting from a family member! You can pick up your postcard at the following web address http://62.75.XXX.XXX/~XXXXXXXX/XXXXXXXXXX.exe

However, if you remove the executable from the URL, you get a directory listing:

OW_dcrim_index.jpeg

So, from this we can see the machine had been compromised for two months prior to the malicious code being placed upon the site (one day before my friend received the message). However, the individual in this...