Security Response
Amado Hidalgo | 13 Dec 2006 08:00:00 GMT | 0 comments

MS Word is under scrutiny again this month. We have some new and interesting details about the vulnerability reported by Microsoft on December 5 (referenced by CVE-2006-5994). The story shows how the road from a simple bug to a working exploit is short and sometimes unpredictable.

This morning we analyzed some new samples that had been detected as Bloodhound.Exploit.106, which is a new heuristic detection released yesterday for the Microsoft Word zero-day vulnerability (described in Microsoft Security Advisory 929433). Among the submissions received from our customers we found a Word file that turned out to be a little gem.

We found a malicious Word document that was written in Portuguese and added detection for it as...

Ben Greenbaum | 12 Dec 2006 08:00:00 GMT | 0 comments

All aboard! Welcome to another ride on the monthly Microsoft patch train. We’ve got quite a few stops this month and most are client-side vulnerabilities, meaning that an end user has to take specific actions (typically by obtaining and then opening hostile content). Unless otherwise stated, the privilege granted to the attacker for all of the below vulnerabilities is the privilege level of the victim user. Most were publicly disclosed for the first time today, but the exceptions are noted. They are listed below in the order of most to least critical for the fabled “typical” network.

Vulnerability in SNMP Could Allow Remote Code Execution MS06-074 / KB926247

This vulnerability seems almost old-fashioned in the modern security landscape – a common buffer overflow...

Ollie Whitehouse | 12 Dec 2006 08:00:00 GMT | 0 comments

Bonjour! Carrying on from my previous blog post, here is some more information on Windows CE/Mobile 5 security.

Shatter

Windows CE and Mobile, like its desktop cousin, can suffer “shatter attacks” across processes. This includes processes running at different levels of trust (please see my previous blog post and the section on One-tier versus Two-tier). For those of you unfamiliar with what shatter attacks are, there is a Microsoft TechNet bulletin that addresses the original assertion that the shatter attack condition can exist.

There are some complexities...

Symantec Security Response | 11 Dec 2006 08:00:00 GMT | 0 comments

Microsoft have announced they are investigating yet another zero-day vulnerability, apparently unrelated to the December 5 Microsoft Security Advisory 929433. According to their investigations, Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is not affected by the vulnerability. They also report that the vulnerability is being exploited on a very limited and targeted basis. Symantec Security Response is monitoring the situation and will respond appropriately once further information is available. As always, standard best practices apply in this situation and caution should be exercised when dealing with unsolicited attachments from both unknown sources, as well as from trusted sources.

Kelly Conley | 08 Dec 2006 08:00:00 GMT | 0 comments

Besides the obvious inconvenience of time wasted clicking through and deleting spam email messages, what are some of the negative effects of spam? To the average user, it’s as simple as having better things to do than hunt through their email accounts for “real” messages – messages they want to receive. For businesses, it is money spent paying employees for work they aren’t doing because they’re spending work hours picking through emails.

Then we have the hapless user who falls into a phish trap. To this user the problem can include a financial hit, not to mention the endless hours spent trying to get their money back or pursuing legal action. This often leads to a long-lasting fear of future dealings with the company that was phished. This scenario also has a negative impact on said company because they may lose a customer due to fear of recurrence. In fact, they may lose several customers if word spreads on the Internet. We call this “negative brand image” – and no...

Chintan Trivedi | 07 Dec 2006 08:00:00 GMT | 0 comments

"A browser" – that’s all we were led to believe the next generation would need to create office applications or engineering applications. Now, the focus on security has begun to divert in that direction. Statistics from the first half of 2006 showed that 69 percent of exploitable vulnerabilities were from Web applications. Web application vulnerabilities usually get mixed up with server vulnerabilities, although the two are distinctly different. Web developers who design Web sites are not usually security gurus. The developers will often leave behind various security holes in the Web application because of bad coding practices and a lack of security reviews.

On one hand, there are many security experts around the world who fuzz Web servers with variations in order to find another zero-day. The end result is that the gap between popular Web servers and exploitable vulnerabilities within them is increasing. It has been a long time since we have seen a completely exploitable security...

Eric Chien | 06 Dec 2006 08:00:00 GMT | 0 comments

In 2004, I spoke at Virus Bulletin about a new technology that at that time was known as Monad. Monad has since received an official name of Microsoft PowerShell and recently has been released for Windows XP and 2003 Server, with Vista versions following in January, 2007. PowerShell is a new command line shell, like cmd.exe, but much more powerful.

In 2004, PowerShell was still in its early beta stages and was originally rumored to be shipping in default with Vista. I examined the robust features of PowerShell and demonstrated that a variety of malicious code types were possible – including viruses, worms, and Trojans – using PowerShell. More worrying was that this new language (and platform) was a scripting language and it had the possibility to follow in the footsteps of Melissa and LoveLetter. In addition to their clever social engineering, those threats...

Symantec Security Response | 06 Dec 2006 08:00:00 GMT | 0 comments

On December 5, 2006, Microsoft announced they were investigating reports of the exploitation of a zero-day vulnerability in Microsoft Word (described in Microsoft Security Advisory 929433). There is very little information available regarding the technical details of this new vulnerability. Symantec Security Response is monitoring the situation and will respond appropriately once further information is known.

At this time, Security Response has seen various malware binaries which may be related to the limited reports noted by Microsoft. These files are detected as "Downloader" by LiveUpdate virus definitions, version 12/6/2006 rev. 16. At least one known downloaded file is detected as Backdoor.HackDefender, using Rapid Release virus definitions, version 12/6/2006 rev. 25.

The standard best practices apply in this situation and as such, caution should be exercised when...