Video Screencast Help
Security Response
Showing posts in English
Ollie Whitehouse | 08 Aug 2006 07:00:00 GMT | 0 comments

I posted a blog in May thatspoke about the potential for remote code execution on Windows CEdevices and the problems involved with patching. I also alluded to someresearch Symantec had been doing at the time. Well, at DefCon this pastweekend, Collin Mulliner demonstrated a remote code execution flaw viaMMS on Windows CE.

Collin's slides showhow he used a malformed MMS message to achieve arbitrary code executionon a device, simply by having a user view the message. This isobviously of great concern; Windows Mobile devices are becoming moreand more prevalent and the substantial challenges with patchingcontinue to exist.

At the end of 2005, the Symantec Advanced Threat Research teamperformed a detailed attack...

Ollie Whitehouse | 08 Aug 2006 07:00:00 GMT | 0 comments

I posted a blog in May that spoke about the potential for remote code execution on Windows CE devices and the problems involved with patching. I also alluded to some research Symantec had been doing at the time. Well, at DefCon this past weekend, Collin Mulliner demonstrated a remote code execution flaw via MMS on Windows CE.

Collin's slides show how he used a malformed MMS message to achieve arbitrary code execution on a device, simply by having a user view the message. This is obviously of great concern; Windows Mobile devices are becoming more and more prevalent and the substantial challenges with patching continue to exist.

At the end of 2005, the Symantec Advanced Threat Research team performed a detailed...

Eric Chien | 07 Aug 2006 07:00:00 GMT | 0 comments

While most of the threats we see today are average infostealers or IRC bots, we still regularly receive malware that sits on the fringes of the malware landscape. The fringes don’t only involve threats that run on uncommon platforms; they also include threats that use old school techniques (such as simple file infectors), or threats that are well before their time.

Recently, a virus magazine (it, in itself, an endangered species) was released that had a collection of more than 30 pieces of malware. These different types of malware fell all along the spectrum, but most of them definitely leaned towards the fringes. Some examples of the malware included were:
- a worm that spreads by modifying all the links on a Wiki to point to itself
- a MatLab scripting virus
- a 64bit infector
- a CHM (Compiled HTML) file infector
- a virus for FreeBSD
- more than one threat written in C#
- a virus that infects Microsoft InfoPath files
- an IDA...

Dave Cole | 04 Aug 2006 07:00:00 GMT | 0 comments

As we stand here in the middle of 2006, it’s already become a little tired to mention the shift in the threat landscape from the digital graffiti of the past to the outright criminal pursuits that dominate the industry today. The dramatic impact of this shift has left a dense fog in its wake—hanging over the industry—obscuring other important changes that have taken place during the same timeframe. Some of the more interesting trends have been specifically related to the concept of “Web 2.0”: the new genre of Web technologies and models that have emerged, like a phoenix, from the ashes of the dotcom meltdown. Let’s take a look at a few Web 2.0 trends and see what impact they have on security.

User-created content
Blogs are first to leap to mind here, but there are certainly other notable areas where the content creation responsibilities have shifted from the traditional publisher into the hands of the people. Check out the spate of new online video...

Jesse Gough | 03 Aug 2006 07:00:00 GMT | 0 comments

BlackHat_NoTransparency.gif

The continued development of insecure code was a topic at Black Hat 2006 that was explored by speaker Paul Böhm. Paul questioned why we see these same types of manifest coding issues year after year, despite over ten years of widely documented research into the matter. This pattern is not necessarily attributed to ignorance, as these mistakes are made by novice and veteran coders alike. In fact, it is not unheard of for individuals or organizations that specialize explicitly in security to eventually make a coding mistake that compromises the security of their software. One notable example of this was a vulnerability found in the grsecurity patch for the Linux kernel, which caused a product designed to harden the operating system to actually introduce a hole that would allow a full compromise.

Paul stated that...

Peter Ferrie | 02 Aug 2006 07:00:00 GMT | 0 comments

On July 2nd, 2006 a virus author released the first virus that infects IDC files (W32.Gatt), claiming that it would be very hard for antivirus researchers to detect and that the source code would be made public at the end of the month. Media reports at the time speculated that the virus release was intended to embarrass virus researchers because it targeted some software tools that we use to analyze malicious code. However, on July 3rd we released antivirus detection for the virus. On July 4th, the virus author withdrew the claim that the source code would be released. Coincidence? I don't think so.

Symantec’s Security Response team is just that: a response team. We responded quickly when this virus appeared and we were able to provide antivirus detections in short order. It was more than likely that the virus author had originally intended to post the source code for...

Marc Fossi | 02 Aug 2006 07:00:00 GMT | 0 comments

BlackHat_NoTransparency.gif

One server controlling thousands of client computers. Sound familiar? This statement is often used to describe a botnet. But, as Tom Ptacek and Dave Goldsmith of Matasano Security pointed out in their Black Hat presentation titled “Do Enterprise Management Applications Dream of Electric Sheep?”, the same statement can be used to describe enterprise management applications. These applications are developed to help network and system administrators with the tasks of configuring and managing hundreds or even thousands of client computers from a single server. This is also known as distributed systems management. Unfortunately, many of these enterprise management applications contain common vulnerabilities and weaknesses that were fixed in most other applications long ago.

Due to the fact that these applications...

Oliver Friedrichs | 01 Aug 2006 07:00:00 GMT | 0 comments

Following closely on the heels of the release of our first publicly available research paper, I am very pleased to present our second paper: Windows Vista Security Model Analysis. In this paper, we have taken a detailed look at the new user account protection (UAP) and user interface privilege isolation (UIPI) capabilities that form the basis of Vista’s new security model.

From our research paper's abstract:

This paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on User Account Protection and User Interface Privilege Isolation. This paper discusses these features and touches on several of their shortcomings. It then demonstrates how it is possible to combine...

Zulfikar Ramzan | 31 Jul 2006 07:00:00 GMT | 0 comments

URLs often consist of a query string that appears right after the location of the particular file to be accessed. These query strings are used to pass various data parameters to the file. For example, the URL http://www.well-known-site.com/program?query-string would send the parameter “query-string” to the program located at www.well-known-site.com. While query strings in URLs are usually meant for passing data values, enterprising attackers sometimes try to craft special query strings that include actual instructions (i.e., code); if the program processing these strings does not exercise the right precautions, it will fail to make the distinction between data and instructions, and actually end up executing the attacker's code.

Whatever...

Ollie Whitehouse | 28 Jul 2006 07:00:00 GMT | 0 comments

I thought I'd write a blog entry around this, as it seems that it is a question that comes up a lot when speaking to press, operators, enterprises, and users alike. The common question is usually along the lines of: "Why not build security into the network to protect mobile devices?" In this case the “network” could be cellular, WiFi, WiMax, or a hybrid of technologies; “mobile devices” can be cell phones, SmartPhones, PDAs or laptops, among others.

Well, there are two reasons why a network can’t mitigate all the risks involving mobile devices. First, mobile devices today are not always connected via a network that is controlled by just one entity. For example, it is feasible (although in my experience, rare) within GPRS (2.5G) or UMTS (3G) to ensure that a roaming user's traffic never touches the home operator’s Gateway GPRS Support Node (GGSN) when the user is, say, accessing the Internet using a mobile device (this is dependent on the policies of the...