Security Response
Symantec Security Response | 14 Aug 2006 07:00:00 GMT | 0 comments

In an earlier blog regarding Microsoft's recent vulnerability announcement, MS06-040 (the Server service vulnerability) was discussed, along with how this issue would be exploitable for worm-based attacks. Although samples of proof-of-concept exploits were released last week, it was pretty quiet on this front, until now. We have now seen our first real, in-the-wild style attack leveraging MS06-040.

Here's what we know so far:
• On August 12, 2006, Symantec Security Response detected a new exploit based on MS06-040, dubbed W32.Wargbot. This is a network-aware worm that leverages the described vulnerability to spread itself to vulnerable machines. Once on a compromised machine, W32.Wargbot then proceeds to open an IRC backdoor.
• In response to this new attack, Symantec has released AV signatures specific to W32.Wargbot; however,...

Robert Keith | 11 Aug 2006 07:00:00 GMT | 0 comments

As a vulnerability analyst, I need to gather as much information as I can on new or existing vulnerabilities. Part of my job is to scour vendor security sites, public disclosure lists, and other security-related sites looking for security-related information. In the process I often come across messages, emails, or blog entries etc. that are, to me at least, quite amusing. Typically, these messages tend to be from application authors declaring that their application "can't have vulnerabilities" or that "it just isn't possible". The arguments are often made that the programmer is either too reputable, or the software that they've developed has check upon check, making it impossible for the application to have vulnerabilities. Of course, no one wants to hear that something they have created has bugs or security holes, but more often than not, unfortunately it does. More likely, the case isn't that the application is not vulnerable, but the author themselves may not understand...

Brian Hernacki | 10 Aug 2006 07:00:00 GMT | 0 comments

In a previous blog I wrote about security in municipal Wi-Fi networks and talked about what I called network identification. I wanted to talk a little more about that now. I think this is actually one of the hardest problems to deal with.

Just to recap, the problem is that when you attempt to connect to a wireless network, you do so based on the network name (the SSID). That name, however, is a very poor identifier. The administrator of the access point can name it whatever they like. So, if I want to set up an access point and name it "GoogleWi-Fi", I can. And now when anyone in range attempts to connect to a wireless network they will see one called "GoogleWi-Fi". So, how do you know who you're connecting to?

People have suggested a number of approaches. I've heard some suggestions around educating users about what names...
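To make the point concrete, here is an added example in C; it is not part of Brian's post and not Symantec code. It parses the SSID element out of 802.11 beacon frames and then counts how many distinct BSSIDs advertise a given name. The frames are constructed inside the code (not real captures) and the BSSID values and names are made up. What it shows is that the SSID is nothing more than a length-prefixed byte string set by whoever transmits the beacon, and that the same name can turn up from several unrelated BSSIDs.

```c
/* Added example (constructed data, not real captures; not code from the
 * original post): parse the SSID element from 802.11 beacon frames and
 * count how many distinct BSSIDs advertise a given network name. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAC_HDR_LEN      24
#define BEACON_FIXED_LEN 12      /* timestamp(8) + interval(2) + capability(2) */
#define IE_SSID          0       /* element ID of the SSID tagged parameter */

struct beacon_info {
    uint8_t bssid[6];
    uint8_t ssid[32];            /* SSID is at most 32 arbitrary bytes, not a C string */
    size_t  ssid_len;
    int     ok;
};

/* Walk the tagged parameters of a beacon and pull out the SSID element.
 * Returns 1 on success, 0 if the frame is not a beacon, truncated, or malformed. */
int parse_beacon(const uint8_t *frame, size_t len, struct beacon_info *out) {
    memset(out, 0, sizeof *out);
    if (len < MAC_HDR_LEN + BEACON_FIXED_LEN) return 0;
    if ((frame[0] & 0xFC) != 0x80) return 0;         /* type 0 (mgmt), subtype 8 (beacon) */
    memcpy(out->bssid, frame + 16, 6);               /* addr3 carries the BSSID in a beacon */
    size_t pos = MAC_HDR_LEN + BEACON_FIXED_LEN;
    while (pos + 2 <= len) {
        uint8_t id = frame[pos], ielen = frame[pos + 1];
        if (pos + 2 + ielen > len) return 0;         /* element claims bytes beyond the frame */
        if (id == IE_SSID) {
            if (ielen > sizeof out->ssid) return 0;  /* longer than the standard allows */
            memcpy(out->ssid, frame + pos + 2, ielen);
            out->ssid_len = ielen;
            out->ok = 1;
            return 1;
        }
        pos += 2 + ielen;
    }
    return 0;                                        /* no SSID element present */
}

/* Count distinct BSSIDs among parsed beacons that advertise exactly 'ssid'.
 * A result above 1 means the name alone cannot tell the networks apart. */
size_t distinct_bssids_for(const struct beacon_info *b, size_t n, const char *ssid) {
    size_t slen = strlen(ssid), count = 0;
    const uint8_t *seen[64];
    for (size_t i = 0; i < n && count < 64; i++) {
        if (!b[i].ok || b[i].ssid_len != slen || memcmp(b[i].ssid, ssid, slen) != 0) continue;
        int dup = 0;
        for (size_t j = 0; j < count; j++)
            if (memcmp(seen[j], b[i].bssid, 6) == 0) { dup = 1; break; }
        if (!dup) seen[count++] = b[i].bssid;
    }
    return count;
}

/* Build a minimal beacon (constructed test data): header with addr3 = bssid,
 * zeroed fixed fields, then one SSID element. Returns frame length, 0 on error. */
size_t build_beacon(uint8_t *buf, size_t buf_sz, const uint8_t bssid[6], const char *ssid) {
    size_t slen = strlen(ssid);
    size_t total = MAC_HDR_LEN + BEACON_FIXED_LEN + 2 + slen;
    if (slen > 32 || buf_sz < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x80;                                   /* management / beacon */
    memset(buf + 4, 0xFF, 6);                        /* addr1: broadcast */
    memcpy(buf + 10, bssid, 6);                      /* addr2: transmitter */
    memcpy(buf + 16, bssid, 6);                      /* addr3: BSSID */
    buf[MAC_HDR_LEN + BEACON_FIXED_LEN]     = IE_SSID;
    buf[MAC_HDR_LEN + BEACON_FIXED_LEN + 1] = (uint8_t)slen;
    memcpy(buf + MAC_HDR_LEN + BEACON_FIXED_LEN + 2, ssid, slen);
    return total;
}

/* Build one beacon for 'ssid', optionally truncate it, and report parse result. */
int parse_constructed(const char *ssid, size_t truncate_to) {
    static const uint8_t bssid[6] = {0x00,0x11,0x22,0x33,0x44,0x55};   /* made up */
    uint8_t frame[128];
    struct beacon_info info;
    size_t n = build_beacon(frame, sizeof frame, bssid, ssid);
    if (n == 0) return -1;
    if (truncate_to < n) n = truncate_to;
    return parse_beacon(frame, n, &info);
}

/* Three constructed beacons: two different BSSIDs both calling themselves
 * "GoogleWi-Fi", and one unrelated network. Returns the distinct count for 'ssid'. */
size_t demo_distinct(const char *ssid) {
    static const uint8_t bssids[3][6] = {           /* made-up addresses */
        {0x00,0x11,0x22,0x33,0x44,0x55},
        {0xDE,0xAD,0xBE,0xEF,0x00,0x01},
        {0xAA,0xBB,0xCC,0x00,0x00,0x01},
    };
    static const char *names[3] = { "GoogleWi-Fi", "GoogleWi-Fi", "CoffeeShop" };
    struct beacon_info parsed[3];
    uint8_t frame[128];
    for (size_t i = 0; i < 3; i++) {
        size_t n = build_beacon(frame, sizeof frame, bssids[i], names[i]);
        parse_beacon(frame, n, &parsed[i]);
    }
    return distinct_bssids_for(parsed, 3, ssid);
}

int main(void) {
    printf("BSSIDs advertising \"GoogleWi-Fi\": %zu\n", demo_distinct("GoogleWi-Fi"));
    printf("BSSIDs advertising \"CoffeeShop\":  %zu\n", demo_distinct("CoffeeShop"));
    printf("truncated frame parses: %d\n", parse_constructed("GoogleWi-Fi", 40));
    return 0;
}
```

A count above one is a flag, not proof of anything: large deployments legitimately reuse one SSID across many access points. The reverse caveat matters more. A single BSSID is just as easy to set as the name, so neither field is an identity; whatever solves the problem has to be something the access point can prove, which the name cannot.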

Symantec Security Response | 09 Aug 2006 07:00:00 GMT | 0 comments

Guess what time it is (again)? Yep—it's that time of the month when our friends at Microsoft open a bit of their kimono in the interest of "community service". For Star Date August 8, 2006, Microsoft presents us with a cornucopia of issues: 23 vulnerabilities spread over 12 bulletins, to be exact.

Many of the items disclosed are rated "critical" by Microsoft, and I couldn't agree more. Some of the items carrying a critical rating are highly exploitable, and the most severe of them all is contained in the MS06-040 bulletin, entitled "Vulnerability in Server Service Could Allow Remote Code Execution". The bulletin describes a buffer overflow condition in the "Server" service (which is used for sharing resources between Windows machines) that may occur if specially crafted RPC messages are sent to vulnerable machines. If successfully exploited, an attacker can take complete control of the affected system.

Worse yet, do you remember the worms of yore in the not too distantpast?...
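The overflow described in the bulletin is the classic pattern of a length field taken from the message and used to copy into a fixed-size buffer. The following is an added illustration in C, not Symantec text and not Microsoft code: a toy parser for a length-prefixed message in the style of an RPC request, with the unchecked copy shown beside a bounds-checked version. The wire layout (2-byte length, then payload), the function names, and the 64-byte buffer are assumptions for illustration; nothing here reproduces the actual MS06-040 code path.

```c
/* Added illustration, not Symantec or Microsoft code: a toy parser for a
 * length-prefixed message in the style of an RPC request. Layout, names and
 * the 64-byte buffer are assumptions; this is NOT the MS06-040 code path. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PATH_MAX_LEN 64   /* assumed fixed-size stack buffer */

/* Assumed wire format: 2-byte little-endian length, then that many bytes. */

/* VULNERABLE: trusts the length field that the remote peer controls. If it
 * exceeds PATH_MAX_LEN, memcpy writes past 'path' on the stack; if it exceeds
 * msg_len, it reads past the received data. Kept here only to contrast with
 * the checked version below; never call it on untrusted input. */
int parse_path_unsafe(const uint8_t *msg, size_t msg_len) {
    char path[PATH_MAX_LEN];
    if (msg_len < 2) return -1;
    uint16_t len = (uint16_t)(msg[0] | (msg[1] << 8));
    memcpy(path, msg + 2, len);   /* no check against sizeof path or msg_len */
    path[len] = '\0';             /* off-by-one even when len == PATH_MAX_LEN */
    return (int)strlen(path);
}

/* HARDENED: every length taken from the message is checked against both the
 * bytes actually received and the destination buffer before any copy. */
int parse_path_safe(const uint8_t *msg, size_t msg_len, char *out, size_t out_sz) {
    if (msg == NULL || out == NULL || out_sz == 0) return -1;
    if (msg_len < 2) return -1;                    /* truncated header */
    uint16_t len = (uint16_t)(msg[0] | (msg[1] << 8));
    if ((size_t)len > msg_len - 2) return -1;      /* claims more than was sent */
    if ((size_t)len >= out_sz) return -1;          /* would not fit with the NUL */
    memcpy(out, msg + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Stand-alone demonstration helper: build a message whose header declares
 * 'declared' bytes but whose payload is really 'actual' bytes of 'A', then
 * run the hardened parser into a PATH_MAX_LEN buffer. Returns the parser's
 * result: the accepted length, or -1 for a rejected message. */
int run_safe(uint16_t declared, size_t actual) {
    uint8_t msg[4096];
    char out[PATH_MAX_LEN];
    if (actual > sizeof msg - 2) return -2;
    msg[0] = (uint8_t)(declared & 0xFF);
    msg[1] = (uint8_t)(declared >> 8);
    memset(msg + 2, 'A', actual);
    return parse_path_safe(msg, 2 + actual, out, sizeof out);
}

int main(void) {
    /* Benign message for the unsafe parser: declared length matches the payload. */
    const uint8_t benign[] = { 10, 0, '\\','s','r','v','\\','s','h','a','r','e' };
    printf("unsafe parser, benign input:          %d\n", parse_path_unsafe(benign, sizeof benign));
    printf("safe parser, declared 10 / sent 10:   %d\n", run_safe(10, 10));
    printf("safe parser, declared 200 / sent 200: %d (would overflow)\n", run_safe(200, 200));
    printf("safe parser, declared 5000 / sent 10: %d (longer than message)\n", run_safe(5000, 10));
    return 0;
}
```

The checked version rejects both a length that exceeds the bytes actually received and one that would not fit the destination; the second comparison uses `>=` so that the terminating NUL fits too. A real parser would also cap the total message size before reading any header, and would treat every further length or offset inside the message with the same suspicion.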

Oliver Friedrichs | 09 Aug 2006 07:00:00 GMT | 0 comments

The Windows Vista operating system launches one of the most aggressive assaults on kernel mode security threats seen to date; even when compared to those capabilities seen in Mac OS X, Linux, and many UNIX variants. Microsoft is using a number of new security technologies in order to accomplish this:

• Driver signing (mandating digital signatures on all drivers)
• PatchGuard (protecting key kernel data structures – on 64-bit Windows)
• Kernel-mode code integrity checks (validating kernel component hashes)
• Optional support for Secure Bootup using a TPM hardware chip
• Access to \Device\PhysicalMemory blocked from user-mode

Our new paper, Windows Vista Kernel Mode Security, takes a detailed look at the Vista boot process and these new security technologies. It also discusses techniques by which driver signing and PatchGuard can be...

Ollie Whitehouse | 08 Aug 2006 07:00:00 GMT | 0 comments

I posted a blog in May that spoke about the potential for remote code execution on Windows CE devices and the problems involved with patching. I also alluded to some research Symantec had been doing at the time. Well, at DefCon this past weekend, Collin Mulliner demonstrated a remote code execution flaw via MMS on Windows CE.

Collin's slides show how he used a malformed MMS message to achieve arbitrary code execution on a device, simply by having a user view the message. This is obviously of great concern; Windows Mobile devices are becoming more and more prevalent and the substantial challenges with patching continue to exist.

At the end of 2005, the Symantec Advanced Threat Research teamperformed a detailed attack...

Eric Chien | 07 Aug 2006 07:00:00 GMT | 0 comments

While most of the threats we see today are average infostealers or IRC bots, we still regularly receive malware that sits on the fringes of the malware landscape. The fringes don’t only involve threats that run on uncommon platforms; they also include threats that use old school techniques (such as simple file infectors), or threats that are well before their time.

Recently, a virus magazine (itself an endangered species) was released that had a collection of more than 30 pieces of malware. These different types of malware fell all along the spectrum, but most of them definitely leaned towards the fringes. Some examples of the malware included were:
- a worm that spreads by modifying all the links on a Wiki to point to itself
- a MATLAB scripting virus
- a 64-bit infector
- a CHM (Compiled HTML) file infector
- a virus for FreeBSD
- more than one threat written in C#
- a virus that infects Microsoft InfoPath files
- an IDA...

Dave Cole | 04 Aug 2006 07:00:00 GMT | 0 comments

As we stand here in the middle of 2006, it’s already become a little tired to mention the shift in the threat landscape from the digital graffiti of the past to the outright criminal pursuits that dominate the industry today. The dramatic impact of this shift has left a dense fog in its wake—hanging over the industry—obscuring other important changes that have taken place during the same timeframe. Some of the more interesting trends have been specifically related to the concept of “Web 2.0”: the new genre of Web technologies and models that have emerged, like a phoenix, from the ashes of the dotcom meltdown. Let’s take a look at a few Web 2.0 trends and see what impact they have on security.

User-created content
Blogs are first to leap to mind here, but there are certainly other notable areas where the content creation responsibilities have shifted from the traditional publisher into the hands of the people. Check out the spate of new online video...

Jesse Gough | 03 Aug 2006 07:00:00 GMT | 0 comments

The continued development of insecure code was a topic at Black Hat 2006 that was explored by speaker Paul Böhm. Paul questioned why we see these same types of manifest coding issues year after year, despite over ten years of widely documented research into the matter. This pattern is not necessarily attributed to ignorance, as these mistakes are made by novice and veteran coders alike. In fact, it is not unheard of for individuals or organizations that specialize explicitly in security to eventually make a coding mistake that compromises the security of their software. One notable example of this was a vulnerability found in the grsecurity patch for the Linux kernel, which caused a product designed to harden the operating system to actually introduce a hole that would allow a full compromise.

Paul stated that...