Vulnerabilities & Exploits

Security Intel ... | November 21st, 2009
A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future.  When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors.  For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer. The exploit targets a vulnerability in the way Internet Explorer uses cascading style sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites’ content. Symantec currently detects the exploit with the Bloodhound.Exploit.129 antivirus signature and is...
0 comments
Leo Nikora | November 20th, 2009
Endpoint Protection 11.0.5002.333 failed to even find (much less fix) the Sheur2 trojan. AVG did find and fix it.
0 comments
Marian Merritt | November 20th, 2009
I had the honor recently of moderating a virtual roundtable discussion on the top Internet security trends from 2009 and what we expect to see in the security threat landscape in 2010. Funny thing about security predictions—you hope they won’t come true, but expect them to anyway. The roundtable featured expert panelists Paul Wood (Senior Analyst, MessageLabs Intelligence, Symantec) and Zulfikar Ramzan (Technical Director, Symantec Security Response). They each have unique insights into the world of cybercrime, spam, phishing attacks, and other cyberthreats that plague us all.   We want to give a big thanks to everyone who joined in to listen to our experts, and we hope you found it interesting. For those of you who couldn’t make it, please take a few minutes to listen to the podcast of the actual roundtable. You can read more about Symantec’s top trends from 2009 and our predictions for 2010 by clicking on the following links:   Breadth of Security...
0 comments
Kevin Haley | November 17th, 2009
Yes, it’s a cheap trick and not even close to original. But the lesson here is that even obvious social engineering tricks can get people to click on a link. We can’t help ourselves. We love to click. Clicking on links and attachments that are accompanied by just the slightest bit of social engineering appears to be a basic human need. I expect it to show up in a revision of Maslow’s Hierarchy of Human Needs any day now—behind love, but certainly ahead of safety. I do have a point to all this. Two actually. As we compiled the Security Trends to Watch in 2010, what occurred to me is that the people who most needed to read this information never will. At least not without some social engineering on my part. And since social engineering plays such a prominent role in future trends, it seemed appropriate. So I’ve decided to use this little trick to get people to read the list of trends below. So… Don’t read this if you think antivirus technology...
0 comments
Kevin Haley | November 17th, 2009
The Security Response team has compiled the top security trends of 2009. We pulled data from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec to come up with the top trends for the year. While none of these trends will be a surprise to anyone even casually following the threat landscape, when compiled and summarized, it is clear that the breadth of security problems in the past year was pretty stunning. For example:
• Toolkits and threat recycling have made malware easier to create than ever
• Polymorphic technology is being applied to make threats harder to catch
• Botnets, large and small, are used as the foundation of attacks, making most attacks complex
• All major news events are used for social engineering
• Major brands are being appropriated by cybercriminals to lure online victims
But, it’s the...
0 comments
MarissaVicario | November 17th, 2009
Posted on behalf of Paul Wood This week I had the pleasure of sitting on a panel with some of the best and the brightest among my Symantec colleagues to reflect on 2009’s threat landscape and what we anticipate for the year ahead. We concur that what we’ve seen this year was ugly. Botnets prevailed and took over as a primary means of spamming and spreading malware and social engineering attacks became more sophisticated. But what we also know is that this year pales in comparison to what 2010 is expected to bring: fast flux botnets will dominate, IM spam will rear its head, rogue security software vendors will up their game, fraud targeted at social networking apps will grow, new CAPTCHA bypass techniques will emerge... to name a few. That’s the bad news. The good news is that with a bit of preparation and the right security solutions in place, we can continue to outsmart the bad guys. So without further ado, I present to you Symantec’s 2010 Security...
0 comments
Adrian Pisarczyk | November 16th, 2009
On November 4, 2009, Marsh Ray published detailed information about a vulnerability that affects the TLS/SSL protocols and allows for limited man-in-the-middle (MITM) attacks. We say “limited” because the attack exploiting this issue would be different from traditionally viewed MITM attacks, which would involve an attacker placing themselves in the middle of the SSL session between a client and a server and being able to intercept, view, and modify any requests or responses exchanged by the two communicating parties. In an attack using this recent TLS vulnerability, due to the way SSL-enabled applications handle the session-renegotiation process, an attacker may inject arbitrary plaintext into the beginning of the application protocol stream. This can affect multiple protocols that can communicate over an SSL session, such as HTTPS, IMAP, POPS, SIP, etc. Note that in this attack, the attacker would have no ability (at least without additionally exploiting other...
0 comments
Robert Keith | November 10th, 2009
Hello and welcome to this month’s blog on the Microsoft patch releases. This is a moderate month—the vendor is releasing six bulletins covering a total of 15 vulnerabilities. Three of the issues are rated “Critical” and affect Web Services on Devices API, License Logging Server, and the Windows kernel. An attacker could exploit these issues remotely to gain complete control of a vulnerable computer. The remaining issues, rated “Important”, affect Excel, the Windows kernel, Office, and Active Directory. Although these are only rated “Important” by Microsoft, we consider the Office and Excel issues quite serious and advise customers to apply updates as soon as possible. As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of...
0 comments
Peter Coogan | November 4th, 2009
The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.
Figure 1.
The authors of Fragus stick to this formula, but in addition have employed the use of a legitimate software protection tool known as ionCube PHP Encoder to protect...
0 comments
MisterZip | October 23rd, 2009
Attachments with the incorrect MIME type of "application/applefile" get stuck in the queue. There is no notification to either the sender or the recipient, and an error message will not be generated until the queue is manually purged (or the server is rebooted). The net result is that the sender has no idea the message was not delivered until many days, perhaps months or years, after the fact. Thunderbird and Firefox mimeTypes.rdf files can be accidentally (or maliciously) corrupted so that normal Word or PDF files are incorrectly classified as application/applefile instead of application/pdf or application/msword. That part is obviously not your problem, but silently sitting on a message that will never be delivered is not an appropriate reaction to what is otherwise a minor bug. If the message is actually delivered, the attachment will be intact, and some mail clients will have no issue whatsoever with the file.
7 comments
soumyaghosh | October 22nd, 2009
I have seen this message in the NTP log. I have also attached the print screen. Can anybody help me out...
Soumya Ghosh
Network Executive
Shriram Insight Share Brokers Limited
India
3 comments
WowandIT | October 22nd, 2009
Just wanted to throw a question out there to see if anyone else has experienced this issue before. We have over 4,000 computers in our firm and have recently rolled out SEP11. We first had issues with profiles being blocked, which has since been resolved. Now we're seeing machines (a small number but still....hehe) that have received SEP11 and upon reboot, are dead in the water. The machines boot up to our default background but don't load the local machine policy, etc. Ctrl+Alt+Delete never shows up. It's almost as if the machine is locked up, but the mouse cursor and the keyboard still work. Safe Mode is the same: it boots into Safe Mode but never loads all the way to Ctrl+Alt+Delete. While the machine is up, there is no way to manage it. We've had to resort to imaging the machines to restore functionality. Restoring from the registry is hit or miss and I was wondering if there was an alternate resolution?!?! Thanks
11 comments
jomargonzales | October 21st, 2009
This will manually remove Daprosy on your computer. Please see the attached file and read the procedure.
0 comments
Pequenina | October 19th, 2009
Good night. Sometimes I've been struggling with a problem with what I believe is a new virus. When I put an infected pen drive in a healthy PC, it comes up with some shortcuts to the folders Music, Pictures, Videos, and a shortcut to a txt file whose name is Password. Symantec (including the new version 11.0.5) detects it as biecei.exe (or any other name), but does not remove it, nor quarantine it. What to do?? HEEELLPPPP
5 comments
grovenat | October 16th, 2009
I am currently in the military and I am having problems with Symantec Endpoint Protection and this virus "Bloodhound.exploit.196". Can someone help me, as I have been searching all your forums. I did find this one: http://www.symantec.com/connect/forums/symdeltmps but I am unable to download the symdeltmps. Any help would be much appreciated. Thanks, Nate
4 comments
teiva-boy | October 16th, 2009
On CD2 or whichever, Symantec should provide a WinPE ISO image with SEP embedded. Much like the BESR boot CD, just put SEP in there. This would go a long way to assisting with off-line scans, rather than pulling the HDD and putting it in another PC, risking infection in rare cases. Even selling it as a one-time add-on would be handy too! If you don't provide a WinPE image, how about providing a WinPE validator, which the customer provides to show we already have the media, and then you create a new image with SEP installed. An Altiris competitor does something like this, where to create their boot CD for imaging, you have to prove you own WinPE by sticking in that CD first. It should have LiveUpdate capabilities too, so we can update on the fly as needed.
0 comments
Vikram Kumar-SA... | October 13th, 2009
What is a Peer to Peer (P2P) Application? P2P is nothing but Peer to Peer networking. Just as we have the Server - Client model and the Peer to Peer network, these P2P applications work in the same way. You need a P2P program that is installed on your computer; it creates a community of P2P application users and a virtual network between these users. For the user it will look as if it is a Peer to Peer network, and he can share files from his local computer and download files shared by other users. It is very similar to Instant Messaging like Yahoo, AOL or GTalk where, even though the people we are talking to are on a different network, a virtual network is created so it looks as if we are on the same network and we can share files and chat. P2P applications have been very much in demand for the last couple of years. A P2P application is mainly used for sharing Music, Movies, Games and other files. What are the disadvantages of Peer to Peer (P2P) Applications? Is it...
11 comments
Robert Keith | October 13th, 2009
Hello and welcome to this month’s blog on the Microsoft patch releases. This is a very heavy month—the vendor is releasing 13 bulletins covering a total of 34 vulnerabilities. Twenty-one of the issues are rated “Critical” and affect GDI+, Active Template Library (ATL), Media Player, .NET, Silverlight, Internet Explorer, Server Message Block (SMB), and Media Runtime. Most of those are client-side vulnerabilities that require a victim to open a malicious file or visit a malicious page. The SMB issue is a fairly serious server-side vulnerability that was reported early last month. The remaining issues, rated “Important” and “Moderate,” affect GDI+, Windows Indexing Service, Windows kernel, CryptoAPI, Internet Information Services (IIS), LSASS, and SMB. As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
-...
0 comments
Doug H. | September 22nd, 2009
Have several remote servers running Symantec Backup Exec For Windows Servers 11d and receiving alerts through our IPS when it is trying to communicate back to our domain controller. The alert received is: Event Type Details: Symantec Storage Foundation for Windows VxSchedService.exe Authentication Bypass Vulnerability. Symantec Storage Foundation for Windows versions 5.0, 5.0 RP1a, and 5.1 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. The vulnerability is due to an error in the Storage Foundation for Windows Scheduler Service. An unauthenticated, remote attacker could exploit this vulnerability by establishing a connection to the affected service via TCP port 4888. The attacker could leverage this access to execute arbitrary code by modifying the system registry with elevated privileges. Symantec has confirmed this vulnerability and released updated software. Wondering if this product has the same vulnerability because it may use...
0 comments
Kim2VP | September 21st, 2009
I have a laptop user that started to get a popup this morning for Windows Police Pro. I shut down his computer, removed the hard drive and slaved it to my computer and ran Symantec Endpoint Protection 11.0.4202.75. After several hours of a full system scan of the drive, all it found was a single instance of Trojan.Dropper. His computer is also running Symantec Endpoint Protection 11.0.4202.75 and had the latest virus definitions. I put the hard drive back in his laptop, booted up, and the first thing that pops up is Windows Police Pro again.
1. Why is Trojan.Dropper getting through undetected by SEP?
2. How can I get rid of Windows Police Pro?
Thanks.
17 comments
neil_rogers | September 17th, 2009
Everyone knows USB drives are a huge chance for losing data. I found a way to make that worse. I bought a USB drive for my wife to use on her personal laptop. We all carry at least one of these. Her drive stopped being recognized, let alone working on the system. Since it had only been used 3 times, I wanted the manufacturer to replace it under warranty. They offered to exchange it only if I sent it back with the drive intact. I was shocked that they required me to send it back. They had a fax number: if I was with the government and could send letterhead of such an organization asking not to send the drive, they would exempt it. So a new drive costs $60-$150 depending on size. Having personal, let alone any corporate, data on the drive and it falls into the wrong hands, which if it is being sent in a box that says what company makes the drive or is addressed to the company, it would be easy for someone to take a look inside to...
1 comments
Satyam Pujari a... | September 17th, 2009
It has always been observed that the autoplay/autorun feature of the MS Windows OS is one of the most preferred methods of malware propagation. We've witnessed some devastating examples of malware which used this feature effectively to replicate and convert a single machine infection into a malware outbreak within the first few hours. Conficker a.k.a. W32.Downadup is the most recent example of such malware. But this is not at all a new method of infection; rather, this method of infection has been around for decades. Some more popular examples are Trojan.Brisv.A!inf, W32.Gammima and many more in the long list. Many other AV vendors detect autorun.inf but Symantec does not. Many people take it the wrong way, but there's a valid reason behind this decision why Symantec does not detect autorun.inf.
https://www-secure.symantec.com/connect/forums/autoruninf-virus-remains-undetected
The answer is pretty simple and logical: "It's a feature of MS Windows OS which is...
5 comments
BIGf00t | September 16th, 2009
Hello! I am evaluating the most current edition of Symantec Backup Exec System Recovery. I would like to use the backup to FTP option, but I am wary of sending the content of my servers over an unencrypted connection with passwords and files in plain text. An FTP connection has a username and password which can be intercepted, which means a malicious person could in theory grab that password and download the contents of your FTP. That being said, please advise the following.
1. What type of security do the files which are being transmitted via the FTP contain? If they are encrypted, the malicious user would have no gain from downloading them, thus there is no concern. If the backup files are encrypted and protected, what type of protection is there?
2. Is it possible to have Backup Exec open a PPTP VPN session to the FTP server, stream the data over a secured PPTP connection, and then close that connection every time the online offsite backup occurs? This would properly...
2 comments
Greg Ahmad | September 15th, 2009
Recently we became aware of a new security vulnerability that affects various versions of Microsoft Windows operating systems. This vulnerability allows remote attackers to carry out denial-of-service and local privilege escalation attacks against affected computers and though not confirmed, it may also facilitate remote code-execution with kernel-level privileges. The issue was publicly released on September 7, 2009, by a researcher named Laurent Gaffié. The researcher published proof-of-concept code and some technical details on the Full Disclosure mailing list. He indicated that the code targets the Microsoft Server Message Block version 2 (SMB v2) protocol implementation in Microsoft Windows Vista and Windows 7 and it could be used to trigger a denial-of-service condition in the affected operating systems. We tested the exploit code and confirmed the issue on Windows Vista SP1 and Windows Server 2008. Subsequent analysis revealed that the vulnerability specifically affects...
0 comments
Robert Keith | September 8th, 2009
Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing five bulletins covering a total of eight vulnerabilities. Six of the issues are rated “Critical” and affect DHTML Editing ActiveX control, Windows TCP/IP, Windows Wireless, Windows Media, and JScript. The DHTML, Media, and JScript issues are all familiar client-side vulnerabilities that can allow arbitrary code to run in the context of the currently logged-in user. The TCP/IP issue is a remote code-execution vulnerability that attackers can leverage to gain complete control of a vulnerable computer. The remaining issues, rated “Important,” are denial-of-service vulnerabilities affecting Windows TCP/IP. As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from...
0 comments