Exploit This

Security News, Exploits, and Vulnerabilities.

Windows 10: What’s New in the Security System

This review consists of three parts devoted to the most prominent new Windows 10 features that affect security. We use examples to demonstrate how Windows 10 protection technologies work and how they can be complemented by third-party solutions to improve system security.

Facebook malware – the missing piece

Recently we revealed that a threat actors exploited social networks to spread a Trojan that captures a victim’s entire browser traffic. Approximately 10,000 Facebook users with Windows PCs were hit by malicious friend notifications. In this article we will explain the security issue and attack.

Lurk: a danger where you least expect it

While we were researching the malicious program Lurk in early February 2016, we discovered an interesting oddity in how this banking Trojan spreads. From the data we had, it emerged that the users attacked by Lurk also installed the remote administration software Ammyy Admin on their computers.

Industrial cybersecurity threat landscape

Expansion of the Internet makes ICS easier prey to attackers. The number of ICS components available over the Internet increases every year. Taking into account that initially many ICS solutions and protocols were designed for isolated environments, such availability often provides a malicious user with multiple capabilities to cause impact to the infrastructure behind the ICS due to lack of security controls.

The Dropping Elephant actor

A threat actor, likely operating from India, was undertaking aggressive cyber-espionage activity in the Asian region, targeting multiple diplomatic and government entities with a particular focus on China and its international affairs.

VDI: Non-virtual problems of virtual desktop security, and how to solve them for real

There is a much higher probability of encountering security issues with Virtual Desktop Infrastructure (VDI) than with virtualized servers. We are going to talk about VDI myths, specifics – and how to provide proper security for corporate VDI.

An increase of sophisticated phishing attacks in Sweden

Whilst sitting and working in the South African office I receive an email from my Swedish ISP. I quickly look at it and there is something that doesn’t add up. The email states that I need to pay my invoice, but I never receive electronic invoices from this company.

Surges in mobile energy consumption during USB charging and data exchange

Is it possible to measure the energy consumed by a host and mobile when they exchange data over the USB connection? We could find in-depth research on energy consumption for USB data transfer, so we decided to carry out our own experiment.

TA16-187A: Symantec and Norton Security Products Contain Critical Vulnerabilities

Original release date: July 05, 2016

Systems Affected

All Symantec and Norton branded antivirus products

Overview

Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

Description

The vulnerabilities are listed below:

CVE-2016-2207

  • Symantec Antivirus multiple remote memory corruption unpacking RAR [1]

CVE-2016-2208

  • Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction. [2]

CVE-2016-2209 

  • Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [3]

CVE-2016-2210

  • Symantec: Remote Stack Buffer Overflow in dec2lha library [4]         

CVE-2016-2211

  • Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives [5]

CVE-2016-3644

  • Symantec: Heap overflow modifying MIME messages [6]      

CVE-2016-3645

  • Symantec: Integer Overflow in TNEF decoder [7]       

CVE-2016 -3646

  • Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink [8]

 

Impact

The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event. A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities. Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable-event.

Solution

Symantec has provided patches or hotfixes to these vulnerabilities in their SYM16-008 [9] and SYM16-010 [10] security advisories.

US-CERT encourages users and network administrators to patch Symantec or Norton antivirus products immediately. While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.

References

Revision History

  • July 5, 2016: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

Facebook malware: tag me if you can

A malware attack tricked around 10,000 Facebook users around the world. Compromised PCs were used to hijack Facebook accounts in order to spread the infection through the victim’s Facebook friends and for other malicious activity.

%d bloggers like this: