SANS Internet Storm Center: InfoSec Handlers Diary Blog

Updated: Serious Symantec Vulnerability, 1-day exploits, and the missing 13th patch

Published: 2005-02-09
Last Updated: 2005-02-10 19:38:03 UTC
by Erik Fichtner (Version: 1)

Serious Symantec Vulnerability

It appears that Symantec has not actually released the patches mentioned on its web site. We have not found any patches for Symantec AntiVirus Corporate Edition 8 and 9. We are investigating this further.

ISS X-Force has found a serious heap overflow vulnerability in the UPX
decompression engine used by many versions of Symantec's products. As some
of you may be aware, most modern trojans are packed with a combination of
obfuscation and compression methods to evade detection, and UPX compression
is a common component of that; antivirus engines unpack UPX executables in
order to scan them, so the decompressor is parsing attacker-supplied data.
It is conjectured that malware will soon take advantage of this attack to
evade, disable, and possibly damage Symantec security products. Please
examine the list of affected products posted by SARC and take immediate
action to remedy any exposure you might have. Hotfixes are available.
Stop reading and go patch now. This webpage will be here when you
get back, which is more than we can say for your browsing experience
should you decide NOT to take action.

Further information is available at

PoC's available for MS05-005 and MS05-009

Proof-of-concept code has been released for the MS05-005 (Microsoft Office
URL handling) and MS05-009 (multiple PNG file decoding problems) issues.
Both of these are on the critical patch list, and we expect to see malware
using either of these attacks in the near future. The portion of MS05-009
that relates to MSN Messenger, the CAN-2004-0597 libpng vulnerability, is
especially serious: CORE Security has determined that it may be possible to
exploit it without the end user noticing anything and with little to no
user interaction, depending on MSN client settings.

Major antivirus vendors have signatures posted or nearly complete
for both of these issues, and you can get Snort signatures for MS05-009 over
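The PNG decoding problems in MS05-009 come down to a decoder trusting the chunk lengths and entry counts the file supplies. As an added example (this is not code from the ISC, Microsoft, CORE Security or libpng), the Python script below walks a PNG's chunk stream and reports the structural violations a decoder must reject before copying chunk data: truncated or oversized chunks, bad CRCs, and PLTE or tRNS chunks that do not fit a paletted image's 256-entry palette. The tRNS length check mirrors the libpng CAN-2004-0597 fix, where png_handle_tRNS began bounding the chunk length by the palette size. All sample PNG bytes are constructed inline and do not reproduce any real exploit.

```python
"""PNG chunk-structure checker.

Added example for this diary entry; not code from the ISC, Microsoft, CORE
Security or libpng.  It walks a PNG's chunk stream the way a decoder does
and reports what a hardened decoder must reject before copying chunk data:
truncated or oversized chunks, bad CRCs, and PLTE/tRNS chunks that do not
fit the 256-entry palette a paletted image can have.  The tRNS length
check mirrors the libpng CAN-2004-0597 fix (png_handle_tRNS bounded the
chunk length by the palette size).  All sample PNG bytes are constructed
below; none are taken from a real exploit.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_PALETTE_ENTRIES = 256       # PNG spec limit; libpng PNG_MAX_PALETTE_LENGTH
MAX_CHUNK_LENGTH = 0x7FFFFFFF   # PNG spec: chunk length must not exceed 2^31 - 1
INDEXED = 3                     # IHDR colour type for paletted images
TRNS_LIMITS = {INDEXED: MAX_PALETTE_ENTRIES, 0: 2, 2: 6}  # colour type -> tRNS size


def iter_chunks(data):
    """Yield (type, payload, crc_ok) per chunk; raise ValueError on truncation."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        if length > MAX_CHUNK_LENGTH:
            raise ValueError("chunk %s length %d exceeds PNG limit" % (name, length))
        end = pos + 8 + length
        if end + 4 > len(data):   # payload plus CRC must fit in the file
            raise ValueError("chunk %s claims %d bytes but only %d remain"
                             % (name, length, len(data) - pos - 8))
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        yield ctype, payload, crc_ok
        pos = end + 4
        if ctype == b"IEND":
            break


def check_png(data):
    """Return a list of findings; an empty list means the structure is clean."""
    findings = []
    color_type = None
    try:
        for ctype, payload, crc_ok in iter_chunks(data):
            name = ctype.decode("latin-1")
            if not crc_ok:
                findings.append("bad CRC on %s chunk" % name)
            if ctype == b"IHDR":
                if len(payload) != 13:
                    findings.append("IHDR length %d, expected 13" % len(payload))
                    continue
                width, height, _depth, color_type = struct.unpack(">IIBB", payload[:10])
                if not (0 < width <= MAX_CHUNK_LENGTH and 0 < height <= MAX_CHUNK_LENGTH):
                    findings.append("IHDR dimensions %dx%d out of range" % (width, height))
            elif ctype == b"PLTE":
                if len(payload) % 3 or not 0 < len(payload) <= 3 * MAX_PALETTE_ENTRIES:
                    findings.append("PLTE length %d is not 3..768 in multiples of 3" % len(payload))
            elif ctype == b"tRNS":
                # Indexed: at most one byte per palette entry; greyscale: exactly 2
                # bytes; truecolour: exactly 6; alpha colour types have no tRNS.
                limit = TRNS_LIMITS.get(color_type)
                if limit is None:
                    findings.append("tRNS not allowed for colour type %r" % color_type)
                elif (len(payload) > limit if color_type == INDEXED else len(payload) != limit):
                    findings.append("tRNS length %d invalid for colour type %d (limit %d)"
                                    % (len(payload), color_type, limit))
    except ValueError as exc:
        findings.append(str(exc))
    return findings


# --- constructed samples (built here, not real files) ------------------------
def chunk(ctype, payload):
    """Encode one chunk: big-endian length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(chunks):
    return PNG_SIGNATURE + b"".join(chunk(t, p) for t, p in chunks)


IHDR_1X1_INDEXED = struct.pack(">IIBBBBB", 1, 1, 8, INDEXED, 0, 0, 0)
IDAT_1X1 = zlib.compress(b"\x00\x00")   # one scanline: filter type 0, palette index 0
GOOD_PNG = build_png([(b"IHDR", IHDR_1X1_INDEXED), (b"PLTE", b"\x00\x00\x00"),
                      (b"tRNS", b"\x00"), (b"IDAT", IDAT_1X1), (b"IEND", b"")])
# Same image, but tRNS carries 300 entries for a palette that can hold 256.
OVERSIZED_TRNS_PNG = build_png([(b"IHDR", IHDR_1X1_INDEXED), (b"PLTE", b"\x00\x00\x00"),
                                (b"tRNS", b"\x00" * 300), (b"IDAT", IDAT_1X1), (b"IEND", b"")])
TRUNCATED_PNG = GOOD_PNG[:-6]                                # cut inside the IEND header
BAD_CRC_PNG = GOOD_PNG[:-1] + bytes([GOOD_PNG[-1] ^ 0xFF])  # corrupt IEND's CRC

if __name__ == "__main__":
    for label, sample in [("good", GOOD_PNG), ("oversized tRNS", OVERSIZED_TRNS_PNG),
                          ("truncated", TRUNCATED_PNG), ("bad CRC", BAD_CRC_PNG)]:
        print("%-15s %s" % (label, check_png(sample) or "clean"))
```

Run it over images pulled from a mail gateway or proxy cache; a non-empty finding list is a reason to quarantine the file for a closer look, not proof of an exploit, since broken image editors produce malformed PNGs too. The discipline the script applies, checking every length against what the already-parsed header allows before touching the data, is the same one a patched decoder has to enforce.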

The 13th Patch

In all the ruckus yesterday, many of us missed the fact that Microsoft
quietly issued an update to MS04-035, the SMTP server DNS validation
overflow issue from October 2004. It appears that Exchange 2003 and
the "Exchange-Lite" SMTP server bundled with Windows Server 2003 are
also susceptible to this attack. Get'cher patch on.