SANS ISC: * Updated: Serious Symantec Vulnerability, 1-day exploits, and the missing 13th patch

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Serious Symantec Vulnerability

Update:
It appears that Symantec has not actually released the patches as is mentioned on their web site. We have not found any patches for the Symantec Antivirus Corporate Edition 8 and 9. We are investigating this futher.


http://www.sarc.com/avcenter/security/Content/2005.02.08.html



ISS X-Force has found a serious heap overflow vulnerability in many
versions of the Symantec UPX decompression engine. As some of you may
be aware, most modern trojans are packed with a combination of
obfuscating and compression methods to evade detection; a component of
which is UPX compression. It is conjectured that malware will
soon take advantage of this attack to evade, disable, and possibly
damage Symantec security products. Please examine the list of
products posted by SARC and take immediate action to remedy any
vulnerability you might be exposed to. Hotfixes are available.
Stop reading and go patch now. This webpage will be here when you
get back, which is more than we can say for your browsing experience
should you decide NOT to take action.

Further information is available at http://xforce.iss.net/xforce/alerts/id/187

PoC's available for MS05-005 and MS05-009

Proof of concept code has been released for the MS05-005 (Microsoft Office
URL handling) and MS05-009 (Multiple PNG file decode problems) issues.
Both of these are on the critical patch list, and we expect to see malware
utilizing either of these attacks in the near future. The portion of
MS05-009 that relates to MSN Messenger; the CAN-2004-0597 libpng vulnerability,
is especially serious, as CORE Security has determined that this attack may
be possible to execute in a completely undetected manner to the end user
with little to no user interaction, depending on MSN client settings.


Major antivirus vendors have signatures posted or nearly complete
for both of these issues, and you can get snort signatures for MS05-009 over
at http://www.bleedingsnort.com/

The 13th Patch

In all the ruckus yesterday, many of us missed the fact that Microsoft
quietly issued an update to the MS04-035 SMTP server DNS validation
overflow issue from October, 2004. It appears that Exchange 2003 and
the "Exchange-Lite" SMTP Server bundled with Windows Server 2003 are
also suceptible to this attack. Get'cher patch on.
http://www.microsoft.com/technet/security/bulletin/ms04-035.mspx