
Bonus episode of AudioParasitics Podcast May 24, 2007

Posted by Dave Marcus in General Security, Malware, PodCasting, Vulnerabilities, Zero Day.

We released a bonus podcast episode of AudioParasitics – The Official Podcast of McAfee Avert Labs earlier this week.

In this episode we delve once again into the debate around vulnerability disclosure and bounty programs. Jim Walter and I wrestle with the ethics of bounty programs and whether or not they help protect customers. We battle with the explosive and complex relationships between bounties, vulnerabilities, exploits and malware.


Remember that you can subscribe to the podcast through iTunes or Podzinger as well.


The ball drops and the bubble bursts January 2, 2007

Posted by Dave Marcus in General Security, Vulnerabilities, Zero Day.

It should prove to be a very interesting New Year indeed! The ball has dropped in Times Square, signifying a fresh start. What better way to start off a new year than with a new month of bugs? As most already know, January 2007 is to be the Month of Apple Bugs, and the first one has been released.

I think this will be an interesting bug month for a few reasons. The Apple community, in general, has an overblown sense of invulnerability when it comes to security. True, there has been little exploitation of the various Apple platforms, but that is mainly true for a very simple reason: lack of deployment footprint. At the end of the day, Apple is not really a great target of opportunity. Scan a million IP addresses and what will you get? Well over 90% (and that is a very low estimate) will be various incarnations of MS Windows. If I am a malware/exploit writer and money or data is my goal, where would I focus my efforts?

It is interesting to consider that by the end of this month there will probably be more public exploits for Apple OS and applications than there have been in several years. Will any of these exploits end up being used in targeted attacks? Who knows. But I think many people's bubbles will be burst over the next month.

Hey, they may even have to change those dopey ads they run...

MS Word Zero-Day Trio December 22, 2006

Posted by Dave Marcus in Malware, Vulnerabilities, Zero Day.

Boy, was that ever a weekend!!! Three solid zero-day exploits over a 5-6 day period, right around MS Patch Tuesday (no coincidence).

Over at Avert Labs we have been tracking this for quite some time. The trend seems to be to release a zero-day exploit within +3 or -3 days of the MS patch release. Pretty good strategy, actually, when you consider it. If an MS zero-day is released 3 days prior to the patch, it is very unlikely to be included in that release. If the exploit is released 3 days after the patch, it is very unlikely that MS will release an out-of-cycle patch to address it. This gives the exploit writer a potential usage window of 27 – 33 days for the malware.

Definitely speaks to the continued organization and planning skills of the malware writer.
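As an added illustration (not part of the original post), the Python below computes the scheduled Patch Tuesday dates around a disclosure and the resulting exposure window under the post's assumption that a bug disclosed within three days before a release will not make that release and that no out-of-cycle patch follows. The function names, the three-day cutoff parameter and the sample dates are my own constructions.

```python
from __future__ import annotations
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month (Microsoft's scheduled patch day)."""
    first = date(year, month, 1)
    # weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(after: date) -> date:
    """First scheduled Patch Tuesday strictly after the given date."""
    year, month = after.year, after.month
    while True:
        candidate = patch_tuesday(year, month)
        if candidate > after:
            return candidate
        month += 1
        if month > 12:
            month, year = 1, year + 1


def exposure_window(disclosed: date, cutoff_days: int = 3) -> tuple[date, int]:
    """Earliest scheduled release that could carry a fix, and days until it.

    Assumption (hypothetical, mirrors the post's argument): a disclosure
    within `cutoff_days` before a Patch Tuesday is too late to be folded
    into that release, so the fix slips a full cycle. Out-of-cycle patches
    are ignored because the post treats them as rare.
    """
    candidate = next_patch_tuesday(disclosed)
    if (candidate - disclosed).days <= cutoff_days:
        candidate = next_patch_tuesday(candidate)
    return candidate, (candidate - disclosed).days


if __name__ == "__main__":
    # Constructed sample: disclosures three days before and three days
    # after the December 2006 Patch Tuesday (12 December 2006).
    for disclosed in (date(2006, 12, 9), date(2006, 12, 15)):
        fix_day, days = exposure_window(disclosed)
        print(f"disclosed {disclosed}: earliest scheduled fix {fix_day}, "
              f"{days} days of exposure")
```

Running it for the constructed December 2006 dates shows how a disclosure just before a release slips to the January cycle, while one just after waits out the full interval to the next scheduled patch day.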

Vectors, bots and BuddyProfiles…… Oh my! December 5, 2006

Posted by Dave Marcus in General Security, Malware, Vulnerabilities.

Some really great new posts on the McAfee Avert Labs Research Blog! OK, I am not exactly unbiased here, but some really great posts have gone up lately. In no particular order:

  • A really neat post from Allysa Myers on BuddyProfiles misuse. Just goes to show you what can happen when you allow users free rein over their own HTML code and content!
  • Bhaskar Krishna wrote up a really interesting piece on masking potential adware/spyware installs with 404 errors. Adware and revenue: not a good mixture!
  • Vinoo Thomas on bots using more application vulnerabilities for exploitation/installation.

Read them. Learn them. Live them!!!

First Windows Kernel Bug for the MoKB Released November 6, 2006

Posted by Dave Marcus in Vulnerabilities, Zero Day.

Well, we knew it was only a matter of time, but the first kernel bug for Windows has been released for the MoKB. Interestingly enough, this particular bug is darn near 2 YEARS OLD and was previously reported to MS, yet it has remained unpatched. Read the full post or get the source code here.

XML Core Services 0-Day Update November 6, 2006

Posted by Dave Marcus in Vulnerabilities, Zero Day.

The other day I wrote about a new zero-day in Windows IE XML Core Services. Well, it seems that some new developments have occurred! The Register has picked up the story, in which they state that Secunia is now seeing more active exploitation. Microsoft has posted an Advisory about the vulnerability and even included suggestions and workarounds. No word yet on whether they will release an early patch for it, though. As MS rarely releases out-of-cycle patches, my guess would be no.

I have not heard any updated intel from the researchers at McAfee Avert Labs where I work, but if I do I will certainly update on it.

More MoKB Fun!!! November 5, 2006

Posted by Dave Marcus in Vulnerabilities, Zero Day.

In case you haven’t been following the fun with the Month of Kernel Bugs, we are up to four so far.

The running total looks like this:

  • 1 Mac OSX
  • 1 Linux
  • 1 FreeBSD
  • 1 Solaris

Mostly denial-of-service at this point, but I would guess that further work and analysis will be done on these. That being the case, we could see further proof-of-concept code and exploits for these later.

New IE 0-day making the rounds November 5, 2006

Posted by Dave Marcus in Malware, Vulnerabilities, Zero Day.

One of my buddies at McAfee Avert Labs has posted on a new IE zero-day exploit making the rounds. Though he would never admit to it, Craig Schmugar is one of the finest researchers in the security industry and a fairly prolific blogger himself.

Month of Kernel Bugs off to a good start! November 2, 2006

Posted by Dave Marcus in Vulnerabilities, Zero Day.

As I had mentioned in previous posts, November 2006 is the Month of Kernel Bugs. Well, yesterday, true to form, they posted the first kernel bug, a nice one in Apple's Airport Driver. This particular bug, a kernel memory corruption issue, was found by none other than H D Moore and is in turn based upon previous work by Cache and Maynor.

Moore was nice enough to supply a handy-dandy Metasploit module for the kernel bug as well. Considerate, that was! An unpatched vulnerability disclosed complete with working exploit code...

Oh, and by the way, it really is nice to see someone aside from Microsoft get targeted once in a while!