Rule release for today - February 27th 2009
We've been busy again... Microsoft Excel Code Execution (CVE-2009-0238): Microsoft Excel contains a programming error that may allow a remote attacker to execute code on a vulnerable system. The problem occurs when Excel attempts to process a specially crafted document with
Conficker variant B - Still detected
As with all malware, variants eventually float to the surface of the threat landscape. Conficker is no different. The latest variant, imaginatively named Conficker B, still uses the same propagation methods the original used. That is, it still attempts to exploit the vulnerability
Detecting Silly Javascript Obfuscation Techniques
Last week I got an e-mail from Edward Fjellskål, Senior Security Analyst at Sourcefire's new Norwegian partner Redpill Linpro. He'd run across a strange piece of obfuscated Javascript at hxxp://bizoplata.ru/pay.html (WARNING: CONTAINS LIVE MALWARE), and he wanted to know
Homebrew patch for Adobe AcroReader 9
People seemed a bit worried about the Adobe Reader bug, so I figured I'd take a bit of time this morning and create a homebrew patch for people to protect themselves with until March 11th rolls around. The patch is just a replacement DLL - AcroRd32.dll to be precise. Take th
Adobe Acrobat and Reader Buffer Overflow Snort Rules
As promised earlier this evening we are releasing rules to detect attacks targeting this vulnerability. More rule details are available at http://www.snort.org/vrt/advisories/vrt-rules-2009-02-20.html Ur welcom.
Have a nice weekend! (PDF love)
Maybe you read Michael Howard's twitter feed. If so, you may be wondering why you were asked to turn off Javascript in Adobe Acrobat Reader. Well, I'm here to tell you that if you were to load a PDF file with an embedded JBIG2 image stream: << /Type /XObject /Subty
Making Conficker Cough Up the Goods
I'm not a malware gal. I really dislike analyzing the stuff. It could be an artifact of a life spent pulling apart Microsoft binaries. When Microsoft releases a binary, everything looks the same; it's not a challenge to figure out what's going on. The only challenge i
MS09-002 in the wild
Yesterday we came across a website taking advantage of a programming error in Internet Explorer that allows a remote attacker to execute code on a vulnerable system. Microsoft issued an advisory (MS09-002) on February 10, 2009 and released a patch on the same day to mitigate th
Tony Blair has NOT died today
It seems like the Armenian Branch of Nathan Associates Inc (per a whois lookup of the IP address) is hosting a webpage claiming that former UK Prime Minister Tony Blair has died. As far as we know, Tony Blair is well as of February 17, 2009. This page uses the same template as the