Security-Alerts mailing list archive (email@example.com)
[security-alerts] FYI: Symantec ThreatCon elevated
The ThreatCon is currently at Level 2: Elevated.
The ThreatCon is currently at Level 2. The DeepSight honeynet has observed
in-the-wild exploit attempts targeting a GDI vulnerability patched by Microsoft
on April 8, 2008. The malicious image appears to target the Microsoft Windows
GDI Stack Overflow Vulnerability (BID 28570). At least three different sites
are hosting the images; two different malicious binaries are associated with
the attacks. Analysis of the images has shown that although they appear to be
malicious, they do not contain enough data in the associated image property to
sufficiently trigger the vulnerability. We are still investigating why this may
be the case.

Users are advised to apply the MS08-021 patches immediately. These attack
attempts highlight the severity of this issue -- it is only a matter of time
before new images that successfully trigger the issue are observed in the wild.

Administrators are also advised to filter activity to the following IP
addresses and/or domains:

  18.104.22.168 (hxxp://igloofamily.com)
  22.214.171.124 (hxxp://amrc.com.tw)
  ad.goog1e.googlepages.com

Symantec IPS detects the exploit; however, some of the associated malware that
is delivered with the attack is not detected. Symantec Security Response is
currently investigating the undetected malware and will make detection
available soon.
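As an added example (not part of the alert or of Symantec's tooling), the script below turns the defanged indicators quoted above into host patterns and scans squid-style proxy access-log lines for requests to those hosts, so an administrator can check for contact with the hosting sites before or after applying the filter. The log lines are constructed samples, and the squid field layout is an assumption about the log format.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in the alert; hxxp:// is a defanging convention.
ALERT_INDICATORS = [
    "18.104.22.168", "hxxp://igloofamily.com",
    "22.214.171.124", "hxxp://amrc.com.tw",
    "ad.goog1e.googlepages.com",
]
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def normalize_indicator(raw):
    """Turn a defanged URL, bare domain or IP into a lowercase host string."""
    fixed = raw.strip().lower().replace("hxxp://", "http://")
    if "://" in fixed:
        fixed = urlsplit(fixed).hostname or ""
    return fixed.rstrip(".")

def host_matches(host, indicator):
    """IP indicators must match exactly; domain indicators also cover subdomains."""
    host = host.lower().rstrip(".")
    if IPV4_RE.match(indicator):
        return host == indicator
    return host == indicator or host.endswith("." + indicator)

def scan_proxy_log(lines, indicators=ALERT_INDICATORS):
    """Return (line_no, host, indicator) for every request to a listed host.
    Assumes squid-style access.log fields (time elapsed client code/status
    bytes method url ...), so the URL is the 7th whitespace-separated field.
    """
    wanted = [normalize_indicator(i) for i in indicators]
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed record: skip, never abort the scan
        url = fields[6]
        host = urlsplit(url if "://" in url else "http://" + url).hostname
        for ind in wanted:
            if host and host_matches(host, ind):
                hits.append((n, host, ind))
                break
    return hits

# Constructed sample lines (not real traffic); lines 2 and 4 should be flagged,
# line 3 is a legitimate look-alike host that must not be.
SAMPLE_LOG = [
    "1207900000.123 45 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/203.0.113.10 text/html",
    "1207900001.456 80 10.0.0.7 TCP_MISS/200 9000 GET http://ad.goog1e.googlepages.com/pic.jpg - DIRECT/198.51.100.2 image/jpeg",
    "1207900002.789 30 10.0.0.9 TCP_MISS/200 2048 GET http://ad.google.googlepages.com/x.gif - DIRECT/198.51.100.3 image/gif",
    "1207900003.012 60 10.0.0.5 TCP_MISS/200 7000 GET http://18.104.22.168/images/pic.gif - DIRECT/18.104.22.168 image/gif",
]
```

Calling scan_proxy_log(SAMPLE_LOG) returns hits for lines 2 and 4 only; the google/goog1e look-alike on line 3 is not matched because domain indicators are compared as whole labels, not substrings.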