Vulnerability Analysis Blog

CERT Basic Fuzzing Framework

Wed, 26 May 2010 13:56:27 -0500

Hi folks. I've been involved in a fuzzing effort at CERT. One of the ways that I've been able to discover vulnerabilities is through "dumb" or mutational fuzzing. We have developed a framework for performing automated dumb fuzzing. Today we are releasing a simplified version of automated dumb fuzzing, called the Basic Fuzzing Framework (BFF).

Top-10 Top Level and Second Level Domains found in Malicious Software

Fri, 05 Mar 2010 14:10:32 -0500

Hello folks. This post comes to you courtesy of Ed Stoner and Aaron Shelmire from the Network Situational Awareness group at CERT. They write:

Recently there have been some statistics published on botnet Command & Control (C2) channels. These statistics claim that 94.58% of botnet C2 channels are under the .com top level domain (TLD). While it's impossible to accurately comment on those statistics without knowing the methodology used to arrive at them, we at CERT have been doing research concerning malicious domain names that arrives at a different result.

Plain Text Email in Outlook Express

Fri, 13 Nov 2009 09:23:00 -0500

Reading email messages in plain text seems like a reasonable thing to do to improve the security of your email client. Plain text takes less processing than HTML, which should help minimize your attack surface, right? As it turns out, Outlook Express (and its derivatives) is doing more than you think when it is configured with the "Read all messages in plain text" option enabled.

Managing IPv6 - Part 2

Tue, 06 Oct 2009 15:44:00 -0500

Past entries have addressed both securing and disabling IPv6. This entry describes ways that administrators can secure their networks and generate test cases to test those settings.

Managing IPv6 - Part 1

Wed, 19 Aug 2009 10:07:00 -0500

This entry is the first in a series about securely configuring the IPv6 protocol on selected operating systems. Although this entry focuses on how to disable IPv6, we are not recommending that everyone immediately disable IPv6. However, if critical parts of your infrastructure (firewall, IDS, etc.) do not yet fully support the IPv6 protocol, consider disabling IPv6 until those components can be upgraded.

Internet Explorer Kill-Bits

Fri, 31 Jul 2009 15:18:00 -0500

The Kill-Bit (or "killbit") is a Microsoft Windows registry value that prevents an ActiveX control from being used by Internet Explorer. More information is available in Microsoft KB article 240797. If a vulnerability is discovered in an ActiveX control or COM object, a common mitigation is to set the killbit for the control, which will cause Internet Explorer to block use of the control. Or will it?

Mitigating Slowloris

Wed, 01 Jul 2009 12:18:00 -0500

Slowloris is a denial-of-service (DoS) tool that targets web servers. We have some suggestions about mitigation techniques and workarounds to protect your server. However, use caution if you implement any of these suggestions because they will likely have some unintended side effects.

Vulnerabilities and Attack Surface

Thu, 25 Jun 2009 12:02:00 -0500

Two recent US-CERT Vulnerability Notes describe similar issues in the Adobe Reader and Foxit Reader PDF viewing applications. The vulnerabilities, that both applications failed to properly handle JPEG2000 (JPX) data streams, were discovered as part of our Vulnerability Discovery initiative. The two vulnerability notes are quite similar, except for one aspect: attack surface.

Release of Dranzer ActiveX Fuzzing Tool

Thu, 16 Apr 2009 11:50:26 -0500

Hi, it's Will. As previously mentioned, we have been investigating and discovering ActiveX vulnerabilities over the past few years. Today we released the Dranzer tool that we have developed to test ActiveX controls.

Bypassing firewalls with IPv6 tunnels

Thu, 02 Apr 2009 11:05:00 -0500

Hello, it's Ryan. We've talked about IPv6 in blog entries and vulnerability notes before. But instead of focusing on IPv6 vulnerabilities, this blog entry will show how functional IPv6 tunneling protocols can be used to bypass IPv4-only firewalls and ACLs. If you'd like a demonstration, watch this video that we created.

Conficker.C: How many are there?

Tue, 31 Mar 2009 18:10:14 -0500

Hello, Sid Faber from the Network Situational Awareness group at CERT. Like just about everyone else, we've been following the Conficker worm for a while and thought some updated stats on the Conficker.C variant might be useful.

Windows Installer Application Resiliency

Fri, 13 Mar 2009 13:46:00 -0500

Hi, it's Will again. Recently, I was investigating the effectiveness of the workarounds for the Adobe Reader JBIG2 vulnerability, and I encountered an unexpected situation. In certain situations, the application resiliency feature of Windows Installer can actually undo some of the steps taken to mitigate a vulnerability.

Internet Explorer Vulnerability Attack Vectors

Thu, 19 Feb 2009 15:30:00 -0500

Hey, it's Will. I noticed that several blogs, including Trend Micro and McAfee, have been talking about the recent attacks on the Internet Explorer 7 vulnerability that was fixed in MS09-002. An interesting thing about these exploits is the attack vector. The technique used in these attacks has several security impacts that may not be immediately obvious.

Reference Implementations for Securing Your Web Browser Guidelines

Fri, 09 Jan 2009 11:03:00 -0500

It's Will again, with the first blog entry of 2009. Our Securing Your Web Browser document describes how to make your web browser more secure, but applying all of the necessary changes can be a bit tedious. To make the process easier, we developed reference implementations of the guidelines for both Microsoft Internet Explorer and Mozilla Firefox.

Recommendations to vendors for communicating product security information

Thu, 20 Nov 2008 16:10:00 -0500

Hi, this is Chad Dougherty of the Vulnerability Analysis team. One of the important roles that our team plays is coordinating vulnerability information among a broad range of vendors. Over the years, we have gained a considerable amount of experience communicating with vendors of all shapes and sizes. Based on this experience, we can offer some guidance to vendors about communicating product security issues.