Number: IRCNE2015032457
Date: 2015/

According to “itpro”,Apple has put out new versions of its Safari web browser for OS X to fix a number of vulnerabilities that could enable hackers to run malicious code on a Mac.
In a security advisory, Apple warned that 17 bugs affect Safari 8.0.4 for OS X 10.10 Yosemite, Safari 7.1.4 for OS X 10.9 Mavericks and Safari 6.2.4 for OS X 10.9 Mavericks.
The first patch fixes a number of memory corruption problems in WebKit that could lead to an unexpected application termination or arbitrary code execution. Apple said that these issues were addressed through improved memory handling.
The second vulnerability concerned a user interface inconsistency in Safari itself that could prevent users from discerning a phishing attack. An attacker could misrepresent the URL in the browser, folling the user into thinking a website was genuine. Apple said this was fixed by improving user interface consistency checks.
Users can download the latest Safari versions 8.0.4, 7.1.4 and 6.2.4 for free through Software Update.
Apple did not give any further detail on the bugs or whether they had been exploited by criminals.

Number: IRCNE2015032456
Date: 2015/

According to “itpro”, research by Kaspersky has revealed businesses fear losing clients as a result of DDoS attacks, although the construction industry is more concerned about the cost of eradicating threats.
A survey conducted by the security firm in partnership with B2B International revealed 26 per cent of companies thought the problems caused by such attacks were long-term, meaning they could lose current or prospective clients as a result.
23 per cent said they were concerned a DDoS attack would cause reputational issues, while 19 per cent thought the risk of losing current customers who were not able to access services as a result of an outage was the biggest threat to business.
The research revealed that only 37 per cent of the companies surveyed had measures already in place to protect against DDoS attacks.
Of those surveyed, the majority of telecoms, e-commerce, utilities, utilities and industrial companies viewed the loss of business as the main DDoS risk, while construction and engineering verticals explained they were concerned about the cost of implementing backup systems most.

Number: IRCNE2015032455
Date: 2015/03/18

According to “itpro”, more than one billion personal records were leaked online in 2014, according to IBM’s security research team.
The total is 25 per cent higher than the 800 million personally identifiable information (PII) records leaked in 2013, the X-Force team revealed yesterday.
The experts called 2014 a “white knuckle rollercoaster ride” in which data breaches, malware and mobile app vulnerabilities all contributed to the huge volume of data exposed.
However, three overarching themes emerged – weak passwords, critical vulnerabilities in operating systems, and sensitive photos stored on cloud services.
“Breaches and security incidents were being announced so rapidly in 2014 that many struggled to keep up.
The majority of data was stolen from US companies such as Sony, which suffered embarrassing email leaks alongside unreleased films and staff data.
IBM referred to vulnerabilities including Shellshock, and this year’s newly discovered FREAK, adding that good old-fashioned malware continued to play its part, with cyber criminals using it to hit banking firms and other industries.
It also found that ransomware became more popular in 2014, with hackers either threatening sites with DDoS attacks or encrypting a user’s data until a fee is paid.

Number: IRCNE2015032451
Date: 2015/03/18

According to “computerworld”, new versions of OpenSSL will be released on Thursday to patch several security vulnerabilities, one of which is considered highly serious, according to the OpenSSL Project Team.
An advisory published on Monday did not give further details of the vulnerabilities, presumably so as not to tip off hackers and to give some organizations time to add the patch.
The updates will be included in OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf, the advisory said.
A number of serious problems have been found over the last year in OpenSSL, a widely used open-source software that encrypts communications using the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol, a cornerstone of Web security.
OpenSSL has been undergoing a security audit since the Heartbleed flaw was found in April 2014, a serious vulnerability that leaked memory from a server, potentially exposing login credentials, cryptographic keys and other private data.
The software was also affected by FREAK, a flaw revealed earlier this month that can allow an attacker to initiate a weaker type of encrypted connection that can be compromised more easily.

Number: IRCNE2015032450
Date: 2015/03/16

According to “zdnet”, this month's Patch Tuesday is one of the biggest in recent memory, with 14 separate security-related updates going out via Microsoft's update channels. All but two of the updates are for Windows. (Depending on your OS, you'll find a large number of non-security-related updates as well. More details on those when I get them.)
Five updates (four for Windows and one for Office) are rated Critical. The remaining nine are rated Important, all for Windows except for a lone Exchange Server patch.
Two of the fixes are for vulnerabilities that have already been publicly disclosed. The good news for Microsoft's Security Response team is that they've cleared all open issues from the Google Project Zero list.
MS15-018 is a Cumulative Security Update that addresses an even dozen vulnerabilities and affects all supported versions of Internet Explorer. It includes the fix for a cross-site scripting vulnerability that was publicly disclosed prior to February's Patch Tuesday but didn't make last month's fixes.
MS15-019 repairs a scripting vulnerability in some older Windows versions; it doesn't affect Windows 7 and later desktop versions or the equivalent server versions, Windows Server 2012 and 2012 R2.
MS15-020 fixes a flaw in the way Microsoft Text Services handles objects in memory and how Microsoft Windows handles the loading of DLL files.
MS15-021 addresses an issue with the Adobe Font Driver. Both vulnerabilities could theoretically allow remote code execution, although Microsoft's summaries say that possibility is unlikely.
MS15-022 applies to all supported Microsoft Office versions (2007, 2010, and 2013), as well as the server-based Office Web Apps and SharePoint Server products. It fixes three known vulnerabilities in Office document formats as well as multiple cross-site scripting issues for SharePoint Server. The worst outcome allows remote code execution.
And then there's MS15-031, which fixes the widely publicized (and cross-platform) Schannel vulnerability, more popularly known as the FREAK technique. This update means Microsoft and Apple platforms are secured, while vulnerable Android versions have yet to be patched. (Update: It took about 36 hours extra, but this patch is now available for Internet Explorer in Windows 10 Technical Preview build 9926. It's reasonable to assume the fix will be built into the next preview release.)
Systems with Internet Explorer 11 (which includes all Windows 8.1 installations) are also receiving an update to the built-in Flash Player code. The security issues fixed by this update are addressed in a separate bulletin, not yet available from Adobe. Oh, and this month's update to the Malicious Software Removal Tool reportedly removes the unwanted Superfish certificate from Lenovo PCs.

Number: IRCNE2015032449

Date: 2015/03/16

According to “zdnet”, Adobe has issued patches for security vulnerabilities in Flash Player -- 11 of which are deemed critical.
On Thursday, Adobe issued its latest set of security updates for the Adobe Flash Player. The updates for Windows, Mac and Linux users address "vulnerabilities that could potentially allow an attacker to take control of the affected system," according to the software giant.
The patches solve memory corruption vulnerabilities and type confusion vulnerabilities which could lead to remote code execution, vulnerabilities which could cause the bypass of cross-domain policies, as well as security issues which allow the circumvention of file upload restriction. In addition, other updates fix an integer overflow vulnerability and use-after-free vulnerabilities which could lead to remote code execution.
Adobe recommends that users update their products to the latest versions. Windows and Mac users of the Adobe Flash Player desktop runtime should update to Adobe Flash Player 17.0.0.134, users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.277, and users of the Adobe Flash Player for Linux need to update to Adobe Flash Player 11.2.202.451.
Google Chrome users with Flash Player enabled, as well as users of Internet Explorer on Windows 8.x with the software will see an automatic update to version 17.0.0.134.
Adobe Flash Player version 16.0.0.305 and previous versions, as well as 13.0.0.269, 11.2.202.442 and both earlier 11.x and 13.x are affected by the latest security patch.

Number: IRCNE2015032447
Date: 2015/03/14

According to “zdnet”, a security flaw in a popular WordPress plugin has been patched, preventing hackers from potentially taking over an entire blog installation.
Yoast, the maker of the popular "wordpress-seo" plugin for the blogging platform, said it has patched a cross-site request forgery flaw that allowed a blind SQL attack. That could've allowed a hacker to modify the back-end database, which might have allowed the insertion of malware, adware, spam links, or other unwanted content.
The flaw required some work by a malicious actor, however. An authorized WordPress user would have had to be tricked into clicking a carefully-crafted link in order for a hacker to exploit the flaw.
Yoast credited Ryan Dewhurst with finding the flaw, who reported the vulnerability privately, preventing it from being exploited in the wild.
Dewhurst said: "One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site."
The severity of the flaw resulted in a forced automatic update by WordPress.org, the blogging platform's hosted services.

Date: 2015/03/14

According to “cnet”, Microsoft released a Windows update Tuesday to address the "FREAK" security vulnerability, a decade-old encryption flaw that leaves device users vulnerable to having their electronic communications intercepted.
The update -- among 14 bulletins issued as part of Microsoft's regularly scheduled Patch Tuesday - also included an updated patch for Stuxnet, a sophisticated computer virus Microsoft said it addressed five years ago. The FREAK bulletin -- rated "important," Microsoft's second highest ranking security ranking -- came less than a week after Microsoft acknowledged that the encryption protocols used in all supported version of Windows were also vulnerable to the flaw.
In its security bulletin announcing the fix, released as part of Microsoft's regularly scheduled Patch Tuesday, Microsoft noted that Apple's Safari and Google's Android browsers were also identified as being susceptible to the flaw.
Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available.
Microsoft's update also revisited Stuxnet, a highly destructive worm thought to have been developed jointly in secret by US and Israel to infect a nuclear enrichment facility in Iran in 2010. Rather than steal data, Stuxnet left a back door meant to be accessed remotely to allow outsiders to stealthily knock the facility offline and at least temporarily cripple Iran's nuclear program. While Microsoft issued a patch in 2010 to close a hole being used by the Stuxnet to infect PCs, Tuesday's update addressed a pair of remote code execution vulnerabilities.

شماره: IRCNE2015042487
تاريخ: 02/05/94

محققان شركت امنيتي FireEye دريافتند كه مشكلي در اسكنر اثر انگشت سامسونگ گلكسي S6 وجود دارد كه هكرها مي توانند بواسطه آن اطلاعات شخصي ذخيره شده بر روي دستگاه را به سرقت ببرند.
Yulong Zhang و Tao Wei دو محقق اين شركت اظهار داشتند كه داده هاي شخصي مي توانند قبل از بدست آوردن ناحيه امن بر روي دستگاه ردگيري شوند.
اين مشكل بر روي تمامي دستگاه هاي در حال اجراي اندرويد نسخه 5.0 و نسخه هاي پيش از آن وجود دارد در صورتي كه هكري بتواند دسترسي سطح بالا دستگاه را بدست آورد. با اين وجود براي كاربراني كه از سامسونگ گلكسي S5 استفاده مي كنند شرايط نگران كننده تر است زيرا هكرها مي توانند به طور بالقوه با دسترسي به حافظه دستگاه داده هاي اثرانگشت را بدست آورند.
محققان در كنفرانس امنيتي RSA نشان دادند كه مجرمان سايبري مي توانند يك صفحه قفل تقلبي را ايجاد نمايند و داده هاي اثر انگشت كاربر را با داده هاي خود عوض نمايند در نتيجه كاربر ديگر نمي تواند به دستگاه خود دسترسي يابد و هكرها مي توانند براي مقاصد خود از آن سوء استفاده نمايند.
كليه دستگاه هايي كه در حال اجراي اندرويد 5.0 و نسخه هاي پيش از آن هستند نسبت به چنين حملاتي آسيب پذير مي باشند اما به روز رساني سيستم عامل دستگاه به نسخه 5.1.1 اين مشكل را برطرف مي كند.
از آنجايي كه اين مشكل در سيستم عامل وجود دارد و مختص دستگاه نيست در نتيجه كليه دستگاه هايي كه نسخه آسيب پذير اندرويد استفاده مي كنند مي توانند در معرض خطر اين نوع حملات قرار گيرند.

شماره: IRCNE2015042486
تاريخ: 02/02/94

اخيرا يك آسيب پذيري در پلاگين هاي وردپرس توسط محققان Scrutinizer كشف شده است كه به علت استفاده ناامن از توابعadd_query_arg و remove_query_arg وردپرس ايجاد شده است.
ضربه ناشي از اين مشكل بستگي به نقش كاربر بر روي وب سايت دارد. به عنوان مثال، اگر قرباني داراي حق دسترسي مديريتي باشد مهاجم مي تواند براي انجام عمليات مديريتي از آن سوء استفاده نمايد. اگر قرباني نقش عادي داشته باشد مهاجم مي تواند كوكي هاي تاييد هويت آن ها را به سرقت برده و حساب كاربري را ارتباط ربايي نمايد.
محققان Scrutinizer بر اين باور هستند كه در اصل اين مشكل در پلاگين هاي WordPress SEO و Google Analytics كه توسط Yoast ايجاد شده وجود دارد. Joost de Valk موسس و صاحب Yoast اظهار داشت كه از اين قبيل مشكلات ممكن است در پلاگين هاي ديگر نيز وجود دارد.
اسكن بيش از 400 پلاگين معروف وردپرس نشان مي دهد كه بيش از 12 پلاگين داراي آسيب پذيري مشابه مي باشند. تم ها نيز تحت تاثير اين مشكل قرار دارند.
پلاگين هاي كه داراي آسيب پذيري مي باشند به زودي اصلاح مي شوند در نتيجه به كاربران وردپرس توصيه مي شود تا داشبوردهاي مديريتي را براي به روز رساني پلاگين ها بررسي نمايند. برخي پلاگين ها به صورت خودكار به روز رساني مي شوند.
از آن جا كه احتمالا پلاگين ها و تم هاي آسيب پذير زيادي وجود دارد كه هنوز شناسايي نشده اند، به توسعه دهندگان توصيه مي شود تا كدهاي خود را به منظور بررسي استفاده ناامن از توابعadd_query_arg و remove_query_arg بازبيني نمايند.