Universal XSS flaw in fully patched Microsoft Internet Explorer exposed

Number: IRCNE2015022420
Date: 2015/02/07

According to “zdnet”, a newly-discovered, severe security flaw in fully patched versions of Internet Explorer allows attackers to steal user credentials or to conduct phishing attacks through any website.
The vulnerability, which affects fully patched versions of IE 11 running on both Windows 7 and 8.1, was disclosed by security researcher David Leo from security firm Deusen. Detailed on Full Disclosure, the Internet Explorer vulnerability allows hackers to bypass the Same-Origin Policy and run scripts or inject malicious content into websites.
Not only could this result in user account theft, but HTML and cookies lifted by a hacker could then be used in legitimate-appearing phishing campaigns. For a victim to be tricked into visiting a malicious website, they do, however, need to click on a link.
Senior security engineer at Tumblr Joey Fowler responded to the disclosure, saying that while "there are quirks, it most definitely works." In addition to circumventing the Same-Origin Policy, the bug also bypasses standard HTTP-to-HTTPS restrictions as long as the page being framed doesn't contain X-Frame-Options headers with 'deny' or 'same-origin' values.
Microsoft engineers are currently working on a solution to close the security hole.
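The item notes that the bypass only works against pages that are not protected from framing, i.e. that lack an X-Frame-Options header with DENY or SAMEORIGIN (the article writes the latter as 'same-origin'; the header token browsers accept is SAMEORIGIN). The following check is an added example, not code from the original item or from Microsoft or Deusen: it parses a raw HTTP response and reports whether the page forbids third-party framing, also looking at the Content-Security-Policy frame-ancestors directive, which modern browsers honour in preference to X-Frame-Options. All sample responses are constructed.

```python
"""
Check whether an HTTP response carries framing protection.

Added example, not code from the original news item. Looks at the
X-Frame-Options values the item mentions (DENY, SAMEORIGIN) and at
the Content-Security-Policy frame-ancestors directive. Every sample
response below is constructed, not captured from any real site.
"""
from typing import Dict, Optional, Tuple

# X-Frame-Options values that actually stop cross-site framing.
# ALLOW-FROM is obsolete and ignored by most browsers, so it is not listed.
XFO_PROTECTIVE = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn raw 'Name: value' lines into a dict keyed by lower-cased name.

    The status line ('HTTP/1.1 200 OK') is skipped.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def csp_frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return " ".join(tokens[1:])
    return None


def framing_protection(raw_response: str) -> Tuple[bool, str]:
    """Decide whether the response forbids arbitrary third-party framing.

    Returns (protected, reason). CSP frame-ancestors wins when present;
    a bare '*' there allows every origin and counts as unprotected.
    """
    headers = parse_headers(raw_response)

    csp = headers.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors.strip() == "*":
                return False, "frame-ancestors * allows any origin"
            return True, f"CSP frame-ancestors {ancestors}"

    xfo = headers.get("x-frame-options")
    if xfo is not None:
        token = xfo.split()[0].upper() if xfo.split() else ""
        if token in XFO_PROTECTIVE:
            return True, f"X-Frame-Options {token}"
        return False, f"X-Frame-Options '{xfo}' is not DENY/SAMEORIGIN"

    return False, "no framing protection header"


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "sameorigin": "HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: SAMEORIGIN\n",
    "csp_none": "HTTP/1.1 200 OK\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\n",
    "allow_from": "HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM https://partner.example\n",
    "csp_wildcard": "HTTP/1.1 200 OK\nContent-Security-Policy: frame-ancestors *\n",
    "unprotected": "HTTP/1.1 200 OK\nContent-Type: text/html\n",
}


def audit(responses: Dict[str, str]) -> Dict[str, bool]:
    """Map each sample name to whether it is protected against framing."""
    return {name: framing_protection(raw)[0] for name, raw in responses.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        protected, reason = framing_protection(raw)
        print(f"{name:13s} {'protected' if protected else 'EXPOSED':9s} ({reason})")
```

Running the script prints one line per sample; the obsolete ALLOW-FROM form and a wildcard frame-ancestors are deliberately reported as exposed, since neither stops a third-party page from framing the response.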

iOS 8 malware can snoop on messages, photos & location data

ID: IRCNE2015012419
Date: 2015-02-07

According to “ITPro”, spyware targeting iOS 7 and iOS 8 devices has been uncovered by security firm Trend Micro, who claim it could be used to steal users’ text messages, photos and contact data.
The surveillance software is one of a number of tools used by members of Operation Pawn Storm, an ongoing cyber-espionage project targeting government, military and media organisations.
“The actors of Pawn Storm tend to first move a lot of pawns in the hopes they come close to their actual, high-profile targets,” the company said in a blog post.
“When they finally successfully infect [one], they might decide to move their next pawn forward: advanced espionage malware.”
The spyware highlighted by Trend Micro falls into the latter category and tends to be installed on devices that have already been compromised. It comes in the form of two malicious applications: XAgent (detected as IOS_XAGENT.A) and one using the name of a legitimate iOS game, MadCap (detected as IOS_XAGENT.B).
Their aim is to spy on activities of iOS device users and in the process steal their personal data, take screenshots, record audio and pass this data on to a command-and-control (C&C) server somewhere.
While the spyware works on iOS 7 and iOS 8 devices, its modus operandi depends on the operating system being used.
“After being installed on iOS 7, the app’s icon is hidden and it runs in the background immediately. When we try to terminate it by killing the process, it will restart almost immediately.
“Installing the malware into an iOS 8 device yields different results. The icon is not hidden and it also cannot restart automatically. This suggests that malware was designed prior to the release of iOS 8 last September.”
Interestingly, iOS devices do not need to be jailbroken in order to fall victim to this malware, Trend Micro added, and infection could be caused by connecting them to another compromised piece of hardware.
“One possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable,” the blog post concluded.

Adobe releases third unscheduled Flash security update

Number: IRCNE2015022418
Date: 2015/02/07

According to “itpro”, Adobe has released its third unscheduled Flash security update this year, after video sharing site Dailymotion found an advert that redirected to an attacker-controlled page that could be used to take control of a user's system.
Adobe said in its alert: "A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below."
Paul Ducklin wrote on the Sophos blog: "This script tries to guess which vulnerabilities are most likely to work on your computer, based on browser version, available plugins, and other settings, and then lets rip one-by-one with specific exploits," until nothing happens, the browser crashes or one of the exploits succeeds and your computer has been taken over.
The zero-day exploit has been patched, but Adobe doesn't anticipate completely fixing the vulnerability until later this week.
Last week, YouTube announced it has started to implement HTML5 by default in browsers to play videos rather than Flash because it said Flash couldn't support Adaptive Bitrate (ABR), which cuts down on buffering without compromising video quality.

Thousands of WordPress sites affected by zero-day exploit

ID: IRCNE2015012417
Date: 2015-02-07

According to “ZDNet”, thousands of websites are at risk of being exploited by a previously undisclosed vulnerability in a WordPress plugin, which researchers say could be used to inject malicious code into websites.
The flaw exists in Fancybox, a popular image displaying tool, through which Sucuri researchers say malware or any other script can be added to a vulnerable site.
"We can confirm that this plugin has a serious vulnerability," the researchers wrote. "It's being actively exploited in the wild, leading to many compromised websites."
WordPress, which comes in two main flavors -- a hosted version and a downloadable self-hosting version -- has already removed the plugin from its repository. But researchers warn that with more than half-a-million users of the plugin at risk, users should remove the plugin from their own sites.
It's not clear how many websites are being actively exploited by the flaw, however.
WordPress remains one of the most popular blogging platforms on the web. It's used by more than 23 percent of the top 10 million websites, recent statistics show.

Windows and Macintosh users targeted by drive-by download attacks

Number: IRCNE2015022416
Date: 14/11/93

Adobe has published a security advisory for a previously unknown security vulnerability in Flash Player.
On Monday the company announced that this zero-day vulnerability exists in the latest version of Flash Player, version 16.0.0.296, and in earlier versions, and that if exploited it can cause a crash and allow an attacker to take control of the affected system.
Windows and Macintosh users, as well as Linux users of version 11.2.202.440 and earlier, are affected by this vulnerability.
Adobe has confirmed the vulnerability and announced that it is aware of published reports of active exploitation against IE and Firefox users.
Trend Micro, which is working with Microsoft on investigating this vulnerability, wrote on its blog that users should disable Flash until a patch is released and the vulnerability is fixed.
The problem is scheduled to be fixed by the end of this week, but the exact date is not known.

New Flash zero-day targets Windows, Mac users

Number: IRCNE2015022416
Date: 2015/02/03

According to “zdnet”, Adobe has issued an advisory warning of a previously undiscovered security vulnerability in Flash Player.
The company said Monday the zero-day flaw exists in the latest version of Flash Player, version 16.0.0.296 (and earlier), and if exploited could cause a crash that allows an attacker to take control of the affected system.
Windows and Mac users are affected, along with Linux users (version 11.2.202.440 and earlier).
Adobe confirmed it was aware of reports that the flaw was being actively exploited against Internet Explorer and Firefox users running Windows 8.1 and below.
Trend Micro, which contributed to finding the flaw along with Microsoft, said on its blog users should disable Flash until a fix is released.
The company confirmed a fix will arrive later this week, but did not say exactly when.

The Outlook app for iOS breaks corporate security

Number: IRCNE2015012415
Date: 11/11/93

Microsoft's newest email app for iPhone and iPad undermines the security of companies and organisations in several ways.
According to a developer and researcher named René Winkelmeyer, the Outlook app for iOS, released on Thursday, does not follow companies' usual security rules, because it takes the user's login credentials and stores them in its own cloud.
Microsoft released this email management and cloud-storage access app months after acquiring Acompli, which helped the company turn its code into a fully-fledged app.
After examining the app, however, the developer concluded that his login credentials had been uploaded without him being notified. He claimed that Microsoft could have full access to user data, and said that users should block the app's access to their company mail servers until the problem is fixed.
Some users have commented on his blog that even after deleting the app, their information is not removed from the cloud.
Microsoft has not yet commented on the matter.

The return of ZeroAccess

Number: IRCNE2015012414
Date: 11/11/93

A peer-to-peer botnet called ZeroAccess has emerged from a six-month hibernation after being disrupted twice by security researchers and law-enforcement agencies.
ZeroAccess, also known as Sirefef, at its peak in 2013 consisted of more than 1.9 million infected systems, which were mainly used for click fraud and Bitcoin mining.
This continued until Symantec security researchers found a flaw in the botnet's architecture. That architecture allowed the botnet's members to exchange files, commands and information with one another without needing central command-and-control servers, which are in fact the Achilles' heel of most botnets.
Symantec detached more than half a million computers from ZeroAccess in July 2013 and, with the help of ISPs and CERTs, helped clean them up.
In December of the same year the FBI, Europol, Microsoft and several security companies carried out another operation to ground the botnet. The botnet's operators sent an update to the infected systems that contained the message "WHITE FLAG".
Microsoft's Digital Crimes Unit wrote on its blog at the time: "We believe this act symbolically means that the criminals have decided to surrender control of the botnet."
It did not last long. Cybercriminals reactivated the botnet and used it between March 21 and July 2, 2014, but since then the botnet had fallen silent.
On Wednesday, however, Dell SecureWorks researchers announced that the botnet was reactivated on January 15 and began distributing click-fraud templates to abuse infected systems.
For click fraud, the malware displays advertisements on infected systems and clicks on them, disguising the clicks as those of a real, legitimate user in order to generate income for the botnet's owners.
Dell SecureWorks researchers observed 55,208 unique IP addresses participating in the botnet between January 17 and 25. Of these, 38,094 IPs belonged to 32-bit Windows systems and 17,114 to 64-bit Windows systems. The ten countries most affected by the botnet are Japan, India, Russia, Italy, the United States, Brazil, Taiwan, Romania, Venezuela and Germany.

Outlook for iOS app "breaks" corporate security, developer says

ID: IRCNE2015012415
Date: 2015-01-31

According to “ZDNet”, Microsoft's newest email app for iPhones and iPads "breaks" corporate and enterprise security in multiple ways, a developer claims.
The company's Outlook for iOS app, released Thursday, does not "obey the rules of common company security rules," because it takes and stores a user's credentials in its cloud, according to René Winkelmeyer, writing on his blog.
Microsoft released the email management and cloud-based storage access app months after its Acompli buy, which helped the software giant turn the code into a fully-fledged app.
But after digging around in the app's push notifications, he found that his user credentials had been uploaded without the app informing him first.
He claimed that Microsoft could potentially have "full access to my [personal information management] data."
"What I saw was breathtaking," he wrote.
Some commenters on his blog warned that even after deleting the app, their credentials would not be flushed from the cloud.
"All the email and calendar data that was already on the device before I deleted the app was back again," one user said. Another user added: "I went back to check my list of mobile devices and, yup, the 'Outlook' profile had magically reappeared."
Winkelmeyer said users should "block the app from accessing your companies mail servers" until the service is fixed.
We've reached out to Microsoft for comment, but did not immediately hear back.

The ZeroAccess botnet is back in business

ID: IRCNE2015012414
Date: 2015-01-31

According to “ComputerWorld”, a peer-to-peer botnet called ZeroAccess came out of a six-month hibernation this month after having survived two takedown attempts by law enforcement and security researchers.
At its peak in 2013, ZeroAccess, also known as Sirefef, consisted of more than 1.9 million infected computers that were primarily used for click fraud and Bitcoin mining.
That was until security researchers from Symantec found a flaw in the botnet's resilient peer-to-peer architecture. This architecture allowed the bots to exchange files, instructions and information with each other without the need for central command-and-control servers, which are the Achilles' heel of most botnets.
By exploiting the flaw, Symantec managed to detach over half a million computers from ZeroAccess in July 2013 and launched an effort to clean them up in cooperation with ISPs and CERTs.
In December that same year the FBI, Europol, Microsoft and several security vendors launched a second operation that further crippled the botnet and led to those behind it capitulating. The botnet operators actually sent an update to the infected machines that contained the message "WHITE FLAG."
"We believe [that action] symbolizes that the criminals have decided to surrender control of the botnet," Richard Domingues Boscovich, assistant general counsel with the Microsoft Digital Crimes Unit, said at the time in a blog post.
It didn't last long. Cybercriminals reactivated the botnet and used it between March 21 and July 2, 2014, but then -- silence. Until now.
The botnet was reactivated on January 15, when it "again began distributing click-fraud templates to compromised systems," researchers from Dell SecureWorks said in a blog post Wednesday.
To perpetrate click fraud, malware displays ads on infected computers and clicks on them, masking the clicks as legitimate user actions in order to generate advertising income for the botnet operators.
The Dell SecureWorks researchers observed 55,208 unique IP addresses participating in the botnet between January 17 and January 25 -- 38,094 corresponding to compromised 32-bit Windows systems and 17,114 to 64-bit systems. The top ten affected countries are Japan, India, Russia, Italy, the U.S., Brazil, Taiwan, Romania, Venezuela and Germany.