Microsoft reissues Office patches

Number: IRCNE2014122401
Date (Iranian calendar): 25/09/93

Microsoft has released new updates for Office. These updates were issued to fix a problem that had been caused by recently released updates.
The problems relate to a Microsoft Office update, specifically a Microsoft Word update, released in October 2014. Microsoft announced that some users were unable to update fields in Microsoft Word after installing the patches.
According to Microsoft, the update that caused this problem in Word 2013 was KB2889939. Problems appearing after the installation of Microsoft updates have become commonplace. Recently, Microsoft removed the December update for Exchange Server 2010 from its update channels and released a new update for it two days later.

Another Patch Tuesday Patch from Microsoft for Office

Number: IRCNE2014122401
Date: 2014/12/16

According to “zdnet”, in what is becoming a disturbingly familiar development, Microsoft has issued fixes for problems caused by an update released earlier.
These problems date to one of the updates to Microsoft Office, Microsoft Word in particular, in October 2014. Microsoft says that, after the updates were applied, some users were unable to update fields in Microsoft Word in some scenarios. No more specific information is as yet available on the problem.
According to Microsoft, the update that caused the problem for Word 2013 was KB2889939. Problems with Microsoft updates have become common. Most recently, Microsoft withdrew an update to Exchange Server 2010.

'SpoofedMe' attacks discovered against LinkedIn and Amazon

Number: IRCNE2014122400
Date (Iranian calendar): 25/09/93

Security researchers from IBM's X-Force found a way to gain access to web user accounts by exploiting the way social sites' login services are configured.
These services allow people to log in to websites using social sites such as LinkedIn. They are a convenient route for users who want to create new accounts on websites.
Using LinkedIn's login mechanism, the researchers were able to take control of user accounts on other sites.
Or Peles and Roee Hay of IBM Security Systems believe that other services also exist that are vulnerable to "SpoofedMe" attacks.
After IBM reported the problem, the providers Amazon, LinkedIn and Vasco fixed the issues.

The POODLE security problem has not been fixed

Number: IRCNE2014122399
Date (Iranian calendar): 25/09/93

Adam Langley of Google stated that many TLS implementations are vulnerable to attacks similar to POODLE. The POODLE attack, several months ago, targeted version 3 of the SSL protocol.
In the SSLv3 protocol, the handling of data encrypted in CBC mode was not effectively specified. This lack of an effective specification left the protocol vulnerable to oracle attacks.
After SSL version 3, TLS version 1.0 was introduced. In this protocol the encryption details were fully specified, so it could resist oracle attacks.
But it has recently become clear that some TLS implementations, despite being able to check the encrypted bytes, still do not perform this check.
So far no reports of widespread POODLE attacks have been published, but Google and many other companies are in the process of shutting down servers that use SSLv3 connections.
Langley stated that F5 and A10 network equipment is affected by this vulnerability. Updates have already been released for F5, and patches are to be released for A10 in the future.
He added that encryption performed by protocols earlier than TLS version 1.2 is vulnerable to similar attacks.

'SpoofedMe' attacks exploited LinkedIn, Amazon social login flaws

Number: IRCNE2014122400
Date: 2014/12/16

According to “techworld”, IBM's X Force security researchers found an easy way to gain access to Web accounts by taking advantage of an oversight in how some social login services are configured.
Those services allow someone to log in to a Web service using, for example, their LinkedIn credentials. It's a convenient way for users to create new accounts on websites by using existing information.
But in one instance, the researchers found they could gain control of accounts at Slashdot.org, Nasdaq.com, Crowdfunder.com and others by abusing LinkedIn's social login mechanism.
Other identity services were also found to be vulnerable to the "SpoofedMe" attack, wrote Or Peles and Roee Hay of IBM Security Systems.
LinkedIn, Amazon and Vasco, all identity providers, have all either fixed or taken measures to prevent such account takeovers, after notification from IBM, the researchers said. But the problem is one that both identity providers and third-party websites using those services should be aware of.

POODLE not fixed? Some TLS systems vulnerable

Number: IRCNE2014122399
Date: 2014/12/16

According to “zdnet”, Google SSL guru Adam Langley has revealed that many TLS implementations are vulnerable to an attack similar to the POODLE attack from several weeks ago which affected only SSL version 3.
SSLv3 did not effectively specify the padding of data in CBC-mode ciphers. The lack of a hard specification made effective checking of the blocks for irregularities impossible. This opened the system to what is called an "oracle attack."
After SSL version 3 the specification was renamed TLS and reset to version 1.0. One change in TLS 1.0 was to fully specify the contents of padding bytes, preventing this attack.
But it turns out that some TLS implementations still didn't check the padding bytes, despite the ability to do so.
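The strict TLS 1.0 padding rule next to the lax SSLv3-style check described above, as an added example that is not part of the original article; the record bytes and the `build_record` helper are constructed for illustration:

```python
# Added example, not from the article: TLS 1.0 CBC padding validation next to
# the lax SSLv3-style check. In TLS 1.0 and later the last byte L of a decrypted
# record is the padding length and each of the L filler bytes before it must
# also equal L; SSLv3 only defined the last byte. A receiver that skips the
# filler check accepts records whose padding was altered in transit.
# All record bytes below are constructed for illustration, not real TLS traffic.
from typing import Optional


def strip_padding_tls(plaintext: bytes) -> Optional[bytes]:
    """Strict TLS 1.0 rule (RFC 2246 6.2.3.2): every filler byte must equal the length byte."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):       # length byte plus filler must fit in the record
        return None
    filler = plaintext[-(pad_len + 1):-1]
    if any(b != pad_len for b in filler):  # corrupted or forged filler byte
        return None
    return plaintext[:-(pad_len + 1)]


def strip_padding_sslv3_style(plaintext: bytes) -> Optional[bytes]:
    """Lax rule: trusts the length byte and never looks at the filler bytes."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    return plaintext[:-(pad_len + 1)]


def build_record(body: bytes, block_size: int = 16) -> bytes:
    """Constructed helper: append TLS-style padding up to a whole block."""
    pad_len = (block_size - (len(body) + 1) % block_size) % block_size
    return body + bytes([pad_len]) * (pad_len + 1)


def demo() -> dict:
    """Compare both receivers on a valid record and on one with a corrupted filler byte."""
    good = build_record(b"GET / HTTP/1.1\r\n" + b"\x00" * 20)  # 20 zero bytes stand in for the MAC
    tampered = bytearray(good)
    tampered[-(good[-1] + 1)] ^= 0xFF      # flip the first filler byte, leave the length byte
    tampered = bytes(tampered)
    return {
        "strict_good": strip_padding_tls(good) is not None,
        "strict_tampered": strip_padding_tls(tampered) is not None,       # False: rejected
        "lax_tampered": strip_padding_sslv3_style(tampered) is not None,  # True: accepted
    }
```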
There have been no reports of widespread (or even narrowspread) exploits of POODLE, but Google and many other companies are well on their way to stopping servers from falling back to SSLv3 connections.
Langley says that both F5 and A10 networking equipment are affected. F5 has released updates. A10 planned to, but I cannot confirm that they have.
Langley closes by reminding readers that "...everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken," including many implementations which conform to current specifications. Doing cryptography right is hard.

Exchange 2010 security update reissued

Number: IRCNE2014122398
Date (Iranian calendar): 24/09/93

Microsoft has released a new update for Exchange 2010. On Wednesday, the company removed the update that had shipped in the December patch release for this software from its update channels.
The update is called Exchange Server 2010 SP3 Update Rollup 8 (KB2986475) and was released on the December Patch Tuesday. Alongside it, other updates were released for Exchange Server 2007 and 2013, but no problems have been reported with them.
When it withdrew the Exchange 2010 update, Microsoft told users who had installed it to remove the update in order to resolve the problem. The company now recommends that users install the new version as soon as possible.
The initial version of the update affected Outlook's ability to connect to Exchange. In fact, this month's security updates for Exchange Server were released a month late: they were scheduled for the November patch release but, for some reason, were not released then and were postponed to the following month.

Microsoft reissues withdrawn Exchange 2010 update

Number: IRCNE2014122398
Date: 2014/12/15

According to “zdnet”, Microsoft has reissued an update to Exchange Server 2010 previously issued this week and then withdrawn.
The update is the Exchange Server 2010 SP3 Update Rollup 8 (KB2986475), one of several Exchange Server update packages released Tuesday. There were also update packs for Exchange Server 2007 and 2013, as well as language packs for Exchange Server 2013 Unified Messaging. No problems have been reported with those updates.
In withdrawing the update, Microsoft recommended that users who had already installed the Exchange Server 2010 update remove it. Now the company says that such users should install the new version of the update as soon as possible.
The initial version of the update affected the ability of Outlook to connect to Exchange. The security updates for Microsoft Exchange this month had actually been delayed a month from the November Patch Tuesday.

Microsoft pulls Exchange 2010 update

Number: IRCNE2014122397
Date: 2014/12/14

According to “zdnet”, Microsoft has withdrawn an update released yesterday for Microsoft Exchange 2010. The update is the Exchange Server 2010 SP3 Update Rollup 8, one of several Exchange Server update packages released yesterday. There were also update packs for Exchange Server 2007 and 2013, as well as language packs for Exchange Server 2013 Unified Messaging.
Now Microsoft says that a problem in the update affects the ability of Outlook to connect to Exchange. It has been removed from the Download Center and other channels until a fixed version is available. Microsoft recommends that customers who have already deployed the update perform a rollback on it. The rollback is the only action necessary in order to restore any lost connectivity from Outlook.

Microsoft antimalware to lock down system settings

Number: IRCNE2014122396
Date: 2014/12/14

According to “zdnet”, back in October Microsoft announced that it would soon add detections to its antimalware products for behaviors exhibited by some misbehaving software. On Thursday they announced that some of these changes take effect immediately and others on January 1.
The behaviors mostly deal with browser extensions and settings. Many such problems have been blocked in all major browsers by a disabled-by-default model for newly-installed extensions, requiring the user to affirmatively choose to install new software. But some programs have found hacks around these restrictions. Microsoft has defined these two behaviors as unacceptable:

  • Bypassing consent dialogs from browsers that ask you if you want to install browser toolbars/extensions/add-ons.
  • Preventing you from viewing or modifying browser features or settings.

For example, some software has used Group or Local Policy Objects, registry changes, and preferences file modifications to permit the installation of software which is blocked or disabled by default.
This sort of capability, sometimes called HIPS (Host Intrusion Prevention Service), is common in other modern security suites. Kaspersky calls it Application Privilege Control, part of a set of related services that are much more flexible and comprehensive than Microsoft's.
But Microsoft's antimalware products set an effective baseline that users get by default. In a statement, Microsoft said that the new enforcement applied to all browsers, not just to Internet Explorer.
Microsoft has defined one more behavior as unacceptable: programs may not "... circumvent user consent dialogs from the browser or operating system." This change will go into effect on January 1.
