'SpoofedMe' attacks exploited LinkedIn, Amazon social login flaws

Number: IRCNE2014122400
Date: 2014/12/16

According to “techworld”, IBM's X-Force security researchers found an easy way to gain access to Web accounts by taking advantage of an oversight in how some social login services are configured.
Those services allow someone to log in to a Web service using, for example, their LinkedIn credentials. It is a convenient way for users to create accounts on new websites from identity information they already have.
But in one instance, the researchers found they could gain control of accounts at Slashdot.org, Nasdaq.com, Crowdfunder.com and others by abusing LinkedIn's social login mechanism.
Other identity services were also found to be vulnerable to the "SpoofedMe" attack, wrote Or Peles and Roee Hay of IBM Security Systems.
LinkedIn, Amazon and Vasco, all identity providers, have either fixed the issue or taken measures to prevent such account takeovers after notification from IBM, the researchers said. But the problem is one that both identity providers and the third-party websites that rely on them should be aware of.
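The relying-website side of the problem, as an added example written for this page (it is not IBM's code nor any identity provider's). The published attack works because an attacker can register at a vulnerable identity provider using the victim's e-mail address without proving control of it, and a website that matches the asserted e-mail to its existing local accounts then hands the attacker the victim's account. The identity provider's assertion is modelled here as a plain dict using OpenID Connect claim names (iss, sub, email, email_verified), which is an assumption; the provider URL, user ids and e-mail addresses are all constructed.

```python
# Added example (not IBM's or any identity provider's code).  The assertion is
# modelled as a dict with OpenID Connect claim names; all names and ids are constructed.
IDP = "https://idp.example"            # hypothetical identity provider


def new_site():
    """A relying website with one pre-existing local account (constructed data)."""
    return {"users_by_email": {"victim@example.com": 42},   # e-mail -> local user id
            "links": {}}                                    # (iss, sub) -> local user id


def social_login_vulnerable(site, assertion):
    # The oversight: the e-mail in the assertion is used as the account key even
    # though the provider never checked that the registrant controls that address.
    return site["users_by_email"].get(assertion["email"])


def social_login_hardened(site, assertion):
    """Return the local user id, or None when the site must first ask for a local
    password (or its own e-mail proof) before the social identity may be linked."""
    key = (assertion["iss"], assertion["sub"])
    if key in site["links"]:              # already linked: the stable (iss, sub) pair is the key
        return site["links"][key]
    email = assertion.get("email")
    if assertion.get("email_verified") is True and email in site["users_by_email"]:
        site["links"][key] = site["users_by_email"][email]   # auto-link only on a verified e-mail
        return site["links"][key]
    return None


# Constructed scenario: the attacker registered at IDP with the victim's address, unverified.
ATTACKER = {"iss": IDP, "sub": "attacker-001", "email": "victim@example.com", "email_verified": False}
VICTIM = {"iss": IDP, "sub": "victim-777", "email": "victim@example.com", "email_verified": True}
```

Two points carry over to real deployments: the verified-e-mail claim must come from the provider's signed response, never from a client-supplied field, and a provider that offers no such claim should be treated as if it were false, so that the first login from an unknown (iss, sub) pair always goes through the site's own proof of ownership before it is attached to an existing account.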

POODLE not fixed? Some TLS systems vulnerable

Number: IRCNE2014122399
Date: 2014/12/16

According to “zdnet”, Google SSL expert Adam Langley has revealed that many TLS implementations are vulnerable to an attack similar to the POODLE attack disclosed several weeks ago, which affected only SSL version 3.
SSLv3 did not specify the contents of the padding bytes used with CBC-mode cipher suites; only the final length byte is defined, so a receiver cannot check the padding bytes for tampering. This exposed the protocol to what is called a padding-oracle attack.
After SSL version 3 the specification was renamed TLS and its version number reset to 1.0. One change in TLS 1.0 was to fully specify the contents of the padding bytes, which lets a receiver reject tampered padding and prevents this attack.
But it turns out that some TLS implementations still do not check the padding bytes, despite now being able to do so, and are therefore open to the same attack.
There have been no reports of widespread (or even narrowspread) exploits of POODLE, but Google and many other companies are well on their way to stopping servers from falling back to SSLv3 connections.
Langley says that both F5 and A10 networking equipment are affected. F5 has released updates. A10 planned to, but I cannot confirm that they have.
Langley closes by reminding readers that "...everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken," including many implementations which conform to current specifications. Doing cryptography right is hard.
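To make the difference between the two padding rules concrete, here is an added simulation written for this page (it is not Langley's code nor any vendor's). It implements a CBC record layer with MAC-then-pad, a receiver that strips padding either the SSLv3 way (only the length byte is read) or the TLS 1.0 way (every padding byte must equal the length byte), and the POODLE byte-recovery loop: the attacker copies the ciphertext block holding the target byte over the final padding block and waits for the receiver to accept. Assumptions: a toy 4-round Feistel network keyed with HMAC-SHA256 stands in for AES (the attack needs only a keyed bijection; this is not real crypto), HMAC-SHA256 is the record MAC, each record gets a fresh random IV instead of SSLv3's chained IVs, and the secret, keys and request layout are constructed. A TLS 1.0 stack that skips the padding check, as Langley describes, behaves exactly like the `unpad_sslv3` receiver.

```python
import hashlib
import hmac
import secrets

BLOCK = 16      # cipher block size in bytes
MAC_LEN = 32    # HMAC-SHA256 tag length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Toy round function: keyed hash truncated to a half block (not real crypto).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    # 4-round Feistel network standing in for AES: any keyed bijection will do.
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def pad(body):
    # MAC-then-pad layout: n padding bytes plus a length byte, all equal to n.
    n = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([n]) * (n + 1)

def unpad_sslv3(pt):
    # SSLv3 rule: only the length byte is defined; padding contents are never checked.
    if not pt or pt[-1] >= BLOCK:
        return None
    return pt[:-(pt[-1] + 1)]

def unpad_tls(pt):
    # TLS 1.0 rule: every padding byte must equal the length byte.
    if not pt or pt[-1] >= BLOCK or pt[-(pt[-1] + 1):] != bytes([pt[-1]]) * (pt[-1] + 1):
        return None
    return pt[:-(pt[-1] + 1)]

def server_accepts(enc_key, mac_key, iv, ct, unpad):
    # Receiver: decrypt, strip padding with the chosen rule, then verify the MAC.
    body = unpad(cbc_decrypt(enc_key, iv, ct))
    if body is None or len(body) < MAC_LEN:
        return False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest())

def client_record(enc_key, mac_key, prefix_len, secret, suffix_len):
    # Attacker-chosen request path (prefix) and body (suffix) surround a secret the
    # browser appends, e.g. a cookie.  Fresh random IV per record (assumption).
    data = b"A" * prefix_len + secret + b"B" * suffix_len
    tag = hmac.new(mac_key, data, hashlib.sha256).digest()
    iv = secrets.token_bytes(BLOCK)
    return iv, cbc_encrypt(enc_key, iv, pad(data + tag))

def poodle_recover(enc_key, mac_key, secret, unpad, max_tries=20000):
    """Recover `secret` a byte at a time through the oracle `unpad` exposes; returns
    the bytes, or None if the receiver never accepted a tampered record."""
    recovered = bytearray()
    for k in range(len(secret)):
        prefix_len = BLOCK + (BLOCK - 1 - k) % BLOCK      # secret[k] on a block's last byte
        suffix_len = -(prefix_len + len(secret)) % BLOCK   # data+MAC fill whole blocks, so a full padding block follows
        j = (prefix_len + k) // BLOCK + 1                  # block holding secret[k]; blocks[0] is the IV
        for _ in range(max_tries):
            iv, ct = client_record(enc_key, mac_key, prefix_len, secret, suffix_len)
            blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            n = len(blocks) - 1
            blocks[n] = blocks[j]                          # target block replaces the padding block
            if server_accepts(enc_key, mac_key, blocks[0], b"".join(blocks[1:]), unpad):
                # Accepted only when D(C_j)[15] ^ C_{n-1}[15] == 15, so the plaintext byte
                # P_j[15] = D(C_j)[15] ^ C_{j-1}[15] = 15 ^ C_{n-1}[15] ^ C_{j-1}[15].
                recovered.append((BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[j - 1][-1])
                break
        else:
            return None
    return bytes(recovered)
```

Against `unpad_sslv3` the loop needs about 256 records per recovered byte, which is the figure POODLE is known for; against `unpad_tls` the swapped block would have to decrypt to sixteen identical bytes, so the receiver never accepts and `poodle_recover` gives up. The strict check closes this particular oracle but not the timing side channels that later Lucky 13 work exploited, which is why Langley's advice is TLS 1.2 with an AEAD cipher suite rather than a better padding check.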

Security update for Exchange 2010 reissued

Number: IRCNE2014122398
Date: 24/09/93 (Solar Hijri)

Microsoft has released a new update for Exchange 2010. On Wednesday the company had removed from its update channels the update originally published in the December patch release for this software.
The update is called Exchange Server 2010 SP3 Update Rollup 8 (KB2986475) and was released on December's Patch Tuesday. Updates for Exchange Server 2007 and 2013 were released alongside it, but no problems have been reported with those.
When it withdrew the Exchange 2010 update, Microsoft told users who had installed it to remove it in order to resolve the problem. The company now recommends that users install the new version of the update as soon as possible.
The initial version of the update affected Outlook's ability to connect to Exchange. This month's security updates for Exchange Server were in fact released a month late: they were scheduled for the November patch release but, for reasons not stated, were postponed to the following month.

Microsoft reissues withdrawn Exchange 2010 update

Number: IRCNE2014122398
Date: 2014/12/15

According to “zdnet”, Microsoft has reissued an update to Exchange Server 2010 previously issued this week and then withdrawn.
The update is the Exchange Server 2010 SP3 Update Rollup 8 (KB2986475), one of several Exchange Server update packages released Tuesday. There were also update packs for Exchange Server 2007 and 2013, as well as language packs for Exchange Server 2013 Unified Messaging. No problems have been reported with those updates.
In withdrawing the update, Microsoft recommended that users who had already installed the Exchange Server 2010 update remove it. Now the company says that such users should install the new version of the update as soon as possible.
The initial version of the update affected the ability of Outlook to connect to Exchange. The security updates for Microsoft Exchange this month had actually been delayed a month from the November Patch Tuesday.

Microsoft pulls Exchange 2010 update

Number: IRCNE2014122397
Date: 2014/12/14

According to “zdnet”, Microsoft has withdrawn an update released yesterday for Microsoft Exchange 2010. The update is the Exchange Server 2010 SP3 Update Rollup 8, one of several Exchange Server update packages released yesterday. There were also update packs for Exchange Server 2007 and 2013, as well as language packs for Exchange Server 2013 Unified Messaging.
Now Microsoft says that a problem in the update affects the ability of Outlook to connect to Exchange. It has been removed from the Download Center and other channels until a fixed version is available. Microsoft recommends that customers who have already deployed the update perform a rollback on it. The rollback is the only action necessary in order to restore any lost connectivity from Outlook.

Microsoft antimalware to lock down system settings

Number: IRCNE2014122396
Date: 2014/12/14

According to “zdnet”, back in October Microsoft announced that it would soon add detections to its antimalware products for behaviors exhibited by some misbehaving software. On Thursday they announced that some of these changes take effect immediately and others on January 1.
The behaviors mostly deal with browser extensions and settings. Many such problems have been blocked in all major browsers by a disabled-by-default model for newly-installed extensions, requiring the user to affirmatively choose to install new software. But some programs have found hacks around these restrictions. Microsoft has defined these two behaviors as unacceptable:

  • Bypassing consent dialogs from browsers that ask you if you want to install browser toolbars/extensions/add-ons.
  • Preventing you from viewing or modifying browser features or settings.

For example, some software has used Group or Local Policy Objects, registry changes, and modifications to browser preference files to permit the installation of software that is blocked or disabled by default.
This sort of capability, sometimes called HIPS (host intrusion prevention system), is common in other modern security suites. Kaspersky calls it Application Privilege Control, part of a set of related services that are much more flexible and comprehensive than Microsoft's.
But Microsoft's antimalware products set an effective baseline that users get by default. In a statement, Microsoft said that the new enforcement applied to all browsers, not just to Internet Explorer.
Microsoft has defined one more behavior as unacceptable: programs may not "... circumvent user consent dialogs from the browser or operating system." This change will go into effect on January 1.

Microsoft patches Windows, IE, Office and Exchange

Number: IRCNE2014122395
Date: 2014/12/13

According to “zdnet”, Microsoft has released their December security updates addressing 24 vulnerabilities in Windows, Internet Explorer, Exchange and Office. The bulletins released are:

  • MS14-075: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
  • MS14-080: Cumulative Security Update for Internet Explorer (3008923) - This update fixes 14 vulnerabilities affecting every supported version of the browser.
  • MS14-081: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
  • MS14-082: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
  • MS14-083: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
  • MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
  • MS14-085: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)

According to the Microsoft Malware Protection Center, the December version of the MSRT (Malicious Software Removal Tool) adds no new malware families, but does update the detection and remediation capabilities.
Microsoft also released 16 non-security updates to various versions of Windows, including a new set of language packs.

Adobe fixes Flash zero day, plus bugs in Acrobat, Reader and ColdFusion

Number: IRCNE2014122394
Date: 2014/12/13

According to “zdnet”, Adobe has released updates to Flash Player, Acrobat, Reader and ColdFusion to address vulnerabilities. The company says it has reports that one of the vulnerabilities in Flash Player is being exploited in the wild.
Flash Player bulletin APSB14-27 describes six vulnerabilities affecting versions 15.0.0.242 and earlier in the 15.x branch, 13.0.0.258 and earlier in the 13.x branch, and 11.2.202.424 and earlier for Linux.
Windows and Mac users should update to version 16.0.0.235. Users of the Extended Support Release should update to version 13.0.0.259. Linux users should update to Adobe Flash Player 11.2.202.425.
Microsoft and Google will today be releasing updates to Internet Explorer 10+ and Chrome in order to patch the Flash Players embedded in them.
These vulnerabilities are rated as critical, and the presence of one which is being exploited means that this update is high-priority.
Adobe Reader and Acrobat bulletin APSB14-28 describes twenty vulnerabilities affecting the Windows and Mac versions of the products. The company says they have no reports of exploits in the wild, but the vulnerabilities have serious implications and are rated critical.
Users of Acrobat X or Reader X versions 10.1.12 and earlier for Windows or Mac should update to version 10.1.13. Users of Acrobat XI or Reader XI versions 11.0.09 and earlier for Windows or Mac should update to version 11.0.10.
These products can be updated by the user through the update option in the Help menu or via the Adobe Downloads page.
Finally, ColdFusion bulletin APSB14-29 describes a single resource consumption bug which could result in denial of service. The problem affects both ColdFusion versions 10 and 11, but not version 9.

Problem with the security update for Exchange 2010

Number: IRCNE2014122397
Date: 23/09/93 (Solar Hijri)

Microsoft has withdrawn the update for Microsoft Exchange 2010 that it released on Wednesday. The Exchange Server 2010 SP3 Update Rollup 8 update was one of several updates released on Microsoft's December Patch Tuesday. Updates for Exchange Server 2007 and 2013 were also released this month.
Microsoft announced that there is a problem with the Microsoft Exchange 2010 update that affects Outlook's ability to communicate with Exchange. As a result the update has been removed from the Download Center and other channels. The company recommended that users who have installed the patch remove it.

Microsoft antimalware to lock down system settings

Number: IRCNE2014122396
Date: 23/09/93 (Solar Hijri)

In October Microsoft announced that it intended to add further protections to its antimalware products. On Thursday the company announced that it has added some of these protections in the new version of its antimalware products and will release the rest on January 1.
Some of the behaviors concern browser settings and extensions. Many of these behaviors are already blocked in all browsers because newly installed extensions are disabled by default and enabling them requires the user's permission and informed choice. But some programs manage to hack around these restrictions. Microsoft has defined the following two cases in the new version of its antimalware tool:
1. Bypassing browser dialogs that ask the user whether to install add-ons, extensions and toolbars.
2. Preventing the user from viewing or changing browser features or settings.
For example, some software uses Group Policy, registry changes and modifications to preference files to allow software that is blocked or disabled by default to be installed.
These kinds of capabilities are sometimes called HIPS, and their use in today's security suites is common. In Kaspersky's products they are called Application Privilege Control, which is more comprehensive and flexible than Microsoft's.
Microsoft has stated that these capabilities apply not only to IE but to all browsers.
Microsoft has defined one further behavior as unacceptable, which it will add to its antimalware tool's capabilities on January 1.
