Apple security checks may miss iWorm malware

Number: IRCNE2014112364
Date: 2014/11/05

According to “techworld”, Apple's security technologies for Mac OS X may still miss iWorm, a piece of malware discovered in late September that infected thousands of computers.
Apple released an update for its XProtect antivirus engine to detect iWorm, but the update only detects when iWorm's installer is launched, which is a one-time operation, said Patrick Wardle, director of research with Synack, a computer security company based in Redwood City, California. He wrote a paper describing his findings.
Apple "released a signature, but it doesn't address the problem," Wardle said in a phone interview Tuesday. "Unless the user has another antivirus product installed that has a correct signature, those infections aren't going to go away."
iWorm, which is a backdoor that can steal data from a computer, infected more than 18,000 machines, according to security company Dr. Web. It does not exploit any vulnerabilities on Mac OS X but instead relies on tricking people to install it.
"Unfortunately, it [iWorm] is able to bypass Apple's malware mitigations really easily," Wardle said. "It illustrates that malware on OS X is a problem. It's not that Macs are immune to malware."

Serious security flaw in OS X Yosemite 'Rootpipe'

Number: IRCNE2014112363
Date: 2014/11/05

According to “zdnet”, details are finally emerging about a serious vulnerability in Apple's OS X Yosemite, called "Rootpipe" which allows root access by attackers.
The privilege escalation vulnerability was discovered by Swedish hacker Emil Kvarnhammar, who has been asked by Apple to withhold details until January 2015 -- since Apple likely wouldn't allow details until they have a fix, this is probably when users can expect a patch.
"Rootpipe is a privilege escalation from admin to root so switching to a non-admin account would clearly be a good thing," Kvarnhammar said.
Kvarnhammar said, "The current agreement with Apple is to disclose all details in mid-January 2015. This might sound like a long wait, but hey, time flies. It's important that they have time to patch, and that the patch is available for some time."
Kvarnhammar first found the exploit in previous versions of Apple's OS around mid-October.
The same day Kvarnhammar tweeted caution to give Apple time in pushing out a fix, somewhat coincidentally, Apple rolled out security updates for Mountain Lion, Mavericks, OS X Server versions 2, 3 and 4 (new version) and iTunes -- which added up to address a whopping 144 separate vulnerabilities. Some of the fixes were for vulnerabilities reported over a year ago.
Don't use an admin account daily. Needless to say, you should be using FileVault regardless.
Rootpipe's entry point is an admin account, which is what the first account on every Mac is and what most people use day to day. To block it, create a second admin account that you will not use every day, then, logged in as that account, remove admin rights from the account you use daily.
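The account change above written out as shell commands, added here as an example (not from Kvarnhammar, ZDNet or Apple). It assumes the OS X tools `dscl` and `dseditgroup`: `dscl . -read /Groups/admin GroupMembership` lists the admin group and `dseditgroup -o edit -d USER -t user admin` removes a user from it. The group listing used when not on OS X is a constructed sample. The guard that refuses to demote the only admin is the check worth keeping: without a second admin account nothing is left that can administer the machine.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: the mitigation above as
# shell commands. On OS X the admin group is the Directory Service group
# "admin"; dscl lists its members and dseditgroup edits them. Parsing and the
# last-admin guard are plain shell so they can be exercised on a sample.

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_MEMBERSHIP='GroupMembership: root alice'

# The live listing on OS X; the constructed sample elsewhere.
admin_membership_line() {
    if [ "$(uname -s)" = Darwin ]; then
        dscl . -read /Groups/admin GroupMembership
    else
        printf '%s\n' "$SAMPLE_MEMBERSHIP"
    fi
}

# Turn a GroupMembership line ($1) into one user name per line.
parse_admin_members() {
    printf '%s\n' "$1" | sed 's/^GroupMembership:[[:space:]]*//' | tr ' ' '\n' | sed '/^$/d'
}

# Return 0 if user $1 is listed in membership line $2.
is_admin_in() {
    parse_admin_members "$2" | grep -qx -- "$1"
}

# Print the command that demotes user $1 given membership line $2.
# Returns 2 if $1 is not an admin, and 1 (refusing) if $1 is the only admin
# account apart from root: create the spare admin account first, or the
# machine is left with no account that can administer it.
demotion_command() {
    user=$1; members=$2
    is_admin_in "$user" "$members" || { echo "$user is not an admin"; return 2; }
    others=$(parse_admin_members "$members" | grep -vx -- root | grep -vx -- "$user" | wc -l | tr -d ' ')
    if [ "$others" -eq 0 ]; then
        echo "refusing: $user is the only admin account, create a second one first"
        return 1
    fi
    # -d removes the member; run it from the spare admin account, not from $user.
    echo "sudo dseditgroup -o edit -d $user -t user admin"
}

# Usage: both outcomes on constructed listings, then the account running this.
demotion_command alice "$SAMPLE_MEMBERSHIP" || true                 # refused: no spare admin
demotion_command alice 'GroupMembership: root alice spare-admin'    # prints the dseditgroup line
demotion_command "$(id -un)" "$(admin_membership_line)" || true
```

The printed `dseditgroup` line asks for an administrator's credentials when run; run it from the spare admin account, because once the daily account is demoted it can no longer authorise the change itself.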

Vulnerabilities found in more command-line tools

Number: IRCNE2014112361
Date: 2014/11/02

According to “techworld”, the critical Shellshock vulnerabilities found last month in the Bash Unix shell have motivated security researchers to search for similar flaws in old, but widely used, command-line utilities.
Two remote command execution vulnerabilities were patched this week in the popular wget download agent and tnftp client for Unix-like systems. This comes after a remote code execution vulnerability was found last week in a library used by strings, objdump, readelf and other command-line tools.
GNU Wget is the go-to utility for downloading Web-based files and resources on a Linux system using the command-line interface. In addition to being used manually, wget is commonly called by custom scripts and scheduled tasks -- cron jobs on Linux.
"Wget versions prior to 1.16 are vulnerable to a symlink attack (CVE-2014-4877) when running in recursive mode with a FTP target," said HD Moore, the chief research officer at Rapid7 who found the vulnerability, in a blog post Tuesday.
"This vulnerability allows an attacker operating a malicious FTP server to create arbitrary files, directories, and symlinks on the user's filesystem," Moore explained. "The symlink attack allows file contents to be overwritten, including binary files, and access to the entire filesystem with the permissions of the user running wget."
Ultimately, the vulnerability can lead to remote code execution.
Users should either upgrade to wget 1.16 or make sure their Linux distribution ships a wget package that has the CVE-2014-4877 patch applied. The flaw can also be mitigated by manually adding the line "retr-symlinks=on" in the /etc/wgetrc or ~/.wgetrc settings files, Moore said.
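A script that checks for the exposure and applies the wgetrc mitigation quoted above, added here as an example (not from Rapid7 or the wget project). It assumes `wget --version` prints `GNU Wget x.y.z` on its first line, and it matches `retr-symlinks` the way wget reads wgetrc (case, `-` and `_` are not significant, the last setting wins). A distribution that backported the fix still reports a version below 1.16, so for such a package check its changelog rather than this script's verdict.

```shell
#!/bin/sh
# Added example, not from the article, Rapid7 or the wget project: checks a
# host for CVE-2014-4877 exposure and applies the wgetrc mitigation.
# retr-symlinks=on makes a recursive FTP fetch download the target of a
# remote symlink as an ordinary file instead of recreating the link locally,
# so a malicious server can no longer plant a link that later writes follow.

# Return 0 if dotted version $1 is at least $2 (three numeric fields).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Return 0 if wgetrc file $1 leaves retr-symlinks on: comments stripped,
# option name normalised as wget does, last occurrence wins.
wgetrc_retr_symlinks_on() {
    [ -r "$1" ] || return 1
    val=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | tr 'A-Z' 'a-z' | sed 's/[-_]//g' \
          | grep '^retrsymlinks=' | tail -n 1 | cut -d= -f2)
    case "$val" in
        on|1|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Append the mitigation to wgetrc file $1 unless it is already in effect.
ensure_retr_symlinks() {
    wgetrc_retr_symlinks_on "$1" && return 0
    printf '\n# CVE-2014-4877 mitigation\nretr-symlinks=on\n' >> "$1"
}

# Report the installed wget: 0 = safe, 1 = exposed, 2 = wget not installed.
check_wget() {
    ver=$(wget --version 2>/dev/null | sed -n '1s/^GNU Wget \([0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo "wget: not installed"; return 2; }
    if version_ge "$ver" 1.16; then echo "wget $ver: fixed upstream"; return 0; fi
    for f in /etc/wgetrc "${HOME:-/}/.wgetrc"; do
        if wgetrc_retr_symlinks_on "$f"; then echo "wget $ver: mitigated by $f"; return 0; fi
    done
    echo "wget $ver: exposed to CVE-2014-4877 (upgrade, or add retr-symlinks=on to /etc/wgetrc)"
    return 1
}

check_wget
```

Only the system file protects cron jobs and other scripts that run under accounts without a `~/.wgetrc`, which is why `ensure_retr_symlinks /etc/wgetrc` is the call that matters on a server.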
Tnftp is a cross-platform port of the original BSD FTP client. It is the default FTP client in NetBSD, FreeBSD, DragonFly BSD and Mac OS X.
A vulnerability patched this week in tnftp allows a malicious server to execute arbitrary commands on the user's system. The issue is being tracked as CVE-2014-8517.

Facebook opens up link to dark web via Tor

ID: IRCNE2014112362
Date: 2014-11-05

According to “ITPro”, Facebook will no longer try to stop Tor users from accessing its social network.
Until now, Facebook’s security policies had prevented people from accessing the site via the so-called “dark web”.
Users will be able to visit the site through a Tor-enabled browser, with the Tor network hiding where the user is connecting from. Tor works by wrapping traffic in multiple layers of encryption and relaying it through a chain of volunteer-run relays around the world.
The change in policy means users can access the site "without losing the cryptographic protections", according to Facebook.
Users can reach Facebook through the onion address https://facebookcorewwwi.onion/, which keeps their location, and other information about their connection, from being exposed to others.
Previously, Facebook locked out this type of traffic for fear it was under attack from a botnet.
“Tor challenges some assumptions of Facebook's security mechanisms,” said Alec Muffett, software engineer for security infrastructure at Facebook London, in a blog post.
“For example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada. In other contexts, such behaviour might suggest that a hacked account is being accessed through a 'botnet', but for Tor this is normal.”
The access also uses SSL security on top of Tor as Facebook’s architecture requires this to accept the connection, rather than for any security concerns.

Google to kill off SSL 3.0 in Chrome 40

ID: IRCNE2014112360
Date: 2014-11-02

According to “ComputerWorld”, Google plans to remove support for the aging Secure Sockets Layer (SSL) version 3.0 protocol in Google Chrome 40, which is expected to ship in about two months.
The decision comes after Google security researchers recently discovered a dangerous design flaw in SSL 3.0. Dubbed "POODLE," the vulnerability allows a man-in-the-middle attacker to recover sensitive plaintext information, such as authentication cookies, from an HTTPS (HTTP Secure) connection encrypted with SSLv3.
Even though POODLE is the biggest security issue found in SSL 3.0 so far, it is not the protocol's only weakness. SSL version 3 was designed in the mid-1990s and supports outdated cipher suites that are now considered insecure from a cryptographic standpoint.
HTTPS connections today typically use TLS (Transport Layer Security) versions 1.0, 1.1 or 1.2. However, many browsers and servers have retained their support for SSL 3.0 over the years -- browsers to support secure connections with old servers and servers to support secure connections with old browsers.
This compatibility-driven situation is one that security experts have long wanted to see change and thanks to POODLE it will finally happen. The flaw's impact is significantly amplified by the fact that attackers who can intercept HTTPS connections can force a downgrade from TLS to SSL 3.0.
Based on an October survey by the SSL Pulse project, 98 percent of the world's most popular 150,000 HTTPS-enabled sites supported SSLv3 in addition to one or more TLS versions. It's therefore easier for browsers to remove their support for SSL 3.0 than to wait for hundreds of thousands of web servers to be reconfigured.
According to Google security engineer Adam Langley, Chrome 39, which is currently in beta and will be released in a couple of weeks, will no longer support the SSL 3.0 fallback mechanism, preventing attackers from downgrading TLS connections.
"In Chrome 40, we plan on disabling SSLv3 completely," Langley wrote.
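Chrome's change is one side of the fix; the other is removing SSLv3 from the servers the survey above describes. The script below is an added example (not from Google, nginx, Apache or OpenSSL) that audits and rewrites the nginx `ssl_protocols` and Apache `SSLProtocol` directives to TLS only, and probes a live host with `openssl s_client -ssl3`. The configuration fragments are constructed for the example; the directive names and the `openssl` output strings it matches are the real ones. An OpenSSL built without SSLv3 (the default since 1.1.0) cannot run the probe, and the script reports that rather than misreading it as a refusal.

```shell
#!/bin/sh
# Added example, not from the article, Google or any server project: the
# server side of the change above. POODLE needs a server that still accepts
# SSLv3 and a client that can be pushed into it; dropping the protocol on
# either side breaks the attack. Two functions audit and rewrite the
# protocol directive in nginx ("ssl_protocols") and Apache ("SSLProtocol")
# configuration; a third probes a live server with openssl s_client.

# Return 0 if the configuration in file $1 still enables SSLv3.
config_allows_sslv3() {
    sed 's/#.*//' "$1" | awk '
        $1 == "ssl_protocols" {                     # nginx: explicit list
            for (i = 2; i <= NF; i++) if ($i ~ /^SSLv3;?$/) bad = 1
        }
        $1 == "SSLProtocol" {                       # Apache: +/- toggles, in order
            on = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "all" || $i == "SSLv3" || $i == "+SSLv3") on = 1
                if ($i == "-SSLv3") on = 0
            }
            if (on) bad = 1
        }
        END { exit bad ? 0 : 1 }'
}

# Rewrite both directives in file $1 to TLS only; a .bak copy is kept and
# the change is shown as a diff.
disable_sslv3_in_config() {
    sed -i.bak \
        -e 's/^\([[:space:]]*ssl_protocols\)[[:space:]].*;/\1 TLSv1 TLSv1.1 TLSv1.2;/' \
        -e 's/^\([[:space:]]*SSLProtocol\)[[:space:]].*/\1 all -SSLv2 -SSLv3/' \
        "$1"
    diff -u "$1.bak" "$1" || true   # diff exits 1 when there is a change
}

# Probe host $1, port $2 (default 443) with an SSLv3-only handshake.
# Returns 0 if the server accepted SSLv3, 1 if it refused or was unreachable,
# 2 if the local OpenSSL was built without SSLv3 and cannot probe at all.
probe_sslv3() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -ssl3 2>&1 | tr 'A-Z' 'a-z')
    case "$out" in
        *"unknown option"*|*"null ssl method"*) return 2 ;;
        *"protocol  : sslv3"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a constructed nginx ($1 = nginx) or Apache ($1 = apache) fragment
# carrying the weak setting to file $2.
write_weak_sample() {
    if [ "$1" = nginx ]; then
        printf 'server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; # weak\n}\n' > "$2"
    else
        printf '<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol all -SSLv2\n</VirtualHost>\n' > "$2"
    fi
}

# Demonstration on the constructed nginx sample.
sample=$(mktemp)
write_weak_sample nginx "$sample"
config_allows_sslv3 "$sample" && echo "before: SSLv3 enabled"
disable_sslv3_in_config "$sample"
config_allows_sslv3 "$sample" || echo "after: SSLv3 disabled"
rm -f "$sample" "$sample.bak"
```

The Apache form `all -SSLv2 -SSLv3` is processed left to right, which is why the audit walks the tokens in order rather than looking for the string `SSLv3` alone: `SSLProtocol all` enables it without ever naming it.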

Shellshock attacks mail servers

Number: IRCNE2014112359
Date: 2014/11/01

According to “zdnet”, reports are emerging that attacks are being performed against SMTP servers using the Shellshock bug. The campaign seeks to create an IRC botnet for DDoS attacks and other purposes.
Shellshock emerged about a month ago and immediately was recognized widely as a serious problem.
The bug had been in the Bash shell for 20 years and was widely deployed in a configuration that made it easy to exploit.
This SMTP vector is a good example of the problem, as mail servers are often left untouched for long periods.
Writing about the attacks, CSO says they have found one of the IRC servers used to host the bots. On October 24 it had 160 compromised servers connected to it.

One week after patch, Flash vulnerability already exploited in large-scale attacks

Number: IRCNE2014102353
Date: 2014/10/21

According to “techworld”, if you haven't updated your Flash Player with the fixes released on Oct. 14, you may be vulnerable to new attacks using a commercial exploit kit called Fiesta, security researchers warn.
The vulnerability, which is being tracked as CVE-2014-0569 in the Common Vulnerabilities and Exposures (CVE) database, was fixed in Flash Player updates last week.
The bundling of an exploit for CVE-2014-0569 in an attack tool that's sold on underground markets is unusual, especially since the vulnerability was privately reported to Adobe through Hewlett-Packard's Zero Day Initiative (ZDI) program, meaning its details should not be public.
The creators of exploit kits like Fiesta typically reuse proof-of-concept exploits published online by researchers or included in legitimate penetration testing tools like Metasploit. That's because reverse engineering patches to discover where vulnerabilities are located and then writing reliable exploits for them requires advanced knowledge and is generally done by professionals.
The use of a CVE-2014-0569 exploit in a Fiesta-powered attack was first spotted by an independent malware researcher known online as Kafeine. Initially he believed the exploit targeted a Flash vulnerability called CVE-2014-0556 that was patched in September, but Timo Hirvonen, a researcher at F-Secure, later determined it actually attacked the much newer flaw.
Regardless of where the exploit came from, users who have not yet installed the latest Flash Player updates should do so as soon as possible.
Windows and Mac users should update to Flash Player 15.0.0.189, or 13.0.0.250 if they're using the extended support release. Users of Flash Player on Linux should upgrade to version 11.2.202.411. The Flash Player plug-ins bundled with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will receive patches through the update mechanisms of those browsers.

Worm exploits NAS devices

Number: IRCNE2014102352
Date: 2014/10/21 (29/7/93 in the Iranian calendar)

A researcher has found that network-attached storage (NAS) devices contain vulnerabilities that can put sensitive data and networks at risk. To prove the point, he built a worm that can compromise devices from three different manufacturers.
Earlier this year Jacob Holcomb, a security analyst at Independent Security Evaluators, began researching the security of NAS devices. He picked popular devices from ten manufacturers and found that all of them were vulnerable to root compromise. He also found that exploiting half of them required no authentication.
The devices tested were the Asustor AS-602T, TRENDnet TN-200 and TN-200T1, QNAP TS-870, Seagate BlackArmor 1BW5A3-570, Netgear ReadyNAS104, D-LINK DNS-345, Lenovo IX4-300D, Buffalo TeraStation 5600, Western Digital MyCloud EX4 and ZyXEL NSA325 v2.
During a presentation last week at the Black Hat Europe security conference in Amsterdam, Holcomb demonstrated a worm that can automatically infect the D-LINK DNS-345, TRENDnet TN-200/TN-200T1 and Western Digital MyCloud EX4 by exploiting command injection and authentication bypass vulnerabilities that apparently have not yet been patched.
Holcomb's worm scans predefined ranges of IP addresses for devices that respond on TCP port 80. When it identifies a vulnerable device, it runs the exploit needed to gain root access and installs an interactive shell. It then downloads and runs a binary copy of itself and starts scanning from the new device.
Holcomb has not released the worm's code publicly, but intends to do so later, after patches for these vulnerabilities are available. His goal in demonstrating the worm was to show that building self-propagating malware for NAS devices is easy, because many of these systems share the same architecture and even the same code supplied by chipset manufacturers.
According to Holcomb, some manufacturers also reuse one code base across their whole product line, so a vulnerability in a cheap home NAS device can also be present in the same manufacturer's expensive enterprise devices. With NAS devices, paying more does not necessarily buy better security.
Holcomb's worm does nothing more than spread across a local network, but attackers could build similar malware that exploits NAS devices reachable from the Internet and uses them for distributed denial-of-service attacks or other malicious activity.
