Bash vulnerability identified

Creation date

Number: IRCNE2014092326
Date: 03/07/93

A newly recognised security vulnerability, referred to as the Bash flaw or Shellshock, could spell disaster for large digital companies, small-scale web hosts and even Internet-connected devices.
This 25-year-old security flaw allows cybercriminals to run malicious code in the Bash shell (normally reached through the command line on a PC or through the Mac's Terminal application), take control of the operating system and gain access to confidential information.
Open-source software company Red Hat warned in a post that many programs run the Bash shell in the background, and that the problem occurs when extra code is appended to lines of Bash code.
Security expert Robert Graham warned that the problem is bigger than the Heartbleed vulnerability, because it interacts with other software in unexpected ways and because a large percentage of software interacts with this shell.
Graham said: we will not be able to identify all the software that is vulnerable to the Bash problem. As a result, while the vulnerability is being patched on identified systems, unidentified systems will remain unpatched. As can be seen, six months after the Heartbleed vulnerability was identified, hundreds of thousands of systems still remain vulnerable.
According to reports, this vulnerability can affect Unix and Linux devices as well as hardware running Mac OS X. Tests on Mac OS X Mavericks version 10.9.4 show that this operating system also uses a vulnerable version of Bash. It appears that around 500,000 websites are vulnerable to the Bash problem.
Tod Beardsley, a manager at security company Rapid7, warned that the vulnerability is low in complexity and that administrators of the wide range of affected devices are advised to apply the relevant patches as soon as possible.
This vulnerability is rated 10 for severity, the highest possible impact, and "low" for complexity, meaning that attackers can exploit it easily.
Software affected by the Bash flaw is currently in widespread use, so attackers can exploit this vulnerability to run arbitrary code remotely on many devices and web servers. Using this vulnerability, attackers could potentially take control of the affected device's operating system, gain access to confidential information and make changes to the operating system.
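As a defender-side check, here is an added example (not part of the original advisory) that tests whether the local bash still imports function definitions from environment variables and executes code appended after them, which is the Shellshock behaviour described above; it assumes only a POSIX sh and, optionally, a bash binary on PATH.

```shell
#!/bin/sh
# Added example: local Shellshock check. Bash imported function definitions
# from environment variables; vulnerable builds also executed any command
# appended after the function body, so any program that merely spawned bash
# with externally supplied variables was exposed.

# Print the first line of `bash --version`, or "no-bash" if bash is absent.
bash_version_line() {
    if command -v bash >/dev/null 2>&1; then
        bash --version 2>/dev/null | head -n 1
    else
        echo "no-bash"
    fi
}

# Export a variable whose value looks like a function definition with a
# harmless command appended, then start bash with an unrelated command.
# A vulnerable bash runs the appended echo while importing the variable;
# a patched bash treats the value as plain text and only runs `echo test`.
# Returns "vulnerable", "patched" or "no-bash" on stdout.
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Stand-alone run: report the version and the verdict.
echo "bash: $(bash_version_line)"
echo "shellshock: $(check_shellshock)"
```

A result of "vulnerable" means the host's bash should be updated from the distribution's patched packages; "patched" only covers the original function-import vector and is not a substitute for installing vendor updates.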

Tags

BlackBerry patches vulnerabilities in BlackBerry OS, enterprise server software

Number: IRCNE2014082291
Date: 2014-08-16

According to “Computerworld”, BlackBerry's focus on strong security as a key differentiator for its devices does not mean that they're completely free of flaws. The company released security updates Tuesday for both the OS running on its smartphones and for its enterprise server software.
BlackBerry OS version 10.2.1.1925 was released for the company's Z10, Z30, Q10 and Q5 phone models. It fixes an authentication bypass vulnerability that could allow attackers connected to the same wireless network as affected devices to read or modify data stored on them.
The flaw can only be exploited on devices that have the Wi-Fi file-sharing service running, a service that's not enabled by default.
"Using a password for file sharing is not a workaround for this vulnerability," BlackBerry said in a security advisory published Tuesday.
The company also released BlackBerry Enterprise Service version 10.2.2 and BlackBerry Enterprise Server version 5.0.4 MR7 to fix an information disclosure vulnerability that in certain cases could allow attackers to gain access to credentials stored in the server's diagnostic logs.
"During rare cases of an exception, certain credentials are logged in an encoded form or in plain text," BlackBerry said in an advisory.
A workaround for this vulnerability is to manually delete the logs or to redact the sensitive information stored in them.

68 percent of top free Android apps vulnerable to cyberattack, researchers claim

Number: IRCNE2014082298
Date: 2014-08-24

According to “zdnet”, the majority of Android's most popular apps are susceptible to SSL vulnerabilities, according to new research.
Google's Android operating system is an open-source, free framework that appeals to developers because of this unrestrictive nature. However, with such an open and free system there is always the potential for abuse, a lack of patching and security consistency, and a wealth of Android-based operating systems and apps, many of which contain different vulnerabilities that can be exploited.
After analyzing the 1,000 most-downloaded free Android applications in the Google Play store, the FireEye Mobile Security Team found that a significant portion of them are susceptible to Man-In-The-Middle (MITM) attacks. According to a blog post published Thursday, the researchers found that as of July 17, 2014, 674 out of 1,000 contained at least one of three SSL vulnerabilities studied.
In other words, 68 percent of the most popular apps could become a pathway for cybercriminals to lift sensitive data.
The security team says that many of these vulnerabilities were traced back to configurations within advertising libraries used by app developers.
While the HTTPS protocol is often used to make it harder to intercept data, the incorrect use of the Android platform’s SSL libraries can become the weak link which allows MITM attacks.
The FireEye team notified the developers of the vulnerable apps it discovered; the developers subsequently acknowledged the reports and promised to address the vulnerabilities in subsequent versions of their applications.

Network-attached storage devices more vulnerable than routers, researcher finds

Number: IRCNE2014082282
Date: 2014-08-09

According to “computerworld”, a security review of network-attached storage (NAS) devices from multiple manufacturers revealed that they typically have more vulnerabilities than home routers, a class of devices known for poor security and vulnerable code.
Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, is in the process of analyzing NAS devices from 10 manufacturers and has so far found vulnerabilities that could lead to a complete compromise in all of them.
"There wasn't one device that I literally couldn't take over," Holcomb said Wednesday during a talk at the Black Hat security conference in Las Vegas, where he presented some of his preliminary findings. "At least 50 percent of them can be exploited without authentication," he said.
The devices he evaluated are: Asustor's AS-602T, TRENDnet's TN-200 and TN-200T1, QNAP's TS-870, Seagate's BlackArmor 1BW5A3-570, Netgear's ReadyNAS104, D-LINK's DNS-345, Lenovo's IX4-300D, Buffalo's TeraStation 5600, Western Digital's MyCloud EX4 and ZyXEL's NSA325 v2.
Holcomb led a similar study last year that identified over 50 vulnerabilities in popular SOHO routers. He expects the number of vulnerabilities identified in NAS systems to far exceed those he found in routers by the time his new project is over.
The type of issues he found in the NAS systems include command injection, cross-site request forgery, buffer overflows, authentication bypasses and failures, information disclosure, backdoor accounts, poor session management and directory traversal. By combining some of these vulnerabilities, attackers can gain a "root shell" on the devices, allowing them to execute commands with the highest possible privilege.
All the vulnerabilities found so far were reported to the vendors, but the release of patches for them can take months, Holcomb said.
There are obvious differences in what can be done by compromising NAS devices and compromising routers. By controlling a router an attacker could capture and modify Internet traffic for a network, while hacking into a NAS system could provide access to potentially sensitive information stored on it.
By compromising a NAS device an attacker could also hijack traffic from other devices on the same network by using techniques like ARP spoofing, Holcomb said.
A big concern is that many NAS vendors use the same code base for their high-end and low-end devices, the researcher said. That means the same vulnerabilities in a low-cost NAS device designed for home use could exist in a much more expensive NAS system designed for enterprise environments. Paying more money for a device does not mean it has better security, Holcomb warned.

Stealthy ransomware 'Critroni' uses Tor, could replace Cryptolocker

ID: IRCNE2014072262
Date: 2014-07-22

According to “ComputerWorld”, cybercriminals are spreading a new file-encrypting ransomware program that's more powerful and resilient than Cryptolocker, a threat recently shut down by the U.S. Department of Justice.
The new ransomware threat is called CTB-Locker (Curve-Tor-Bitcoin Locker), but Microsoft anti-malware products detect it as Critroni. Its creator has been advertising the program to other cybercriminals on Russian-language forums since the middle of June and it seems that he's been trying to fix most of Cryptolocker's faults.
Critroni uses a file encryption algorithm based on elliptic curve cryptography, which its creator claims is significantly faster than encryption schemes used by other ransomware threats. This also makes decrypting the affected files impossible without paying the ransom, if there are no implementation flaws.
Like Cryptolocker, Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.
The private key, which is used to decrypt the files, is stored on a remote command-and-control server that, in the case of Critroni, can only be accessed over the Tor anonymity network. This is a precaution that the creator has taken in order to make it difficult for law enforcement agencies or security researchers to identify and shut down the server.
In early June, the DOJ along with law enforcement agencies from several other countries took control of the Gameover Zeus botnet which was distributing the Cryptolocker ransomware. During the operation the authorities also seized the Cryptolocker command-and-control servers.
To prevent a similar takedown Critroni was designed to complete the file encryption operation locally before connecting to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic.
Blocking Tor traffic only prevents the user from paying, not the program from functioning, the Critroni author said in his advertisement.
The new ransomware program initially targeted Russian-speaking users, but variants seen lately also display the ransom message in English, suggesting that the threat is now distributed more widely, said an independent malware researcher known online as Kafeine in a blog post Friday. "It seems to be a strong, well-thought-out piece of malware."

European Central Bank hacked, personal data stolen

ID: IRCNE2014072264
Date: 2014-07-26

According to “CNet”, the European Central Bank (ECB) admitted Thursday that a security breach has led to the theft of personal data.
The central bank for the euro announced that a database linked to its public website has been compromised, resulting in the theft of personal data related to people registering for events at the ECB via the organization's website.
A cybercriminal was able to penetrate a database storing details of people who had registered for conferences, visits and other events, but the database is physically separate from internal ECB systems. According to the ECB, "no internal systems or market sensitive data were compromised," however email addresses, physical addresses, and phone numbers were stolen.
The ECB said most of the data was encrypted, but the contact information of registrants was not. Approximately 20,000 email addresses and a smaller number of phone numbers and physical addresses were lifted. Also stolen, in encrypted form, was "data on downloads from the ECB website."
The theft came to light after an anonymous email was sent to the ECB demanding money in exchange for the data.
The organization is now contacting people whose email addresses or other data might have been compromised, all passwords have been changed on the system as a precautionary measure, and ECB security staff have addressed the vulnerability responsible.
"The ECB takes data security extremely seriously," the organization said. "German police have been informed of the theft and an investigation has started."

Thousands of sites compromised by WordPress plug-in flaw

ID: IRCNE2014072265
Date: 2014-07-26

According to “ComputerWorld”, a critical vulnerability found recently in a popular newsletter plug-in for WordPress is actively being targeted by hackers and has been used to compromise an estimated 50,000 sites so far.
The security flaw is located in MailPoet Newsletters, previously known as wysija-newsletters, and was fixed in version 2.6.7 of the plug-in released on July 1. If left unpatched, it allows attackers to upload arbitrary PHP files on the Web server and take control of the site.
MailPoet Newsletters has been downloaded almost 2 million times from the official WordPress plug-in repository to date.
Several days ago researchers from Web security firm Sucuri spotted an automated attack that injected a PHP backdoor file into many WordPress sites. A deeper analysis revealed that the attack exploited the MailPoet file upload vulnerability patched at the beginning of the month.
"The backdoor is very nasty and creates an admin user called 1001001," the Sucuri security researchers said Wednesday in a blog post. "It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files, making it very hard to recover without a good backup in place."
The Sucuri free website scanner, which people use voluntarily, detects a few thousand sites compromised by this attack every day, according to Daniel Cid, chief technology officer at Sucuri. However, Sucuri estimates that up to 50,000 sites were infected so far, he said Thursday via email.
Some sites that didn't have MailPoet installed or were not even using WordPress were also compromised, because of what Cid calls cross-contamination. If one Web hosting account has a WordPress site vulnerable to this attack, the PHP backdoor uploaded through it can infect all sites hosted under that same account.
"On most shared hosting companies -- GoDaddy, Bluehost, etc. -- one account can not access files from another account, so the cross-contamination would be restricted to sites within the same account," Cid said. However, in other cases, "if the server is not properly configured, which is not uncommon, then [the infection] can spread to all sites and accounts on the same server."
The injection script used in the initial attack had a bug that damaged legitimate site files, resulting in obvious errors. That's no longer the case, as attackers fixed their code and the latest variation of the malware no longer breaks websites, Cid said.
In order to protect their WordPress websites from this attack, administrators should update the MailPoet plug-in to the latest version, which at this time is 2.6.9. Version 2.6.8 of the plug-in, released on July 4, addressed an additional security issue.

Microsoft patches Windows, Lync Server

Number: IRCNE2014092311
Date: 2014/09/10

According to “zdnet”, Microsoft has released four security bulletins and updates to address them. A total of 42 vulnerabilities are addressed in these updates.

  • MS14-052: Cumulative Security Update for Internet Explorer (2977629) — This update fixes 37 vulnerabilities, one of them publicly-disclosed back in February. The other 36 are all memory corruption vulnerabilities. The worst of them could allow an attacker to run code on the user's system in the context of the user. All versions of Windows other than the Server Core versions are affected by these bugs.
  • MS14-053: Vulnerability in .NET Framework Could Allow Denial of Service (2990931) — This is a single vulnerability which affects all current versions of the Microsoft .NET Framework except version 3.5 Service Pack 1. All versions of Windows, including the Server Core versions except for the non-R2 versions of Windows Server 2008 are affected by this vulnerability.
  • MS14-054: Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948) — An attacker who logged on to the system and ran a malicious program could elevate privilege to that of the local system account. This single vulnerability affects only the current generations of Windows: Windows RT, Windows 8.x and Windows Server 2012 and Windows Server 2012 R2, including Server Core.
  • MS14-055: Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928) — An attacker who sends a specially-crafted request to Microsoft Lync Server 2010 or 2013 could cause a denial of service in the server.

At the same time, Microsoft has released 11 non-security updates and a new version of the Windows Malicious Software Removal Tool.

Zero-day flaws found in Symantec's Endpoint Protection

ID: IRCNE2014072269
Date: 2014-07-31

According to "ComputerWorld", Symantec's Endpoint Protection product has three zero-day flaws that could allow a logged-in user to move to a higher access level on a computer, according to a penetration testing and training company.
The three flaws, all known as privilege escalation vulnerabilities, were found during a security test of a financial services company, said Mati Aharoni, lead trainer and developer for Offensive Security, in a phone interview late Tuesday.
Offensive Security, famous for its Kali Linux penetration testing software, released a short video on Tuesday demonstrating a successful exploit. It plans to preview proof-of-concept code during its "Advanced Windows Exploitation" training class at the Black Hat security conference in Las Vegas next month.
The flaws have been reported to computer emergency response teams. Symantec said it is aware of the reported flaws and is investigating.
The flaws allow greater access to a computer where a person is already logged in. From there, that access can eventually be parlayed into system access, which opens up the potential for other attacks, such as dumping hashes or identifying the cache credentials of domain administrators, Aharoni said.
Offensive Security didn't specifically target Endpoint Security during its penetration test, but realized that if it did have a flaw, it would result in a catastrophic compromise, Aharoni said. Endpoint Protection was running on "hundreds if not thousands of computers" in the financial services company, Aharoni said.

Microsoft pulls updates, recommends uninstall

ID: IRCNE2014082292
Date: 2014-08-18

According to “ZDNet”, since Patch Tuesday this past week, Microsoft has been receiving reports of severe system errors caused by one or more of the updates. In response, the company has pulled several updates from download channels and offered advice on how to remove them. In one case, it recommends that users uninstall the update.
The most severe case appears to be MS14-045 (Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege). The security advisory recommends that users uninstall that update.
Microsoft reports problems with three other updates and has pulled them from download and provided uninstallation instructions, but has not specifically recommended that users uninstall them. Two of these are non-security updates released on Tuesday. The third is a re-release ("Revision: 7.0") on Thursday, August 14, of an older update rollup for Windows RT 8.1, Windows 8.1 and Windows Server 2012 R2; only metadata was supposed to change in the new version, and users who had previously installed it did not need to reinstall.
