VMWare releases first Heartbleed patch

Number: IRCNE2014042165
Date: 2014-04-16

According to “zdnet”, VMWare has issued a security advisory (VMSA-2014-0004) listing which of their products are affected by the Heartbleed vulnerability. The advisory also announced one patch that has been released.
A long list of products is affected: vCenter Server, ESXi, VMware Fusion, NSX-MH, NSX-V, NVP, Horizon Mirage Edge Gateway, Horizon View Feature Pack, Horizon View Client, Horizon Workspace Server, Horizon Workspace Client, Horizon Workspace for Macintosh, Horizon Workspace for Windows, OVF Tool, vCloud Networking and Security and vCloud Automation Center (vCAC). Of these, a patch has been released only for Horizon Workspace Server.
Users of Horizon Workspace Server 1.0 are advised to upgrade to version 1.5 and to apply the patch horizon-nginx-rpm-1.5.0.0-1736237.x86_64. Version 1.5 users should apply the same patch. Users of version 1.8 should apply horizon-nginx-rpm-1.8.1.1810-1736201.x86_64.

Adobe issues silent security update in Reader for Android

Number: IRCNE2014042164
Date: 2014-04-16

According to “zdnet”, a new version of Adobe Reader for Android released on April 10 fixed a critical security vulnerability.
The "What's New" section of the Adobe Reader page on Google Play for version 11.2.0 lists several new features but no security updates.
On April 13, Dutch information security firm Securify posted an advisory on the Full-Disclosure mailing list for a vulnerability in Adobe Reader for Android version 11.1.3 which was fixed in version 11.2.0. They also have the advisory on their own site.
The vulnerable version of Reader exposes several insecure JavaScript interfaces. Using the vulnerability, a malicious PDF could execute arbitrary Java code. The code would run in the app sandbox for Reader, so documents available to Reader could be compromised and the attack code could create new files, but no damage would be possible outside the sandbox. On April 14 Adobe issued an advisory (APSB14-12) for the vulnerability.

Google patches Android icon permissions attack

Number: IRCNE2014042163
Date: 2014-04-16

According to “techworld”, Google has issued a patch for an attack that could lead an Android user to a phishing site, according to security vendor FireEye.
FireEye recently spotted a malicious Android application that could modify the icons of other applications so that when they're launched, they send victims to a phishing website.
The malware abuses a pair of permissions known as "com.android.launcher.permission.READ_SETTINGS" and "com.android.launcher.permission.WRITE_SETTINGS".

The permissions allow an application to modify configuration settings of Android's Launcher, including that of icons, wrote researchers Hui Xue, Yulong Zhang and Tao Wei on a company blog.
The two permissions have long been classified as "normal," a designation given to application permissions thought to have no malicious potential. Android users aren't warned about granting those permissions when they install an application, they wrote.
But "using these normal permissions, a malicious app can replace legit Android home screen icons with fake ones that point to phishing apps or websites," they wrote.
FireEye developed a proof-of-concept attack using Google's Nexus 7 tablet running Android version 4.2.2 to show icons could be modified to send people to another website.
Google's Play store, which does check applications for security issues, didn't prevent FireEye's application from appearing in the store, they wrote.
The danger is that attackers could modify the icon of a banking application and fool users into divulging sensitive information on a fake website they've created.
Other Android devices that don't use the "Launcher" functionality in the Android Open Source Project are also vulnerable.
Google has released a patch to its OEM partners, FireEye wrote. But many Android vendors are slow to adopt security upgrades, they wrote.
"We urge these vendors to patch vulnerabilities more quickly to protect their users," FireEye wrote.

Applying updates to fix the Heartbleed vulnerability

Number: IRCNE2014042162
Date: 26/01/93

Makers of network and computer products are rapidly fixing the Heartbleed flaw in their products. This flaw allows attackers to steal critical data such as passwords and encryption keys from affected systems.
Hewlett-Packard, Dell and IBM have set up pages identifying their vulnerable hardware and software products.
The flaw, which was discovered and disclosed last week, has already been fixed in a new version of OpenSSL, but hardware companies are now patching products that use older versions of OpenSSL. Software and firmware patches have been released for HP's BladeSystems servers and IBM's AIX, as well as updates for Dell's networking equipment and appliances. The security advisories recommend that customers of the various servers check their middleware, operating systems and hypervisors for the vulnerability.
On Monday an HP spokesman said that some HP servers use OpenSSL for encryption and secure communication, and that the company has carried out a comprehensive review of its products to find the vulnerability. The security updates are currently available free of charge to all customers.
On Sunday the company released patches for some versions of its server management tools that use OpenSSL, including BladeSystem c-Class Onboard Administrator, Smart Update Manager and System Management Homepage running on Linux and Windows.
Dell's PowerEdge servers and OpenManage system management products are probably not affected by this vulnerability. But in a comprehensive Heartbleed advisory, Dell stated that some of its system management products, security appliances and networking equipment are affected by the flaw.
The company is working on patches for the Kace K3000 mobile-device management appliance, some Foglight network appliances and networking equipment running FTOS. Firmware patches for the SonicWall security appliances have already been released. Patches for other Dell products will be posted in the security advisory section of the company's website.
IBM has found that its AIX servers, which use the TLS protocol to implement communications, are affected by the Heartbleed vulnerability. The company has released a patch for AIX 6.1 OS servers with the TL9 protocol and AIX 7.1 with the TL3 protocol. It also recommends that customers upgrade OpenSSL to the latest version for GPFS versions 3.4 and v3.5 for AIX and Linux for Power and 32-bit servers.
The WebSphere MQ, Sametime Community Server version 9 HF1 and Cloudant software are affected by the Heartbleed problem.

The first victims of the Heartbleed flaw

Number: IRCNE2014042161
Date: 26/01/93

User data of Canada's tax authority website and of a popular British website were lost after attackers exploited the Heartbleed vulnerability.
The administrators of these websites believe they are the first victims of the Heartbleed flaw. The flaw was publicly disclosed last Tuesday.
The Canada Revenue Agency (CRA) blocked access to its online services on Tuesday in reaction to the news of the OpenSSL flaw's disclosure. But this reaction was not fast enough to stop attackers from stealing information. According to the latest reports, an attacker exploiting the Heartbleed vulnerability was able to remove the information of about 900 users from the CRA system.
Mumsnet, a popular British website with about a million registered users, announced last weekend that in response to the discovery of a flaw in OpenSSL it had forced all users to change their passwords.
The website's administrators apologized for the leak caused by this flaw and announced that all possible measures to protect the security of the site's members would be applied as soon as possible.

Disclosure of server encryption keys using the Heartbleed flaw

Number: IRCNE2014042160
Date: 26/01/93

Four researchers working separately on the Heartbleed flaw have shown that a server's private encryption key can be disclosed using the Heartbleed bug.
The challenge began when CloudFlare asked security researchers to answer whether the disclosed Heartbleed flaw could be used to gain access to the private key used in an encrypted channel between users and websites.
The private key is part of the security certificate that verifies the client computer is not connecting to a fake website trying to present itself as legitimate. After the check, the client computer shows a warning if the website's certificate is invalid.
Security researchers believe it is possible to disclose the private key using the Heartbleed flaw.
Nick Sullivan of the security company CloudFlare wrote on the company's website: this result reminds us not to underestimate the power of this flaw and emphasizes the destructive impact of this vulnerability.
By obtaining the private key of an SSL/TLS certificate, an attacker can set up a fake website so that it passes security checks. They can also decrypt traffic between a client and a server.
Researchers are still trying to find the conditions under which specific data can be revealed. OpenSSL is an open source program used in a wide range of operating systems, mobile applications, routers and other networking equipment.

The exploit code that each of the researchers designed to obtain the private key has still not been disclosed.

BlackBerry updates to fix the Heartbleed flaw are on the way

Number: IRCNE2014042159
Date: 26/01/93

BlackBerry plans to release a set of updates to fix the Heartbleed flaw. Heartbleed is a security flaw discovered this month by security researchers. The flaw was found in the OpenSSL software, which is used to keep data secure in various services. By exploiting this flaw, hackers can connect to a server and steal a large volume of information without leaving any trace.
A number of companies, including Google, Facebook, YouTube and Yahoo, have fixed the problem. According to Scott Totzke, BlackBerry's vice president, the company must update two popular products: the Secure Work Space email product and its messaging application.
Totzke said: most BlackBerry services do not use OpenSSL and are therefore unaffected by the Heartbleed flaw, but if cybercriminals gain access to the Secure Work Space and BBM services via Wi-Fi or carrier networks, these applications are vulnerable. Totzke added that there is no obstacle to using these applications until the patches are released.

Server makers rush their Heartbleed patches

Number: IRCNE2014042162
Date: 2014-04-15

According to “computerworld”, enterprise IT vendors are rushing to protect users from the Heartbleed bug, which has been found in some servers and networking gear and could allow attackers to steal critical data, including passwords and encryption keys, from the memory of exposed systems.
Hewlett-Packard, Dell and IBM have set up pages that identify hardware and software products affected by Heartbleed, which exposes a critical defect in certain versions of OpenSSL, a software library for secure communication over the Internet and networks.
The bug, which was detailed last week, has already been patched in a new version of OpenSSL, but hardware companies are now racing to patch products relying on older versions. Firmware and software patches have been issued for HP's BladeSystems and IBM's AIX servers and also Dell's appliances and networking equipment. In advisories, the server makers have advised customers to investigate hypervisors, OSes and middleware for possible vulnerabilities.
Some HP servers use OpenSSL for encryption and secure communication, and the company is conducting an "aggressive and comprehensive review of all actively supported products" for exposure to the Heartbleed bug, an HP support page said. The security updates are available for free to all customers, an HP spokesman said in an email on Monday.
HP on Sunday issued patches for some versions of server management tools BladeSystem c-Class Onboard Administrator, Smart Update Manager and the System Management Homepage running OpenSSL on Linux and Windows.
Dell's PowerEdge servers and OpenManage system management products are not likely affected by Heartbleed. But in a comprehensive Heartbleed advisory, Dell identified system management, security appliances and networking equipment affected by the bug.
Dell is working on patches for the Kace K3000 mobile-device management appliance, some Foglight network appliances and networking equipment running on Dell's Networking Operating System (FTOS). The company has already issued firmware patches for affected SonicWall security appliances, and the advisory page on Dell's website will be updated when fixes for more products are released.
IBM has found the Heartbleed bug affecting AIX servers, which use OpenSSL to implement communication across clusters via the TLS (Transport Layer Security) protocol. OpenSSL also enables SSL (Secure Sockets Layer) for secure communication over the Internet.
IBM has issued an OpenSSL patch for servers that shipped with AIX 6.1 OS with the TL9 protocol and AIX 7.1 with the TL3 protocol. IBM is also recommending upgrading to the new OpenSSL version on GPFS (General Parallel File System) versions 3.4 and V3.5 for AIX and Linux for Power and x86 servers. Software including WebSphere MQ, Sametime Community Server version 9 HF1 and Cloudant is affected by the Heartbleed bug.

First sites admit data loss through Heartbleed attacks

Number: IRCNE2014042161
Date: 2014-04-15

According to “computerworld”, Canada's tax authority and a popular British parenting website both lost user data after attackers exploited the Heartbleed SSL vulnerability, they said Monday.
The admissions are thought to be the first from websites that confirm data loss as a result of Heartbleed, which was first publicized last Tuesday. The flaw existed in OpenSSL, a cryptographic library used by thousands of websites to enable encryption, and was quickly labeled one of the most serious security vulnerabilities in years.
The Canada Revenue Agency (CRA) blocked public access to its online services last Tuesday in reaction to the announcement, but that wasn't fast enough to stop attackers from stealing information, it said on its website.
"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability."
Mumsnet, a British parenting website with more than a million registered users, said over the weekend that it was forcing all users to change their passwords as a result of a Heartbleed attack.
"We are very sorry for all the fuss," the site said. "We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the Heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known."

Heartbleed bug can expose private server encryption keys

Number: IRCNE2014042160
Date: 2014-04-15

According to “computerworld”, four researchers working separately have demonstrated a server's private encryption key can be obtained using the Heartbleed bug.
The findings come shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators.
CloudFlare asked the security community whether the flaw in the OpenSSL cryptographic library, made public last week, could be used to obtain the private key used to create an encrypted channel between users and websites, known as SSL/TLS (Secure Sockets Layer/Transport Layer Security).
The private key is part of a security certificate that verifies a client computer isn't connecting with a fake website purporting to be a legitimate one. Browsers indicate a secure connection with a padlock and show a warning if the certificate is invalid.
Security experts thought it might be possible that the private key could be divulged by exploiting the Heartbleed flaw, which may have affected two-thirds of the Internet and set off a mad scramble to apply a patch that fixes it.
"This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability," wrote Nick Sullivan of CloudFlare on the company's blog.
By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes the security verification. They could also decrypt traffic passing between a client and a server, known as a man-in-the-middle attack.
Researchers are still trying to work out the conditions under which specific data is revealed. OpenSSL, an open source program, is used in a wide variety of operating systems, mobile applications, routers and other networking equipment.
How each of the researchers obtained the private key has not been revealed.
