Adobe releases updates

ID: IRCNE2014032128
Date: 1392/12/21 (2014-03-12)

Adobe has released updates to fix two vulnerabilities in Flash Player on Windows, Macintosh and Linux. The company rates these vulnerabilities as "important".
If attackers exploit these vulnerabilities they can compromise data security, potentially gaining access to confidential data, or compromise processing resources on the user's computer.
Adobe has assigned these vulnerabilities priority 2 on Windows and Macintosh and priority 3 on Linux. This means that no exploit code for them has been found so far; Windows and Macintosh users should apply the fixes soon, while Linux administrators may apply them at their discretion.

Distributed denial-of-service attack launched from 162,000 WordPress sites

ID: IRCNE2014032127
Date: 1392/12/21 (2014-03-12)

Security researchers said on Monday that, using an old trick, hackers were able to use more than 162,000 legitimate WordPress websites to launch distributed denial-of-service attacks against other websites.
Security firm Sucuri said the hackers used a well-known flaw in WordPress in this attack. It is not clear which site was the victim of the cyberattack, but Sucuri said the victim was probably a popular WordPress site that went down for several hours.
Sucuri's chief technology officer wrote in a post that the incident was an HTTP-based distributed attack sending hundreds of requests per second to the server. The notable point is that a single attacker was able to launch a distributed denial-of-service attack using thousands of popular WordPress websites.

Joomla receives patches for zero-day SQL injection vulnerability, other flaws

ID: IRCNE2014032130
Date: 2014-03-12

According to "computerworld", recently released security updates for the popular Joomla content management system (CMS) address a SQL injection vulnerability that poses a high risk and can be exploited to extract information from the databases of Joomla-based sites.
The Joomla Project released versions 3.2.3 and 2.5.19 of the open-source CMS on Thursday. Both updates address two cross-site scripting (XSS) vulnerabilities in core components, but version 3.2.3 also patches a SQL injection flaw, publicly disclosed in early February, and an unauthorized log-in flaw in the Gmail-based authentication plug-in.
The Joomla advisory for the SQL injection vulnerability is lacking technical details. It only notes that the flaw, whose severity is rated as high, stems from "inadequate escaping" and affects Joomla CMS versions 3.1.0 through 3.2.2.
Successful exploitation of this vulnerability requires the affected site to use the Similar Tags module, researchers from vulnerability intelligence firm Secunia said in a security advisory. According to the official Joomla documentation, Similar Tags is one of the modules shipped by default with the CMS.
SQL injection is one of the most common types of flaws exploited by attackers to compromise websites. Depending on their specific technical details, these vulnerabilities allow attackers to inject rogue code into sites or steal sensitive data from their databases.
The SQL injection vulnerability recently patched by Joomla does not appear to allow code injection, just the manipulation of SELECT calls to extract information from the database, including user names and password hashes, Daniel Cid, chief technology officer of security firm Sucuri, said.
The bug in the Gmail-based authentication plugin is also scary, according to Cid. That plug-in allows users to authenticate on Joomla sites using their Gmail addresses and passwords instead of creating separate accounts.
It's not clear how many Joomla-based websites are on the Internet, but according to statistics from W3Techs, a service that gathers data about the use of various Web technologies, Joomla is the second most popular CMS after WordPress. The W3Techs data also shows that only around 8 percent of Joomla sites use 3.x versions of the software, while over 50 percent still use 1.x versions that are no longer supported.
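The advisory describes the flaw only as "inadequate escaping" that lets an attacker manipulate SELECT calls. The following is an added example, not Joomla code: the module query, table layout and hash strings are constructed for illustration, and SQLite stands in for the site database. It shows how an unescaped integer parameter in a tag-lookup query turns into a UNION that returns user names and password hashes, and how coercing and binding the value closes the hole.

```python
import sqlite3

# Constructed data for the demonstration: two tags and two accounts with
# placeholder hash strings. None of this comes from a real Joomla install.
SCHEMA = """
CREATE TABLE tags  (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO tags  VALUES (1, 'security'), (2, 'joomla'), (3, 'php');
INSERT INTO users VALUES (1, 'admin',  'constructed-hash-admin'),
                         (2, 'editor', 'constructed-hash-editor');
"""

# A tag id the attacker controls: the leading "1" keeps the original WHERE
# clause valid, and the UNION appends rows from an unrelated table.
PAYLOAD = "1 UNION ALL SELECT username, password FROM users"


def build_db():
    """In-memory SQLite database holding the constructed tables above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def similar_tags_vulnerable(conn, tag_id):
    """Hypothetical tag lookup that pastes the caller's value into the SQL text.

    tag_id is neither escaped nor type-checked, so anything after the number
    becomes part of the statement and the SELECT can be rewritten at will.
    """
    sql = "SELECT id, title FROM tags WHERE id = " + str(tag_id)
    return conn.execute(sql).fetchall()


def similar_tags_fixed(conn, tag_id):
    """Same lookup with the value coerced to int and bound as a parameter.

    int() rejects anything that is not a plain integer, and the ? placeholder
    hands the value to the driver as data rather than as SQL text.
    """
    return conn.execute(
        "SELECT id, title FROM tags WHERE id = ?", (int(tag_id),)
    ).fetchall()


def leaked_credentials(conn):
    """Rows the injected query returns beyond the legitimate tag row."""
    legitimate = similar_tags_vulnerable(conn, 1)
    return [r for r in similar_tags_vulnerable(conn, PAYLOAD) if r not in legitimate]


if __name__ == "__main__":
    db = build_db()
    print("legitimate :", similar_tags_vulnerable(db, 1))
    print("injected   :", similar_tags_vulnerable(db, PAYLOAD))
    print("fixed      :", similar_tags_fixed(db, "1"))
    try:
        similar_tags_fixed(db, PAYLOAD)
    except ValueError as exc:
        print("fixed query rejects payload:", exc)
```

The injected statement never writes anything, which matches the page's point that the Joomla flaw allowed data extraction rather than code injection; the damage is entirely in what the rewritten SELECT is allowed to read.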


Microsoft patches 23 Windows, IE and Silverlight vulnerabilities

ID: IRCNE2014032129
Date: 2014-03-12

According to "zdnet", Microsoft released five updates fixing 23 vulnerabilities in Windows, Internet Explorer and Silverlight. Among the vulnerabilities fixed is a zero-day bug in Internet Explorer 9 and 10 that is being exploited in the wild.
A Cumulative Update for Internet Explorer accounts for 18 of the 23 vulnerabilities. One of these is the zero-day vulnerability that Microsoft acknowledged recently.
Today is the next-to-last Patch Tuesday for Windows XP and Office 2003. The updates include fixes for four vulnerabilities in Windows XP, but none in Office. XP users will also have updates for Internet Explorer.
The five specific updates are:

  • MS14-012: Cumulative Security Update for Internet Explorer (2925418)
  • MS14-013: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2929961)
  • MS14-014: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2930275)
  • MS14-015: Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418)
  • MS14-016: Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)

Microsoft has also released a large number of non-security updates for all versions of Windows.

Adobe issues non-critical Flash update

ID: IRCNE2014032128
Date: 2014-03-12

According to "zdnet", Adobe has released updates to Flash Player to address two vulnerabilities in the product on Windows, Mac and Linux.
Adobe ranks the severity of these vulnerabilities as "important," rather than "critical." They define important as "[a] vulnerability, which, if exploited would compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer."
Adobe has assigned them priority 2 on Windows and Mac, and priority 3 on Linux. This means that there are no known exploits and that Mac and Windows users should install it "soon (for example, within 30 days)." Linux admins may apply the update at their discretion.


DDoS attack is launched from 162,000 WordPress sites

ID: IRCNE2014032127
Date: 2014-03-12

According to "cnet", with some old-fashioned trickery, hackers were able to get more than 162,000 legitimate WordPress-powered Web sites to mount a distributed-denial-of-service attack against another Web site, security researchers said Monday.
Security firm Sucuri said hackers leveraged a well-known flaw in WordPress. It's unclear which site was the victim of the cyberattack but Sucuri said it was a "popular WordPress site" that went down for many hours.
"It was a large HTTP-based (layer 7) distributed flood attack, sending hundreds of requests per second to their server," Sucuri chief technology officer Daniel Cid said in a blog post.
"Can you see how powerful it can be?" he wrote. "One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows."
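Sucuri characterises the event as a layer-7 flood: hundreds of HTTP requests per second, spread across thousands of otherwise clean sites. The following is an added example, not Sucuri's code: the access-log lines are constructed in Apache combined format using TEST-NET addresses, and the thresholds are assumptions. It parses the lines and flags any one-second window that is both high-rate and spread over many distinct source addresses, which is what separates this kind of attack from a single noisy client.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return (source address, timestamp truncated to the second, request line), or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(microsecond=0)
    return m["src"], ts, m["req"]


def flood_windows(lines, min_rps=100, min_sources=50):
    """One-second windows whose request count and distinct-source count both
    reach the (assumed) thresholds, as (second, requests, distinct sources)."""
    requests = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not counted
        src, second, _ = rec
        requests[second] += 1
        sources[second].add(src)
    return [
        (second, requests[second], len(sources[second]))
        for second in sorted(requests)
        if requests[second] >= min_rps and len(sources[second]) >= min_sources
    ]


def build_sample_log():
    """Constructed log lines (TEST-NET addresses), not a real capture."""
    lines = []
    # 120 requests in one second from a single client: heavy, but one source.
    for i in range(120):
        lines.append(
            f'192.0.2.10 - - [09/Mar/2014:11:05:26 -0400] "GET /?p={i} HTTP/1.1" '
            '200 5120 "-" "Mozilla/5.0 (constructed)"'
        )
    # 150 requests in the next second from 150 distinct addresses: the
    # distributed pattern the passage describes.
    for i in range(150):
        lines.append(
            f'198.51.100.{i + 1} - - [09/Mar/2014:11:05:27 -0400] '
            f'"GET /?{i}={i * 7} HTTP/1.0" 200 5120 "-" "Mozilla/5.0 (constructed)"'
        )
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for second, n, distinct in flood_windows(build_sample_log()):
        print(f"{second.isoformat()}: {n} requests from {distinct} sources")
```

With the default thresholds only the second window is reported; lowering `min_sources` to 1 also flags the single-client burst, which is the distinction a rate limit keyed on one address would miss in the distributed case.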


41 vulnerabilities fixed in Apple iOS 7.1

ID: IRCNE2014032126
Date: 1392/12/20 (2014-03-11)

iOS 7.1 was released yesterday. This version of Apple's operating system fixes 41 vulnerabilities.
The WebKit browser engine used by the Safari browser had 19 vulnerabilities, nine of which were reported to Apple by the Google Chrome security team. All 19 could be exploited by a remote attacker to take control of the user's device. Chaining them with a privilege-escalation vulnerability would give the attacker administrative control of the system.
One particularly interesting vulnerability is in dyld (OS X's dynamic linker/loader): text relocation instructions in dynamic libraries could be loaded by dyld without code-signature validation. A code-signing bypass is normally considered a very significant problem. More interesting still, Apple credits "evad3rs" for this vulnerability.
It is quite normal for Apple to fix vulnerabilities that were disclosed long ago. Several of the WebKit vulnerabilities were reported a few months ago, but CVE-2012-2088 was reported in June 2012; Apple fixed it in OS X in March 2013.


Twitter fixes a rare bug

ID: IRCNE2014032125
Date: 1392/12/20 (2014-03-11)

A rare bug in Twitter has been fixed. The bug allowed unapproved followers to access the hidden tweets of tens of thousands of Twitter users.
The microblogging company wrote in a post on Sunday that 93,788 protected accounts had been viewable via text messages. The white-hat community helped discover and diagnose the bug.
Twitter said it has removed all of the unapproved follows and has also taken additional measures to prevent similar bugs in the future.
Twitter also said that it has notified those affected by the bug by e-mail and apologised to them.
Last week Twitter ran into another error that resulted in a number of password-reset messages being sent to many users.


Apple iOS 7.1 patches 41 vulnerabilities

ID: IRCNE2014032126
Date: 2014-03-11

According to "zdnet", iOS 7.1, released today, fixes 41 vulnerabilities in Apple's mobile operating system.
The WebKit browser engine used by the Safari browser accounts for 19 of the vulnerabilities, and nine of these were reported to Apple by the Google Chrome Security Team. Any of the 19 could be used by a remote attacker to gain user-level control of the device; combined with a privilege escalation exploit, the attacker could take administrative control.
An especially interesting vulnerability is in dyld, OS X's dynamic linker/loader. The impact is "Text relocation instructions in dynamic libraries may be loaded by dyld without code signature validation. This issue was addressed by ignoring text relocation instructions."
Even more interesting, Apple credits "evad3rs" for this vulnerability.
It's not uncommon for Apple to patch vulnerabilities which were disclosed long ago. Several of the WebKit vulnerabilities date to last fall, but one (CVE-2012-2088) was reported in June 2012. Apple patched it in OS X in March of 2013.


Twitter fixes 'rare' bug that made protected accounts readable, affecting 93,000 users

ID: IRCNE2014032125
Date: 2014-03-11

According to "zdnet", Twitter has squashed a "rare" bug that allowed non-approved followers to access the hidden tweets of tens of thousands of its users.
The microblogging firm said in a blog post on Sunday that 93,788 protected accounts, whose tweets are ordinarily visible only to followers the user has approved, were viewable via text messages. The white hat community helped "discover and diagnose" the bug, the blog post read.
Twitter said it had also "removed all of these unapproved follows" and taken additional steps to prevent similar bugs occurring in the future.
It said those hit by the bug were emailed to inform them of the bug, and to apologize.
Last week, Twitter suffered another error that resulted in spurious password-reset messages being sent out to many users, sister-site CNET reported.
