Adobe patches critical flaw in Shockwave Player

According to “ZDNet”, Adobe Shockwave Player 12.0.7.148 and earlier versions for Windows and Macintosh are vulnerable to attack through memory corruption vulnerabilities.
The vulnerabilities have an Adobe Priority Rating of 1, which Adobe explains as:
This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours).
The updated version of Shockwave Player is 12.0.9.149. Users may obtain it from http://get.adobe.com/shockwave/.
The vulnerabilities were found by Liangliang Song of Fortinet's FortiGuard Labs.

Microsoft issues multiple critical Windows patches

ID: IRCNE2014022099
Date: 2014-02-12

According to “ZDNet”, Microsoft has released their monthly Patch Tuesday updates. There are seven updates: six for Windows, one for Microsoft Forefront Protection 2010 for Exchange Server. Three of the Windows updates are rated Critical, the other three Important.
A total of 32 vulnerabilities are addressed in these updates, 24 of them in the Cumulative Update for Internet Explorer. Four of the vulnerabilities have already been publicly disclosed, according to Microsoft, and for two of those Microsoft is aware of targeted attacks in the wild which attempt to exploit them. Microsoft credits 13 different researchers for reporting vulnerabilities to them.

  • MS14-005: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036) — This fixes one non-critical, publicly disclosed vulnerability which could disclose files or other content on the system when the user views content in Internet Explorer which is designed to invoke the XML Core Services. Oddly, Microsoft says both that successful exploit code is unlikely and that they are aware of attacks in the wild which attempt to exploit it.
  • MS14-006: Vulnerability in IPv6 Could Allow Denial of Service (2904659) — One non-critical vulnerability affecting Windows 8, Windows RT and Windows Server 2012.
  • MS14-007: Vulnerability in Direct2D Could Allow Remote Code Execution (2912390) — This is a single Microsoft Graphics Component Memory Corruption Vulnerability, rated critical, which could allow remote code execution when the user views specially-crafted content in Internet Explorer on Windows 7, Windows 8, Windows RT, Windows 8.1, Windows RT 8.1, Windows Server 2012 or Windows Server 2012 RT.
  • MS14-008: Vulnerability in Microsoft Forefront Protection for Exchange Could Allow Remote Code Execution (2927022) — An attacker could run code in the context of the configured service account.
  • MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) — Three .NET vulnerabilities, two of them publicly disclosed. The most serious could allow elevation of privilege from viewing web content.
  • MS14-010: Cumulative Security Update for Internet Explorer (2909921) — 24 vulnerabilities, one of which is publicly disclosed. 23 are memory corruption vulnerabilities and the last a Cross-domain Information Disclosure Vulnerability.
  • MS14-011: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390) — Remote code execution is possible when the user visits a malicious web site.

In their initial Advance Notification for this month, Microsoft indicated that there would be five updates, four for Windows. On Monday they issued an updated Advance Notification Bulletin which added two extra updates for Windows. They are MS14-005 and MS14-006 in the list above.


Vulnerability in HVAC systems

ID: IRCNE2014022098
Date: 20/11/92

On Thursday a security company warned that many data breaches were occurring because companies use Internet-based heating, ventilation and air conditioning systems, since these systems lack adequate security and hackers can gain access to corporate systems through them.
Qualys, a cloud security service provider, said in a report that its research shows that over the past two years more than 55,000 Internet-connected HVAC systems have had flaws that can be easily exploited by hackers. In targeted attacks, hackers stole login credentials belonging to the company and used them to gain access to the company's payment systems.
HVAC system manufacturers and the companies that support them can connect to these systems remotely in order to support them.
Hackers can abuse these systems to gain access to companies' networks and also to other companies connected to the target company.
The data breach that occurred recently and led to the exposure of 40 million credit and debit cards probably took place by this method.
The report states that the Sochi system does not ask for a password, and to connect to it, it is enough to have its IP address. This issue has been reported to the Sochi manufacturer.
Most companies that connect to such systems remotely do not know that these systems can be used as a gateway to the company's sensitive information, and as a result they pay little attention to their security. For example, many HVAC management companies use the same password to access their products installed at various companies.


Target attack shows danger of remotely accessible HVAC systems

ID: IRCNE2014022098
Date: 2013-02-09

According to "computerworld", the massive Target breach led to revelations that many companies use Internet-connected heating, ventilation, and air conditioning (HVAC) systems without adequate security, giving hackers a potential gateway to key corporate systems, a security firm warned Thursday.
Cloud security service provider Qualys said that its researchers have discovered that most of about 55,000 HVAC systems connected to the Internet over the past two years have flaws that can be easily exploited by hackers. In Target's case, hackers stole login credentials belonging to a company that provides it HVAC services and used that access to gain a foothold on the company's payment systems.
HVAC vendors and other third parties often have remote access rights to these systems for administrative and support purposes.
Hackers can exploit these systems to gain access to enterprise networks and leapfrog onto other corporate systems, Qualys said.
The recent breach at Target, which resulted in the theft of data on 40 million credit and debit cards, is believed to have occurred in this way.
"The Sochi system doesn't even require a password, so if you know the IP address, you're in. We've contacted the integrator to warn them of this problem," Rios noted.
Often, the companies that have remote access to HVAC systems fail to realize that the systems can be used as a gateway to sensitive corporate networks. So they typically tend to have lax security measures, he said. For instance, many HVAC management companies use the same password to access systems belonging to multiple customers, he said.


Malware discovered on Facebook

ID: IRCNE2014022097
Date: 20/11/92

According to findings by MyPermissions, a malicious app on Facebook can prevent users from revoking permissions or removing applications.
Facebook applications often request features and capabilities to access and use personal information. But if an app does not let you revoke its permissions to access personal information, the app is probably malware, and users are unable to remove it.
This problem affects only Facebook applications related to mobile phones. At present, more than half of Facebook users connect to this social network via mobile phone.
The company stated in its report that it is not currently using Facebook until this problem is fixed. However, Facebook has so far not published a statement confirming this claim.


Many Apache websites use old and vulnerable versions

ID: IRCNE2014022096
Date: 20/11/92

According to research by Netcraft, very few Apache servers use the fully patched version. Many popular and well-known sites are hosted on old, vulnerable and unpatched versions of Apache.
The latest released version of Apache Stable is 2.4.7, which was released on November 25, 2013. Very few sites use this version. According to the reports submitted, less than one percent of sites are using 2.4 versions, even though Apache has strongly recommended that users use the 2.4 versions. Some Apache servers use versions from the Apache 2.2 branch, and the latest update of this branch is version 2.2.26, dated November 18, 2013. Even many popular and well-known sites currently use Apache 1.3.x series versions, and many of them are running version 1.3.42.
According to Netcraft's findings, more than half of Apache websites keep their version hidden, although the version can be obtained with certain techniques. Some servers with a vulnerable version may not be vulnerable to the flaws present in that version.
It can be said that the 2.2.x versions are dominant and are still used by many programs such as Red Hat. Also, many sites for which security is a fundamental concern, such as OpenSSL, use old versions of Apache. OpenSSL.org uses Apache version 2.2.22 on Ubuntu Linux.


Windows and Forefront updates on Patch Tuesday

ID: IRCNE2014022095
Date: 20/11/92

Microsoft has published its security bulletin advance notification for February. This month there are only two critical updates. The first update is for Windows 7, 8 and 8.1 for 64-bit and RT versions, as well as Windows Server 2008 and 2012, and the second update will be released for Microsoft Forefront Protection 2010 for Exchange Server.

The update packages and more details about the vulnerabilities that are fixed will be available on Tuesday, February 11.

Tuesday's patch release also includes three important updates for various versions of Windows. All supported versions of Windows are affected by at least two important vulnerabilities. Microsoft will also release a number of non-security updates for various products and a new version of the Malicious Software Removal Kit.


Facebook permissions bug locks in malicious apps

ID: IRCNE2014022097
Date: 2013-02-09

According to "zdnet", a malicious Facebook app could prevent the user from revoking permissions or removing the app, according to MyPermissions, an ISV that makes software to protect user privacy.
Facebook apps often require capabilities to access and use personal information. According to MyPermissions, an app author "... could make it impossible for you to revoke an app's permission to access your information." Presumably this would be a malicious app. The user would be unable to remove it.
The bug only affects the Facebook mobile app but, as the company says, "... nearly half of Facebook's users now access Facebook almost exclusively from their mobile phone." It's also very easy to forget about an app that is installed in your account.
The company says they have reached out to Facebook and that Facebook expects to provide a fix promptly. This story has been updated to include an initial response from Facebook.


Many Apache websites running old, vulnerable software

ID: IRCNE2014022096
Date: 2013-02-09

According to "zdnet", very few Apache web servers are running the current, fully-patched version of the software, according to research by Netcraft. Some very popular sites are running very old, vulnerable and unsupported versions.
The latest version of the Apache Stable Release is 2.4.7, released November 25, 2013. Very few sites are running this version. In fact, less than 1 percent of sites are reporting that they run any version in the 2.4 branch, despite Apache urging users to do so. In fact, Apache servers are overwhelmingly running the "Legacy Release," i.e. the 2.2 branch, the latest version of which is 2.2.26, released November 18, 2013.
Even version 1.3.x, at roughly 6 million sites, is far more popular than the Stable Release. The most popular such site is Weather Underground, which runs Apache 1.3.42.
As Netcraft notes, over half of Apache web sites hide the version number, although further tests may indicate the version. By the same token, some servers with a vulnerable version number may not be vulnerable to some of that version's flaws; for example, Red Hat Linux provides a backporting feature by which fixes for later versions may be applied to an earlier version.
But, as best as we can tell, the 2.2.x branch is dominant. It is still distributed by many third parties, such as Red Hat. And many sites for which security is a prominent concern, such as OpenSSL, run old versions. OpenSSL.org runs Apache 2.2.22 on Ubuntu Linux.


Microsoft to patch Windows, Forefront this month

ID: IRCNE2014022095
Date: 2013-02-09

According to "zdnet", Microsoft has released their Security Bulletin Advance Notification for February 2014. There will be just two critical updates this month, the first for Windows 7/8/8.1, both x86 and RT, and for Windows Server 2008 and 2012. The second critical update is for Microsoft Forefront Protection 2010 for Exchange Server.
The updates and more details on the vulnerabilities they address will be available at 2PM EST on Tuesday, February 11.
Three other updates for various versions of Windows have a maximum rating of Important. Every supported version of Windows is affected by at least two of the three Important updates.
The same day Microsoft will release non-security updates for various products and a new version of the Malicious Software Removal Kit.
