ID: IRCNE2013011730
Date: 2013-01-13

According to “Computerworld”, Google on Thursday upgraded Chrome, improving the browser's start-up performance and patching two dozen security vulnerabilities.
Chrome 24 contained few major changes. That's typical, as Google usually refreshes its browser every six to eight weeks.
Google called out only a handful of improvements and additions, including faster start-up, another small speed uptick of Chrome's V8 JavaScript engine, and support for MathML (Mathematical Markup Language), which renders math formulas and symbols on browser pages.
The JavaScript performance boost was minor compared to Chrome 23, the version introduced nine weeks ago, but Google boasted that since October 2011, V8's speed has improved by 26%.
Chrome 24 also patched 24 vulnerabilities. Its security team labeled 11 of the flaws as "high," Google's second-most-serious threat rating, eight as "medium," and five as "low."
Three of the vulnerabilities were reported to Google by a quartet of outside researchers, who received $6,000 for their efforts as part of the search company's bounty program. Two of the four were Facebook researchers who together earned $4,000 for uncovering and reporting a bug in Chrome's "same origin policy," a security provision intended to block browser-based languages, including JavaScript, hosted on one domain from running on another.
Five of the flaws were "use-after-free" bugs, a type of memory allocation vulnerability that Chrome's security engineers have become adept at finding; and four, including one of the use-after-free vulnerabilities, that affected the browser's built-in PDF viewer.
Chrome 24 also included a new version of Adobe's Flash Player that contained a solo critical patch. Adobe had patched Flash for other browsers on Tuesday. It is rare for Chrome to lag behind Flash's patch pace; in several instances, a new Chrome update has hit Google's download servers before Adobe releases the fixes to the public.
Google updates Flash because it's responsible for maintaining the bundled copy of Flash Player inside Chrome. Google has baked Flash into Chrome since March 2010. Last year, Microsoft mimicked the practice by including Flash in Internet Explorer 10 (IE10), the Redmond, Wash., company's newest Windows 7 and Windows 8 browser.
Users can download Chrome 24 from Google's website. Active users can simply let the automatic updater retrieve the new edition.

ID: IRCNE2013011729
Date: 2013-01-13

According to "computerworld", Foxit Reader, a PDF viewer application often used as an alternative to the more popular Adobe Reader, contains a critical vulnerability in its browser plug-in component that can be exploited by attackers to execute arbitrary code on computers.
Details about the vulnerability and how it can be exploited were publicly disclosed Monday by Andrea Micalizzi, an independent security researcher from Italy.
There is currently no official patch for the issue, according to an advisory from vulnerability intelligence and management company Secunia. The security firm rated the flaw as highly critical because it can be exploited remotely to gain system access.
Foxit's developers have identified the cause of the vulnerability and are working on creating a patch, a Foxit sales and service representative said Friday via email. The patch is expected to be released within one week, she said.
"The vulnerability is caused due to a boundary error in the Foxit Reader plugin for browsers (npFoxitReaderPlugin.dll) when processing a URL and can be exploited to cause a stack-based buffer overflow via e.g. an overly long file name in the URL," Secunia said. "Successful exploitation allows execution of arbitrary code."
The vulnerability has been confirmed in npFoxitReaderPlugin.dll version 2.2.1.530, which is installed by Foxit Reader 5.4.4.1128 -- the latest version of the program. However, older versions might also be affected, Secunia said.
By default, Foxit Reader installs the plug-in for Mozilla Firefox, Google Chrome, Opera and Safari Web browsers.
"We have confirmed the vulnerability using Firefox, Opera, and Safari," Chaitanya Sharma, advisory team lead at Secunia, said Thursday via email.
The Foxit representative, too, recommended avoiding using the Foxit browser plug-in for Firefox, Chrome, Opera or Safari, but instead suggested using Internet Explorer to view online PDF files.

ID: IRCNE2013011728
Date: 2013-01-13

According to "computerworld", security researchers say a patch released by Yahoo earlier this week for a serious email vulnerability did not fix the problem, leaving users at risk.
The cross-site scripting flaw was found by Shahin Ramezany, who goes by the nickname "Abysssec." The vulnerability can allow an attacker to harvest a victim's cookie for their Yahoo account if the victim is successfully tricked into clicking on a malicious link.
The vulnerability was patched by Yahoo on Monday, but penetration testing company Offensive Security and Ramezany say that the patch did not fix the problem.
"With little modification to the original proof-of-concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim's account," Offensive Security wrote on its blog.
The company said XSS filters provide little defense against an attack and warned that people should be wary of clicking on links within emails until Yahoo fixes the vulnerability.

ID: IRCNE2013011727
Date: 2013-01-13

According to “CNET”, a new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).
The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown:
The malware has currently been seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform. Additionally, the exploit is currently being distributed in the competing exploit kits "Blackhole" and "NuclearPack," making it far more convenient to criminal malware developers to use.
Even though the exploit has not been seen in OS X, Apple has taken steps to block it by issuing an update to its built-in XProtect system to block the current version of the Java 7 runtime and require users install an as of yet unreleased version of the Java runtime (release b19). Additionally, the U.S. Department of Defense has issued an advisory to disable Java on systems that have it installed.
Luckily with the latest versions of Java, users who need to keep it active can change a couple of settings to help secure their systems. Go to the Java Control Panel that is installed along with the runtime, and in the Security section uncheck the option to "Enable Java content in the browser," which will disable the browser plug-in. This will prevent the inadvertent execution of exploits that may be stumbled upon when browsing the Web, and is a recommended setting for most people to do. If you need to see a Java applet on the Web, then you can always temporarily re-enable the plug-in.
The second setting is to increase the security level of the Java runtime, which can also be done in the same Security section of the Java Control Panel. The default security level is Medium, but you can increase this to High or Very High. At the High level, Java will prompt you for approval before running any unsigned Java code, and at the Very High level all Java code will require such approval, regardless of whether or not it is signed.
Since this threat is Java-based, it will only affect systems that have Java installed. Most platforms do not come with Java, but if you have installed it and do not need or regularly use it, you might consider removing it from your system.

Related Posts:
US-CERT: Disable Java in browsers because of exploit

ID: IRCNE2013011726
Date: 2013-01-13

According to "computerworld", Internet users should consider disabling Java in their browsers because of an exploit that can allow remote attackers to execute code on a vulnerable system, the U.S. Computer Emergency Readiness Team (US-CERT) recommended late Thursday.
Security researchers reported this week that cybercriminals were using a zero-day vulnerability in Java to attack computer systems. Attackers were using the vulnerability to stealthily install malware on the computers of users who visit compromised websites, researchers said.
The US-CERT security warning said the agency is "unaware of a practical solution to this problem."
Instead, US-CERT recommended Internet users disable Java in browsers. US-CERT is part of the U.S. Department of Homeland Security.
The problem can allow an untrusted Java applet to escalate its privileges, without requiring code signing. Oracle Java 7 update 10 and earlier are affected, US-CERT said.
"This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits," US-CERT added. "Exploit code for this vulnerability is also publicly available."

ID: IRCNE2013011725
Date: 2013-01-13

According to "computerworld", Oracle is preparing to ship 86 patches covering security vulnerabilities in a wide span of its products, with 18 of the fixes aimed at the MySQL database alone.
Two of the MySQL vulnerabilities can be exploited by an attacker remotely without the need for a user name and password, according to a pre-release announcement posted on Oracle's website. The patch batch, which is scheduled for Tuesday, also includes one fix for Oracle's flagship database, including versions 10g R2, 11g R1 and 11gR2. While the vulnerability in question also has a CVSS base score of 9.0, it can't be exploited remotely without credentials, according to the announcement.
But another five patches will be shipped for Oracle Database Mobile/Lite Server, and all of them are remotely exploitable without requiring authentication, Oracle said. This grouping's highest CVSS base score is 10.0, according to Oracle.
Various components of Oracle Fusion Middleware, including WebLogic Server and Access Manager, will receive seven patches.
Some 13 patches concern Oracle Enterprise Manager Grid Control. All are exploitable remotely without credentials.
The remaining fixes set to ship Tuesday cover Oracle applications such as E-Business Suite and JD Edwards, as well as the Sun Storage Common Array Manager and Oracle's virtualization technology.
Oracle's last patch release, which came in October, fixed 109 problems.

شماره:IRCNE2013011724
تاريخ: 20/10/91

مايكروسافت در اولين سه‌شنبه اصلاحيه سال 2013، 12 آسيب‌پذيري را در قالب هفت بسته اصلاحي در ويندوز، آفيس و چندين محصول ديگر برطرف ساخته است. البته در اين اصلاحيه آسيب‌پذيري اخير در IE كه گفته مي‌شود حدود يك ماه از شروع سوءاستفاده از آن مي‌گذرد، گنجانده نشده است.
از هفت بسته اصلاحي ارائه شده، دو عدد از آنها "بسيار مهم" يا حياتي ارزيابي شده اند. در واقع از 12 آسيب‌پذيري اصلاح شده، تنها سه عدد از آنها "بسيار مهم" بوده اند و ديگر آسيب‌پذيري‌ها مهم ارزيابي شده‌اند.
متخصصان امنيتي، MS13-002 را يكي از بسته‌هاي اصلاحي بسيار مهم معرفي كرده‌اند كه نيازمند توجه فوري كاربران است. يكي از آسيب‌پذيري‌هاي اصلاح شده در اين بسته، يك باگ در هسته خدمات XML (MSXML) است كه در همه نسخه‌هاي ويندوز، از ويندوز xp يازده ساله گرفته تا ويندوز 8 و ويندوز RT دو ماهه وجود دارد.
اين آسيب‌پذيري ابتدا در MS12-043 در ماه جولاي برطرف شده بود، اما در ماه سپتامبر گذشته گزارش‌هايي مبني بر سوءاستفاده مجدد از آن دريافت شد.
اصلاحيه MS13-002 همچنين بر روي آفيس 2003 و 2007 نيز اعمال مي‌شود.

اخبار مرتبط:
آسيب پذيري zero-day در اينترنت اكسپلورر نسخه هاي 6 و 7 و 8
انتشار يك اصلاحيه براي برطرف كردن آسيب پذيري در اينترنت اكسپلورر

شماره: IRCNE2013011723
تاريخ:20/10/91

رخنه هاي امنيتي در فلش، Reader و آكروبات مي تواند منجر به از كار افتادن كامپيوترها و صدمه زدن به آن ها شود. ديروز شركت نرم افزاري ادوبی اعلام كرد كه به روز رساني هايي براي اين سه برنامه و به منظور برطرف كردن آسيب پذيري ها منتشر ساخته است.
اين شركت در يك بولتن امنيتي گفت: اين به روز رساني ها يك آسيب پذيري را برطرف مي نمايد كه مي تواند منجر به سيستم صدمه وارد نمايد و به طور بالقوه به مهاجم اجازه مي دهد تا كنترل سيستم آلوده را در اختيار بگيرد. شركت ادوبی به كاربران خود توصيه مي كند كه محصولات خود را به آخرين نسخه به روز رساني نمايند.
اين شركت در رابطه با آسيب پذيري هاي امنيتي جزئيات بيشتري ارائه نداد اما به شدت به كاربران خود كه در حال اجراي تمامي نسخه هاي ادوبی فلش پلير بر روي ويندوز، مكينتاش، لينوكس و اندرويد هستند توصيه مي كند كه برنامه هاي فلش، Reader و آكروبات رابه آخرين نسخه به روز رساني نمايند. شركت ادوبی نسخه هاي جديد Reader و آكروبات را در ماه اكتبر منتشر كرده بود.

ID :IRCNE2013011724
Date: 2013-01-09

Computerworld - Microsoft today patched 12 vulnerabilities in Windows, Office and several server and development products, but as it hinted last week, did not come up with a fix for the Internet Explorer (IE) bug that cyber criminals have been exploiting for at least a month.
Today was also a spring tide of sorts for patching, as Microsoft's updates were just some that vendors pushed to customers. Adobe also issued updates for Flash Player, Adobe Reader and Adobe Acrobat; Google shipped a new version of Chrome; and Mozilla delivered the next iteration of Firefox.
"More vendors are aligning with Patch Tuesday," said Jason Miller, VMware's manager of research and development. "That's not necessarily a bad thing, but with so many, it makes it harder to get your hands around what needs to be patched."
Two of Microsoft's seven security updates were marked "critical," Microsoft's highest-threat rating. The other five were tagged "important." Of the 12 vulnerabilities, only three were critical.
Security experts voted MS13-002, one of the two critical updates, as requiring immediate attention. The one-vulnerability update addressed a bug in XML Core Services (MSXML) in every supported edition of Windows, from the 11-year-old Windows XP to the two-month-old Windows 8 and Windows RT.
MSXML was last patched by MS12-043, another critical update, released in July. That vulnerability was one of several allegedly uncovered, then exploited, by an elite hacker group dubbed "Elderwood" by Symantec, which in September said the gang had an inexhaustible supply of "zero-day" bugs at its disposal.
MS13-002 affected not only Windows, but as Storms and Miller said, also Office 2003 and Office 2007; Expression Web, part of the Expression Studio web development suite; and SharePoint Server 2007, Groove Server 2007 and System Center Operations Manager 2007.

Related Topics
Microsoft's next Patch Tuesday won't resolve IE zero-day flaw
Microsoft issues fix for IE flaw that could allow PC hijack

ID: IRCNE2013011723
Date: 2013-01-09

According to "cnet", security flaws in Adobe Flash, Reader, and Acrobat could have been the cause of computer crashes recently. The software company announced today that it sent out updates for these three programs, which are meant to patch security vulnerabilities that cause such system crashes.
"These updates address a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system," the company wrote in a security bulletin today. "Adobe recommends users update their product installations to the latest versions."
Adobe does not give any further detail on the security vulnerabilities but does strongly recommend that users running all versions of Adobe Flash Player for Windows, Mac OS X, Linux, and Android update their programs.
Adobe launched new versions of Reader and Acrobat in October. The new XI version of Reader beefed up the Protected Mode features of the program, while the latest Acrobat updated text and image editing.