Conficker camouflages new Windows infections

ID: IRCNE2012051484
Date: 2012-05-01

According to "computerworld", Windows PCs infected with Conficker are more likely to be compromised by other malware because the worm masks those secondary infections and makes those machines easier to exploit, a security expert said.
That's the biggest reason why Conficker, although crippled and seemingly abandoned by its makers, remains a threat and should be eradicated, said Rodney Joffe, senior technologist at Neustar and a cybersecurity adviser to the White House.
Last week, Microsoft said that Conficker infected, or tried to infect, 1.7 million Windows PCs in 2011's fourth quarter. Microsoft called on users to strengthen passwords to stymie the malware.
Conficker provides the cover Joffe talked about because of two defensive tactics designed to keep it alive: The worm disables most antivirus software, including Microsoft's Windows Defender and Security Essentials, and switches off Windows' Automatic Updates, the service used by virtually all Windows users to keep their PCs patched. It also blocks access to security product websites -- preventing signature updates for antivirus software -- and to the Windows Update website.
Without antivirus software, Conficker-infected systems are unlikely to detect and deflect other malware. And if Automatic Updates is disabled, the machine will not receive any new security patches from Microsoft, leaving it open to attack by new threats that exploit those underlying vulnerabilities.
Users who suspect Conficker infections can use the Conficker Working Group's (CWG) tool to confirm whether the malware is on their machines. Numerous companies, including McAfee, Microsoft, Symantec and Trend Micro, also offer free Conficker cleaning utilities.

Updating Arrives (Silently) in Firefox 12

ID: IRCNE2012041481
Date: 2012-04-28

According to "internetnews", beginning with the Firefox 12 release this week, Mozilla is baking in a silent updating mechanism – for Windows users only. There is no change for Mac and Linux users. Instead of a user needing to manually click and update to the latest Firefox release, with Firefox 12 and beyond, updates can be set to occur automatically and silently in the background, without delaying the user.
"This feature works via a background process that is only activated during an update," Lawrence Mandel, Engineering Program Manager at Mozilla, told InternetNews.com.
Moving to a silent update process is something that Mozilla has been talking about since the end of 2011. Mozilla moved to a rapid update process in 2011 that has generated new Firefox browser releases every six weeks. It's a process that has been more cumbersome for users, but the silent update will now help to solve that issue.

Google ships Chrome 18, patches bugs and boosts hardware acceleration

ID: IRCNE2012041449
Date: 2012-04-02

According to "computerworld", Google patched nine vulnerabilities in Chrome and boosted the speed and reach of the browser's hardware acceleration with the launch of version 18.
According to the company, Chrome 18 enables accelerated Canvas 2D on Windows and Mac machines with compatible graphics processor units (GPUs), and expands support for the WebGL 3D standard to older systems.
Canvas 2D acceleration has been part of earlier builds of Chrome, but this is the first time that Google has turned it on in a "stable" version of the browser.
Google last refreshed Chrome seven weeks ago on Feb. 8, 2012. Google generates an update to its stable channel about every six to eight weeks.
Three of the nine vulnerabilities patched today were rated "high," the second-most dire ranking in Google's threat system. Five were marked "medium" and one was tagged "low."
Chrome 18 also included the new Adobe Flash Player 11.2, which featured patches for two critical vulnerabilities in the popular media software. Chrome is the only browser to bundle Flash Player.
WebGL support has been extended to systems with older GPUs and drivers in Chrome 18, said Google.
Chrome 18 can be downloaded for Windows, Mac OS X and Linux from Google's website. Users running the browser will be updated automatically through its silent service.

Mozilla knew of Pwn2Own bug before CanSecWest

ID: IRCNE2012031436
Date: 2012-03-14

According to "zdnet", even before a pair of researchers hacked into Firefox to snag second place at the CanSecWest Pwn2Own contest, Mozilla knew about the vulnerability and was working on a fix.
That fix arrived today with Firefox 11, a high-priority update that fixes a dozen security flaws that expose Windows and Mac OS X users to a wide range of hacker attacks.
“The security bug reported by ZDI is one we had already identified and fixed through our internal processes,” said Johnathan Nightingale, Senior Director of Firefox Engineering.
Mozilla had originally delayed the release of Firefox 11 to wait for the Pwn2Own vulnerability details but once the open-source group realized it was the same issue that was identified by researcher Jeff Walden, the patch was pushed out the door.
The vulnerability was described as a “memory safety problem in the array.join function” and was bundled into a security advisory that carries a critical rating.
Here’s a listing of the vulnerabilities fixed with this Firefox update:

  • MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
  • MFSA 2012-18 window.fullScreen writeable by untrusted content
  • MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification
  • MFSA 2012-16 Escalation of privilege with Javascript: URL as home page
  • MFSA 2012-15 XSS with multiple Content Security Policy headers
  • MFSA 2012-14 SVG issues found with Address Sanitizer
  • MFSA 2012-13 XSS with Drag and Drop and Javascript: URL
  • MFSA 2012-12 Use-after-free in shlwapi.dll

Firefox 11 is available via the browser’s software update utility.

Adobe warns of 'critical' Flash Player security holes

ID: IRCNE2012031423
Date: 2012-03-06

According to "zdnet", a pair of researchers in Google’s security team has found gaping holes in Adobe’s ubiquitous Flash Player software.
According to an advisory from Adobe, Googlers Tavis Ormandy and Fermin J. Serna discovered integer errors and a memory corruption vulnerability that could be used by hackers to take complete control of an affected computer.
The vulnerabilities, rated “critical,” were fixed today for Windows, Macintosh, Linux and Solaris OS users.
From Adobe’s alert:
These priority 2 updates address critical vulnerabilities in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.63. Users of Adobe Flash Player 11.1.115.6 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.7. Users of Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.7.
Adobe is urging Flash Player users to apply the update within the next 30 days.

Mozilla patches 'critical' Firefox security hole

ID: IRCNE2012021402
Date: 2012-02-13

According to "zdnet", Mozilla has shipped an urgent Firefox security update to fix a vulnerability that exposes web surfers to malicious hacker attacks.
The vulnerability, fixed with the latest Firefox 10.0.1, causes a browser crash that may be exploitable to launch code execution attacks.
Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave an XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding, a crash will occur. This crash may be potentially exploitable.
Mozilla rates this a “critical” vulnerability that can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
The open-source group said Firefox 9 and earlier browser versions are not affected by this vulnerability.

Unpatched Apache flaw

ID: IRCNE2011111322
Date: 2011-11-26

A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on internal networks if some rewrite rules are not defined properly.
The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers.
In order to set up Apache HTTPD to run as a reverse proxy, server administrators use specialized modules like mod_proxy and mod_rewrite.
Security researchers from Qualys warn that if certain rules are not configured correctly, attackers can trick servers into performing unauthorized requests to access internal resources.
In order to mitigate the problem, server administrators should add a forward slash before $1 in the rewrite rule, the correct form being "^(.*) http://internal_host/$1", Parikh said.
The Apache developers are aware of the problem and are currently discussing the best method of fixing it. One possibility would be to strengthen the previous patch in the server code in order to reject such requests; however, there's no certainty that other bypass methods won't be discovered.
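The mitigation described above can be checked mechanically. The following is an added example, not code from Qualys or the Apache project: a small audit that flags proxy rules whose backreference directly follows the host with no forward slash. It goes slightly beyond the article's single rule by also checking ProxyPassMatch and %N backreferences; the sample configuration is constructed, and splitting directives on whitespace is a simplifying assumption.

```python
import re

# Constructed sample configuration for illustration (not from a real server).
SAMPLE_CONF = """\
RewriteEngine On
# weak: backreference glued directly to the host name
RewriteRule ^(.*) http://internal_host$1 [P]
# corrected form quoted in the article
RewriteRule ^(.*) http://internal_host/$1 [P]
ProxyPassMatch ^(.*) http://internal_host$1
ProxyPassMatch ^(.*) http://internal_host:8080/$1
RewriteRule ^/old/(.*) /new/$1 [R]
"""

# scheme://authority followed immediately by a $N or %N backreference,
# i.e. no "/" separating the fixed host from request-derived text.
GLUED = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s$%]*[$%]\d", re.IGNORECASE)


def is_proxied(directive, parts):
    """ProxyPassMatch always proxies; RewriteRule only with the P flag."""
    if directive == "proxypassmatch":
        return True
    flags = parts[3].strip("[]").lower().split(",") if len(parts) > 3 else []
    return "p" in flags or "proxy" in flags


def audit(conf_text):
    """Return (line_number, line) for proxy rules missing the slash."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive not in ("rewriterule", "proxypassmatch"):
            continue
        target = parts[2].strip('"')
        if GLUED.match(target) and is_proxied(directive, parts):
            findings.append((lineno, raw.strip()))
    return findings


if __name__ == "__main__":
    for lineno, line in audit(SAMPLE_CONF):
        print(f"line {lineno}: add '/' before the backreference: {line}")
```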

MS Patch Tuesday heads-up: Expect 'critical' IE, Windows bulletins

ID: IRCNE2011101280
Date: 2011-10-15

Microsoft’s monthly pilgrimage to the security patch altar will resume next Tuesday with fixes for gaping security holes in software products used by tens of millions of computer users.
In all, the Redmond, Wash. software maker will ship 8 security bulletins to address at least 23 documented vulnerabilities affecting the Internet Explorer browser, the Microsoft Windows operating system, .NET Framework and Silverlight, Microsoft Forefront UAG, and Microsoft Host Integration Server.
Two of the eight bulletins (affecting IE, Windows and .NET Framework and Silverlight) will be rated “critical,” Microsoft’s highest severity rating. Microsoft typically slaps a “critical” rating on vulnerabilities that can be exploited remotely to launch code execution attacks without any user action.
The other six bulletins will be rated “important,” according to an advance notice from Microsoft.
Some of these patches will require a restart after the affected machine is updated.

37 percent of users browsing the Web with insecure Java versions

According to "zdnet", over a period of three months, researchers from CSIS monitored 50 different exploit kits on 44 unique servers and found that 31.3% were infected with the virus/malware due to missing security updates.
In particular, users were running outdated versions of specific applications and browser plugins. Java JRE accounted for 37 percent of the most vulnerable applications, followed by Adobe Reader/Acrobat with 32 percent and Adobe Flash with 16 percent.
Common vulnerabilities exploited by cybercriminals in their web malware exploitation kits include:

  • CVE-2010-1885 Microsoft Help & Support HCP
  • CVE-2010-1423 Java Deployment Toolkit insufficient argument validation
  • CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
  • CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
  • CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
  • CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
  • CVE-2009-0927 Adobe Reader Collab GetIcon
  • CVE-2008-2992 Adobe Reader util.printf
  • CVE-2008-0655 Adobe Reader CollectEmailInfo
  • CVE-2006-0003 IE MDAC
  • CVE-2006-4704 Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
  • CVE-2004-0549 ShowModalDialog method and modifying the location to execute code

 

Microsoft plugs 34 holes; Adobe fixes Flash Player bug

ID: IRCNE2011061141
Date: 2011-06-15

According to "cnet", Microsoft released 16 security bulletins today fixing 34 holes, including critical holes in Windows, SMB Client and Internet Explorer, while Adobe Systems fixed a hole in Flash Player that was reportedly being targeted in attacks.
Adobe's quarterly security bulletins include critical updates for Flash Player, Shockwave Player, and Adobe Reader and Acrobat. Meanwhile, Adobe said it will now offer users the opportunity to turn automatic update on by default.
There are four "critical-level" updates that Microsoft said in a blog post should be addressed first. They are:

  • MS11-042, which fixes vulnerabilities in the distributed file system that affects all versions of Windows.
  • MS11-043, which closes a hole in SMB Client on Windows.
  • MS11-050, which is a cumulative bulletin resolving 11 bugs in Internet Explorer.
  • MS11-052, which fixes a vulnerability in the Microsoft implementation of Vector Markup Language and affects Windows and Internet Explorer 6, 7 and 8.

Affected software includes Windows XP, Vista, Windows 7, Windows Server 2003 and 2008, Office XP, 2003, 2007, 2010, Office 2004 and 2008 for Mac, SQL Server 2005 and 2008, Silverlight 4, Visual Studio 2005, 2008 and 2010, and Forefront Threat Management Gateway 2010 Client. More details are in the related links.

Related Links:
http://www.certcc.ir/index.php?module=cdk&func=loadmodule&system=cdk&sismodule=user/content_view.ph…
http://www.certcc.ir/index.php?module=cdk&func=loadmodule&system=cdk&sismodule=user/content_view.ph…
