Major Flash Player update

ID: IRCNE20111101313
Date: 2011-11-12

Adobe has issued a warning for a dozen serious security vulnerabilities in its widely distributed Flash Player software.
The security holes, which affect Windows, Mac OS X, Linux and Solaris users, could allow remote code execution attacks via rigged Flash Player files.
The company shipped Flash Player 11.1.102.55 with patches for the 12 documented vulnerabilities.

  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-2445).
  • This update resolves a heap corruption vulnerability that could lead to code execution (CVE-2011-2450).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-2451).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-2452).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-2453).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-2454).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-2455).
  • This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2011-2456).
  • This update resolves a stack overflow vulnerability that could lead to code execution (CVE-2011-2457).
  • This update resolves a vulnerability that could lead to a cross-domain policy bypass (Internet Explorer-only) (CVE-2011-2458).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-2459).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-2460).

Adobe has slapped a “critical” rating on this bulletin and recommends that all affected users apply the patch immediately.

Duqu, very sophisticated

Computerworld - The hacker group behind Duqu may have been working on its attack code for more than four years, new analysis of the Trojan revealed Friday.
Moscow-based Kaspersky Lab published some findings today from a recent rooting through Duqu samples provided by researchers in the Sudan, saying that one driver included with the attack payload was compiled in August 2007, extending the timeline of the gang's work.
Schouwenberg added that the August 2007 driver was most likely created specifically for Duqu by the group responsible for the attacks, and was not an off-the-shelf file built by others, because the driver has not been spotted elsewhere.
Other researchers have found files amongst those used by Duqu that carry build dates of February 2008, but actual attacks have been tracked back only to April 2011.
That was also the month that the Sudan-provided samples indicated attacks took place against an unnamed target in that country, according to Kaspersky, which reported two separate attempts -- one on April 17, the second on April 21 -- to plant malware on Windows PCs.
The first attack failed because the email message carrying a malicious Word document was blocked by a spam filter; the second was successful.
Microsoft has confirmed that the Duqu campaign exploits a vulnerability in a Windows kernel-mode driver -- specifically "Win32k.sys," and its TrueType font parsing engine -- to gain rights on the compromised PC sufficient to install the malware.
Although Microsoft has yet to patch the bug, it has urged customers to disable the font parser to protect themselves.
Kaspersky's other notable discovery was that each of the dozen Duqu attacks it knows of used a custom-created set of files compiled immediately before the malware was aimed at a target.
Although Kaspersky's newest analysis differs in some ways from that conducted by other security firms -- notably Symantec, which was the first to disclose Duqu's existence -- neither Schouwenberg nor a Symantec director saw a conflict. Symantec echoed that Duqu has been characterized by Symantec and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that last year sabotaged Iran's nuclear program. While some have disputed that, Kaspersky is firmly in the Stuxnet-connection camp.
There are certainly differences -- Stuxnet was an attack tool, Duqu seems designed to be part of an intelligence-gathering operation -- but Schouwenberg said there were even more similarities. One such similarity: a line between Stuxnet and Duqu's infection process that, he said, showed the authors of the former learned important lessons that they then applied to the latter.
More information about Duqu can be found on the website of U.S.-CERT, the cyber-defense agency that's part of the Department of Homeland Security, and in an updated report from Symantec.

Related Links:
Microsoft issues temporary 'fix-it' for Duqu zero-day

Apple updates iOS

ID: IRCNE20111101311
Date: 2011-11-12

According to “ZDNet”, Apple has wasted no time fixing the code signing bypass vulnerability exposed by Charlie Miller in the recent disclosure flap.
Apple shipped the patch for Miller’s vulnerability in the new iOS 5.0.1 software update that also fixes a publicly known passcode lock issue that affected the iPad 2 device.
From the advisory:
“A logic error existed in the mmap system call’s checking of valid flag combinations. This issue may lead to a bypass of codesigning checks. This could be exploited to allow an application to execute unsigned code.”
"This issue does not affect devices running iOS prior to version 4.3", Apple posted in a security document.
Using a proof-of-concept app that masqueraded as a stock ticker, Miller was able to commandeer an iPhone device via the installed app.
The iOS 5.0.1 update also fixes some additional security problems:
· CFNetwork: An issue existed in CFNetwork’s handling of maliciously crafted URLs. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could navigate to an incorrect server. Visiting a maliciously crafted website may lead to the disclosure of sensitive information.
· CoreGraphics: Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. Viewing a document containing a maliciously crafted font may lead to arbitrary code execution.
· libinfo: An issue existed in libinfo’s handling of DNS name lookups. When resolving a maliciously crafted hostname, libinfo could return an incorrect result. Visiting a maliciously crafted website may lead to the disclosure of sensitive information.
· Passcode Lock: When a Smart Cover is opened while iPad 2 is confirming power off in the locked state, the iPad does not request a passcode. This allows some access to the iPad, but data protected by Data Protection is inaccessible and apps cannot be launched. A person with physical access to a locked iPad 2 may be able to access some of the user’s data.

Related Links:
Malicious app in the App Store

Mozilla and Microsoft revoke all DigiCert SSL certificates

ID: IRCNE2011111310
Date: 18/08/90

On Thursday, Mozilla and Microsoft announced that they had revoked all certificates issued by Digicert, a Malaysian intermediate certificate authority. The two companies revoked the company's certificates after learning that the authority had issued 22 certificates with weak 512-bit keys and with missing certificate extensions.
Mozilla has revoked trust in all certificates issued by the Malaysian company Digicert, while it was made clear that the issue was not related to Firefox's certificates. The update is applied in Firefox 8 and 3.6.24.
Jerry Bryant, group manager of communications for Trustworthy Computing at Microsoft, said that Microsoft will revoke these certificates in updates released through Windows Update.
Bryant added: "There is no indication that these certificates are fraudulent; however, these weak keys allow some of the certificates to be compromised."
Google has also blocked the serial numbers of these 22 certificates and, as a larger measure, plans to block all Digicert certificates on Tuesday.

Malicious app in the Apple store

ID: IRCNE2011111309
Date: 18/8/90

A software hole in Apple's iPhones and iPads could allow developers to get through the App Store gates and take control of the device.
A security researcher named Charlie Miller discovered this security flaw, which allows developers to bypass code signing restrictions and secretly install malware on Apple devices.
According to Miller, the flaw allows apps in the App Store to download new code and run it, even if the code is not signed or has not been reviewed by Apple.
According to him, until now you could download whatever you wanted from the Apple store and not worry about it being malicious. Now, however, there is no guarantee about what an app in the store might do.
The researcher demonstrated the flaw using a price checking app called InstaStock, which he created himself. Although the app has features for downloading unapproved code, it was accepted by the Apple store.
The app's code could allow a hacker to download the address book, view pictures, access other data, and even put the phone in vibrate mode.
Apple has now removed the app from its store.

November Patch Tuesday

ID: IRCNE2011111308
Date: 18/8/90

Microsoft released a security update to fix one very dangerous hole and three less dangerous holes in Windows, but the company is still working on fixing the flaw used by the Duqu Trojan.
The update covers several remote code execution and denial-of-service issues in all versions of Windows, and Microsoft has asked its users to pay special attention to the MS11-083 update.
According to the Patch Tuesday security bulletin, the most serious update of this cycle is MS11-083; the vulnerability it fixes could allow an attacker to take control of the victim's system by sending a large number of malicious UDP packets to a closed port on the target system. This update fixes a vulnerability in the TCP/IP stack in Windows 7, Vista, and Server 2008.
A researcher at Qualys said that since this vulnerability requires no user interaction or authentication, all Windows systems, workstations, and servers that are on the Internet can easily be exposed to this attack. The positive point here is that the attack is complicated to carry out, and Microsoft has rated the vulnerability 2 in terms of exploitability. This means that exploit code for the vulnerability is unstable, but the vulnerability has the potential to produce a big worm.
Microsoft also fixed a vulnerability in Windows Mail and Meeting Space that could be exploited to induce the system to run arbitrary code remotely if a file is opened that is located in the same network directory as a malicious DLL file. The company expects to see exploit code for this vulnerability within the next 30 days. Also fixed were a vulnerability in Active Directory and a vulnerability in Windows Kernel-Mode Drivers that could be used for a denial-of-service attack if a user opens a malicious TrueType font file.

Firefox and Internet Explorer pull trust in DigiCert Malaysia SSL certificates

ID: IRCNE2011111310
Date: 2011-11-09

According to "techworld", Mozilla and Microsoft said Thursday they are revoking trust in all certificates issued by Digicert, a Malaysian intermediate certificate authority, after it was found that it had issued 22 certificates with weak 512-bit keys and missing certificate extensions and revocation information.
Mozilla is revoking trust in all certificates issued by Digicert in Malaysia, while clarifying that it was not a Firefox specific issue, and the update will be in Firefox 8 and Firefox 3.6.24.
Microsoft will revoke trust in Digicert Malaysia in an update to be released through Windows Update, said Jerry Bryant, group manager of response communications for Trustworthy Computing at the company, in a blog post.
"There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised," Bryant said.
Google is blocking serial numbers that correspond to the 22 certificates. As a larger measure, it plans to block the Digicert certificate by Tuesday.

Malicious app in the App Store

ID: IRCNE20111101309
Date: 2011-11-09

According to “ITPro”, a software hole in Apple's iPhones and iPads may permit developers to break through the App Store gates and control the device.
Security researcher Charlie Miller discovered the flaw, allowing developers to bypass the code signing restrictions and secretly install malware onto Apple devices.
"The flaw I found allows apps in the App Store to download new code and run it even if it's not signed or even if it hasn't been checked by Apple," Miller said.
"Until now you could just download everything from the App Store and not worry about it being malicious. Now you have no idea what an app might do," said Miller.
Miller demonstrated the flaw by using a stock price checking application he created, InstaStock, which was approved even though it contained features to download unapproved code.
The app's code could let a hacker download an address book, view pictures, access other data and even make the phone vibrate.
Apple has now removed the app from its App Store.

November Patch Tuesday

ID: IRCNE20111101308
Date: 2011-11-09

According to “CNET”, Microsoft released a security update to fix one critical and three less serious Windows holes but is still working on a patch for a flaw being exploited by the Duqu Trojan.
The updates address remote code execution and denial-of-service issues in all versions of Windows, and Microsoft is urging its user base to pay special attention to MS11-083, which covers a gaping hole in the Windows TCP/IP stack, “ZDNet” reports.
The most serious of the updates is MS11-083, which could allow an attacker to take over a computer by sending a large number of malicious UDP packets to a closed port on a target system, the Patch Tuesday security bulletin said. It plugs a vulnerability in the TCP/IP stack in Windows 7, Vista, and Server 2008.
"Since this vulnerability does not require any user interaction or authentication, all Windows machines, workstations and servers that are on the Internet can be freely attacked," Amol Sarwate of Qualys said. "The mitigating element here is that the attack is complicated to execute, and Microsoft has given it an Exploitability index of '2,' meaning that the exploit code is inconsistent, but otherwise this has all the required markings for a big worm."
Microsoft also fixed a vulnerability in Windows Mail and Meeting Space that could be exploited to trick the system into remotely running random code if a user opens a file located in the same network directory as a malicious dynamic link library (.DLL) file. Also patched were a vulnerability in Active Directory and one in Windows Kernel-Mode Drivers that could allow a denial of service if a user opens a malicious TrueType font file as an e-mail attachment or navigates to such a file on a network share.

Microsoft Patch Tuesday is on the way

ID: IRCNE2011111307
Date: 15/08/90

On Friday, Microsoft said that four security updates will be released next week to fix four vulnerabilities in Windows.
Microsoft said these critical vulnerabilities affect only Windows Vista, Windows 7, Server 2008, and Server 2008 R2.
One update is rated "critical", two are rated "important", and one is rated "moderate".
The updates rated "critical" and "important" fix vulnerabilities that attackers could exploit to run arbitrary code and potentially take control of the vulnerable computer.
It does not appear that Microsoft will fix the critical Windows kernel problem in this patch release.
Wolfgang Kandek said: Interestingly, most of the bulletins apply only to newer versions of Windows, and only bulletin 3, which is rated important, applies to users of Windows XP and Server 2003.
