SEO Attack on Image Searches

ID: IRCNE2011051115
Date: 2011-05-14

“ITPRO” reports that a poisoned search engine optimization (SEO) campaign has duped over 100 million web users into visiting malicious web pages. The campaign, run by a well-known blackhat SEO operator, has used Google image search to redirect users to fake anti-virus downloads. “In just one month, this campaign was able to redirect nearly 300 million hits from 113 million visitors to the malicious landing pages,” Trend Micro explained.
“In addition to generating pages full of bad links and keywords to boost search engine results ranking, the operator also embedded images taken from legitimate sites so its pages can get a high Google Image Search index.”
To date, Trend Micro said it had identified 4,586 compromised servers connecting to the blackhat SEO command server. Using these servers, the hackers have implanted two kinds of pages inside various websites, one being a standard fake anti-virus scanning page, the other a Traffic Direction System (TDS) page.
“TDS pages are used as landing pages to direct traffic to malicious content. This particular campaign uses the well-known SUTRA TDS.” In the past 30 days, that TDS redirected 220,175,652 hits from 82,568,468 visitors.
This campaign targeted Mac users in particular by using landing pages designed to imitate the appearance of the Mac OS.

Serious Flash Player Update

ID: IRCNE2011051114
Date: 2011-05-14

According to “Computerworld”, Adobe has released an important update for its Flash Player software that fixes critical security flaws and gives users a better way of controlling whether they are being tracked on the Web.
The Flash Player 10.3 update, released Thursday, lets users manage Flash cookies using their browser's privacy settings or through a new control panel. Flash cookies, also called "Local Shared Objects," have been a sore spot for Adobe users since 2009, when researchers showed they were being used extensively to track Web surfers. The problem is that Flash cookies, unlike traditional cookies, historically have been hard to remove, and some sites have used them to track users who wanted to block cookies.
The new Flash cookie management option works with the Firefox and Internet Explorer browsers. In the future, it will also be available to Chrome and Safari users. Web surfers can also manage their Flash cookies through a new control panel, designed to give users a single place where they can make sure that Flash Player isn't doing anything it shouldn't. "With Flash Player 10.3, we have created a new native control panel for Windows, Macintosh and Linux desktops that will allow end-users to manage all of the Flash Player settings, including camera, microphone and Local Shared Objects," an Adobe spokesman wrote in a blog post.
The new Flash Player also includes a number of security fixes for several critical bugs. The security updates, which affect all Flash platforms, are important. Flash has been used in a lot of online attacks over the past few years, and with this latest set of patches, Adobe said it has fixed a previously unknown flaw that had been leveraged in online attacks.
"There are reports of malware attempting to exploit one of the vulnerabilities in the wild via a Flash file embedded in a Microsoft Word or Microsoft Excel file delivered as an email attachment targeting the Windows platform," Adobe said in a note posted to its website. "However, to date, Adobe has not obtained a sample that successfully completes an attack."
Mac OS users will also now get automatic software update notifications, just like their Windows counterparts.

Zeus Malware Masquerading as a Microsoft Update

ID: IRCNE2011051113
Date: 2011-05-14

ZeroDay Blog - Timing is everything when it comes to event-based social engineering attacks. A currently spamvertised malware campaign is brand-jacking Microsoft’s Patch Tuesday for ZeuS crimeware serving purposes. What’s particularly interesting about the campaign, first observed on May 6th, is that the email message is localized to a second language in an attempt to better target the spamvertised audience. Moreover, the campaign is relying on a compromised domain for hosting the actual ZeuS binary.
Sample subject: URGENT: Critical Security Update
Sample download: SECURITY_FIX_0231.exe
Sample message: Dear Microsoft Customer,
Please notice that Micraosoft company has recently issued a Security Updaate for Microsoft Windows OS. The Security Update is to prevent malicious users from getting access to your computer files.
The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft XP, Microsoft Windows 7.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update. Since public distribution of this Update through the official website have result in efficient creation of malicious software, we made a decision to issue this security update via e-mail.
Users are advised to avoid interacting with suspicious links and email attachments found in email messages.

Serious hole in critical-infrastructure software

ID: IRCNE2011051112
Date: 2011-05-14

CNET reports that a stack overflow vulnerability affects the Genesis32 supervisory control and data acquisition (SCADA) and BizViz software sold by ICONICS, according to an advisory (PDF) released yesterday by the Department of Homeland Security's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). ICONICS has issued a patch to close the hole, which could allow an attacker to remotely execute code and take control of the computer.
Meanwhile, an exploit targeting the vulnerability was publicly available, the advisory said. To be successful, an attacker would need to use social engineering to lure a user with the "GenVersion.dll" (dynamic-link library) ActiveX control installed to visit a Web page that hosts malicious JavaScript. The dynamic-link library is a component of WebHMI (human machine interface) used in the ICONICS software, according to the advisory, which cited a report (PDF) by researchers at Security-Assessment.com.
"This vulnerability requires moderate skill to exploit," the warning said.
Fifty-five percent of the Genesis32 installations are in the U.S., 45 percent are in Europe, and 5 percent are in Asia, according to Foxborough, Mass.-based ICONICS.
The advisory comes less than two months after ICS-CERT and several researchers warned of a handful of holes in different SCADA software.
Security issues with software used to monitor and control critical-infrastructure systems are cropping up more and more as those systems adopt Web-based technologies that provide channels into previously isolated networks.

Denial of a Vulnerability in Chrome

ID: IRCNE2011051111

Several Google security engineers have responded to claims by a French security company about a vulnerability in Chrome that would let attackers take control of a victim's system through the browser. The engineers say that the security flaw Vupen exploited to hack Chrome is in fact in Adobe Flash, which Google's browser has bundled for about a year.
A Google spokesman also stated that, since Vupen has not provided the company with any details, its investigation is continuing.
A Google security engineer says that security writers do not bother to check the facts. According to him, Vupen did not properly understand how the sandbox in Chrome works, and the issue was simply a Flash security flaw.
Vupen has refused to share any information on the matter. The company's CEO stated that it will not help Google find the vulnerabilities. He claimed that nobody except Vupen knows how they bypassed the sandbox of Google's browser.
It appears that Google's engineers obtained information from some source about the use of a Flash security hole in Vupen's attack.

Related links:
Bypassing Chrome's Security Features

Fix for Access to User Data on Facebook

ID: IRCNE2011051110

Facebook has fixed a security hole that allowed advertising groups and other companies to inadvertently gain access to user accounts through tokens that act as "spare keys". The problem was disclosed by Symantec on Tuesday.
A senior software engineer at Symantec stated that the issue was reported to Facebook and that the company confirmed it. According to him, Facebook has made changes that prevent these tokens from leaking.
The Symantec engineer also stated that, as of April 2011, an estimated one hundred thousand applications were enabling this token leak. According to him, it is also estimated that over the past years hundreds of thousands of applications inadvertently leaked millions of access tokens to third parties.
A Facebook spokesman stated that the company has seen no evidence that users' private information was shared with others, and that contractual obligations prohibit advertising companies and other developers from obtaining or sharing user information.
These tokens allow applications to perform certain actions on behalf of the user or to access the user's profile. Most tokens expire after a short time, but an application can request offline access tokens, which let it keep its access until the user changes their password.
The leak occurred when an application used an old Facebook programming interface instead of the OAuth 2.0 data-sharing protocol. If certain parameters were used in the code, the tokens were sent in a URL to the application host, and from there could leak to advertising companies and analytics platforms through iFrame applications present on the page.
According to the Symantec engineer, there is no good way to estimate the number of access tokens leaked since Facebook applications launched in 2007. Some of these tokens may still exist in the log files of third parties' servers or be actively in use by advertising companies.
Facebook users can change their passwords to invalidate these access tokens.

Chrome Vulnerability Denied

ID: IRCNE2011051111
Date: 2011-05-12

According to "Computerworld", several Google security engineers have countered claims that a French security company found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser. Those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year.
"As usual, security journalists don't bother to fact check," said a Google security engineer, in a tweet earlier today. "Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug."
But a Google spokesman said today that the investigation is ongoing because Vupen is not sharing any details with Google.
When asked to confirm the source of the vulnerabilities it exploited, Vupen was blunt in its refusal to share any information.
"We will not help Google in finding the vulnerabilities," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions. "Nobody knows how we bypassed Google Chrome's sandbox except us."
While the Google engineers seemed to acknowledge that a bug in Flash was involved in Vupen's exploit, they also defended the sandbox technology -- meant to isolate Flash from the rest of the computer -- even as it apparently failed to prevent an attack.

Related Links:
Demo Attack on Chrome

Third-Party Access to User Accounts on Facebook Disabled

ID: IRCNE2011051110
Date: 2011-05-12

“CNET” reports that Facebook has plugged a hole that was inadvertently providing advertisers and other third parties access to user accounts via tokens that serve as "spare keys". The problem was disclosed by Symantec on Tuesday.
"Facebook was notified of this issue and has confirmed this leakage," a senior software engineer at Symantec wrote in a blog post. "Facebook notified us of changes on their end to prevent these tokens from getting leaked."
"We estimate that as of April 2011 close to 100,000 applications were enabling this leakage," he wrote. "We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."
A Facebook spokesperson said that the company could not find any evidence that private user information was being shared with unauthorized third parties. He insisted that contractual obligations prohibit advertisers and developers from obtaining or sharing user information in a way that violates the site's policies.
These tokens allow applications to perform certain actions on behalf of the user or to access the user's profile. Most tokens expire after a short time, but the application can request offline access tokens, which allow them access until the user changes the password.
The leak was happening when an application used a legacy Facebook application programming interface with older authentication schemes, instead of the new OAuth 2.0 data sharing protocol, he said. If certain parameters were used in the coding, the tokens would be sent in a URL to the application host, and from there could be leaked to advertisers and analytic platforms via iFrame applications embedded in the page, he said.
"There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007," he wrote. "We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers."
Facebook users can change their passwords to invalidate any leaked access tokens.
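The leak mechanism in this item (and in the shorter Persian-language version above) is that a legacy API returned the access token inside the URL of the application page, so any third-party iFrame on that page received that URL in the HTTP Referer header and the token ended up in advertisers' server logs. The following Python script is an added example, not code from the IRCNE digest, Symantec or Facebook: it shows a defender's check that a third party (or the application host itself) can run over its own access logs to find requests and Referer values carrying bearer tokens, and a redaction helper that strips such values from URLs before they are logged or forwarded. The log format, the list of sensitive query keys and the sample log lines are all constructed for the illustration.

```python
"""Detect and redact OAuth access tokens that leak through URLs.

Added example (not from the IRCNE digest, Symantec or Facebook).  The leak
described in the article happened when a legacy Facebook API placed the
access token in the URL of the application page; third-party iFrames on
that page then received the URL in the HTTP Referer header.  The log
format, parameter names and sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string keys that carry bearer credentials (assumed list; extend it
# for the token parameter names your own applications use).
SENSITIVE_KEYS = {"access_token", "token", "oauth_token"}

# Constructed Combined-Log-Format lines, as a third-party ad or analytics
# server embedded via iFrame would record them.  Line 1 leaks a token via
# the Referer, line 2 is clean, line 3 carries a token in its own path.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://apps.example.com/game/?access_token=CONSTRUCTED_TOKEN_1&expires=0" "Mozilla/5.0"
203.0.113.6 - - [10/May/2011:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://apps.example.com/game/?user=42" "Mozilla/5.0"
203.0.113.7 - - [10/May/2011:12:00:03 +0000] "GET /track?access_token=CONSTRUCTED_TOKEN_2 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def sensitive_params(url):
    """Return the sensitive query keys present in a URL (empty list if none)."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_KEYS]


def redact_url(url):
    """Replace the values of sensitive query parameters with 'REDACTED'.

    Other parameters, the path and the host are kept, so the redacted URL is
    still useful for investigation without re-leaking the credential.
    """
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def find_token_leaks(log_text):
    """Scan log lines; report each one whose request path or Referer carries a token.

    Returns a list of dicts with the line number, where the token appeared
    ('referer' or 'path') and the redacted URL, so findings can be stored
    without copying the token into yet another log.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined-Log-Format line; skip rather than guess
        for where in ("referer", "path"):
            url = m.group(where)
            if url != "-" and sensitive_params(url):
                findings.append({"line": lineno, "where": where,
                                 "redacted": redact_url(url)})
    return findings


if __name__ == "__main__":
    for finding in find_token_leaks(SAMPLE_LOG):
        print(finding)
```

Running the script over the constructed log reports two leaks, the Referer on line 1 and the request path on line 3, each with the token value replaced. The same `redact_url` helper is what an application host would apply to the URL before handing it to any logging or analytics code, which is the defensive counterpart of the fix the article says Facebook made on its side.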

May 2011 Patch Tuesday

ID: IRCNE2011051109
Date: 21/2/90

Microsoft has released one of its lightest periodic updates. It fixes one critical security hole in Windows and two less serious security holes in Office.
Security bulletin MS11-035 fixes a critical vulnerability in the Windows Internet Name Service (WINS) that allows an attacker to execute code remotely if a user receives malware on a system running WINS. This bulletin affects Windows 2003 and 2008.
Note that WINS is not installed on Windows by default, so only users who have installed the software manually are at risk.
According to a director at the security company nCircle, Microsoft has merely downplayed the risk of this vulnerability, and it can still be used for remote code execution. He also said that many large companies use WINS, which means those companies' internal networks remain vulnerable.
The second security bulletin, MS11-036, fixes two vulnerabilities in PowerPoint that lead to arbitrary code execution if the user opens a malicious PowerPoint file. These vulnerabilities affect Office XP, Office 2003, Office 2007, and Office 2004 and 2008 for Mac.
Last month, Microsoft fixed 64 vulnerabilities in 17 security bulletins.

Microsoft's Patch Tuesday, May 2011

ID: IRCNE2011051109
Date: 2011-05-11

Microsoft fixed a critical hole in Windows and two less serious holes in Office in one of the lightest Patch Tuesdays in recent history.
The critical bulletin, MS11-035, fixes a vulnerability in the Windows Internet Name Service (WINS) that "could allow remote code execution if a user received specially crafted malware on an affected system running the WINS service," according to the bulletin advisory. It affects Windows Server 2003 and 2008.
WINS is not installed on the affected operating system software by default, so only customers who manually install it are affected and will be offered the update, Microsoft said.
"Microsoft is downplaying the bug, but there is potential here for remote code execution," and thus total control of the computer, said Andrew Storms, director of security operations at nCircle. "WINS is a network-aware application that does not require authentication, and many enterprises require WINS on their networks. Taken together, these factors mean that a lot of enterprises will find their internal network servers vulnerable to a remote code bug. Initially, most attackers will probably only trigger a DoS (denial-of-service) event, but finding the remote code exploit won't be far behind."
The second bulletin, MS11-036, fixes two vulnerabilities in Microsoft PowerPoint that could allow remote code execution if a user opens a malicious PowerPoint file. The vulnerabilities affect Office XP, Office 2003, Office 2007, Office 2004 for Mac, and Office 2008 for Mac.
Microsoft also changed its Exploitability Index, the guide it uses to tell customers how likely a vulnerability is to be exploited. The company will now publish two ratings per vulnerability: one for the most recent platform and a second aggregate rating for all older versions of the software.
Patch Tuesday has been fairly hectic recently, including last month when 17 bulletins were released to fix 64 vulnerabilities.
