Microsoft Flaw Details Possibly Leaked by Partner
Plus: App makers go in front of the judge, Web app security guidelines.
Microsoft released a fix for Windows last week that took care of a Remote Desktop Protocol issue.
Two days later a proof-of-concept (POC) code hits online that could allow hackers to exploit this flaw for those who didn't yet apply the patch. While hackers coming together quickly to release an attack vector doesn't seem out of the ordinary, what was hidden in the POC was: data from an executable code created by Microsoft and sent to its partners for antivirus update purposes.
Sounds like someone forwarded a Microsoft e-mail that they shouldn't have. That's what the original security researcher that discovered the flaw thinks. And so does Microsoft, who is following the clues to the source.
"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," said the company in a blog post.
The problem is that with the multiple partners and security software vendors who have had their hands on Microsoft's executable code, I honestly think that finding the source of the leak will be harder than completely curing Windows of all future remote code execution flaws.
I do have a feeling that security software company Symantec is crossing its fingers that the info didn't come from someone on its side. That company has already had its fill of bad PR concerning leaked code this year. And it's only March.
App Makers Taken to Court
A class-action lawsuit in Texas is taking some big-time app makers – including Facebook, Yelp, Apple and Twitter -- to court on the grounds that their mobile entries are stealing your data and selling it to the highest bidder.
The suit argues that the app makers are sidestepping companies like Amazon's and Google's privacy policies, and taking personal information without telling the user that they are taking it. Because, according to mobile app distributers, it's only stealing if you aren't notified of the theft ahead of time.
What's interesting is that there's an actual monetary value to your stolen personal information, which includes contact info, birthdays, user names and e-mail accounts. The suit said these developers could sell your info at 60 cents per user. That's less than a candy bar!
We'll see how far this suit actually gets in the court system. A similar case was filed against Apple in California last year and was immediately thrown out after there was no direct correlation between the stolen data and actual harm to users.
I guess sifting through an inbox full of junk mail and screening calls from salespeople who purchased your information doesn't constitute as harm.
Best Practices for Securing Web Applications
MCP's sister site VirtualizationReview.com has a nice feature from guest writer Peter Silva of the Web app firm F5 Systems.
In it he runs down why your company needs to protect from application breeches. Guess what, the reason is it costs a lot of money when your infrastructure is invaded.
Check out all of Peter's thoughts on the issue here.