Archives for July, 2010
by John Pescatore | July 29, 2010
Google and Mozilla recently announced they are increasing the “bounty” they pay to external parties who find vulnerabilities in their products to about $3,000 US. Both believe the bug bounty programs have been successful, but most major software vendors like Microsoft or Oracle or even Apple do not pay for bugs and don’t believe the practice [...]
by John Pescatore | July 27, 2010
Autofill in software is to security as Wikileaks is to secret keeping. Apple Safari browser autofill flaw info here.
by John Pescatore | July 23, 2010
Google blogged earlier this week on responsible vs. full disclosure of software vulnerabilities, suggesting that 60 days was a reasonable timeframe for allowing full disclosure if a vendor patch wasn’t available by then. Microsoft responded with a blog post on “coordinated vulnerability disclosure” that basically advocates negotiation between the vulnerability finder and the software vendor [...]
by John Pescatore | July 22, 2010
If you want to skip a few paragraphs of analogy, jump ahead to LAND HERE. Many years ago, in a land far, far away, I worked for the US Secret Service Technical Development and Planning Division. I worked mainly in surveillance systems and secure communications but one of the “other duties as assigned” was going [...]
by John Pescatore | July 21, 2010
The Windows Shell zero day vulnerability is the enabler of some very clever attack code that has been given the name Stuxnet. ESET and F-Secure have put out good details, the highlights: The code exploits the Windows Shell critical flaw to support remote execution. Stuxnet family basically has worm, bot and rootkit components. It uses [...]
by John Pescatore | July 20, 2010
This Windows flaw is serious attack-enabler – disabling .lnk icons painful/prudent. Microsoft advisory on unpatched Windows shell vulnerability and workarounds here.
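The "painful/prudent" workaround above is a registry change that Explorer has to be restarted to pick up, and it has to be undone once a patch ships. The script below is an added example, not code from the original post or from Microsoft's advisory: it applies the "disable the displaying of icons for shortcuts" workaround and, with -Restore, reverts it from a backup it wrote. The two IconHandler keys (lnkfile and piffile), deleting their (default) values and restarting explorer.exe are the workaround as I recall it from the advisory; verify the key paths against the advisory text before use. The backup file location and the Clixml format are my own choices.

```powershell
<#
  Added example (not from the original post or the advisory): apply or revert
  the shortcut-icon workaround for the unpatched Windows Shell .lnk flaw.
  Run from an elevated PowerShell prompt. Re-run with -Restore after patching.
#>
[CmdletBinding()]
param(
    [switch]$Restore,
    # Assumption: backup location is my own choice, not from the advisory.
    [string]$BackupFile = (Join-Path $env:ProgramData 'shellex-iconhandler-backup.xml')
)

# Shell extension keys whose (default) value names the icon handler CLSID.
# HKCR is not a drive in PowerShell by default, so address it via Registry::.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Restart-Explorer {
    # Explorer only rereads the shell extension table on start; this is the
    # advisory's "restart explorer.exe" step. The session normally respawns
    # it, but start it explicitly if that has not happened.
    Get-Process -Name explorer -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        Start-Process explorer.exe
    }
}

if ($Restore) {
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; nothing to restore." }
    $saved = Import-Clixml -Path $BackupFile
    foreach ($k in $keys) {
        if ($saved.ContainsKey($k)) {
            Set-ItemProperty -Path $k -Name '(default)' -Value $saved[$k]
        }
    }
    Restart-Explorer
    Write-Host "Shortcut icon handlers restored from $BackupFile"
} else {
    $saved = @{}
    foreach ($k in $keys) {
        $v = Get-DefaultValue $k
        if ($null -ne $v) {
            $saved[$k] = $v                                  # keep the CLSID for -Restore
            Remove-ItemProperty -Path $k -Name '(default)'   # icons for .lnk/.pif stop rendering
        }
    }
    if ($saved.Count -eq 0) { throw "IconHandler (default) values not found; workaround already applied?" }
    $saved | Export-Clixml -Path $BackupFile
    Restart-Explorer
    Write-Host "Shortcut icons disabled; handler CLSIDs saved to $BackupFile. Re-run with -Restore after patching."
}
```

After applying it, every shortcut on the desktop and Start menu shows a generic white icon, which is the "painful" part; the trade is that Explorer no longer loads the handler the exploit abuses when it merely displays a malicious .lnk. Keep the backup file: the only other way back is to know the original CLSID. As I recall, the advisory also suggested disabling the WebClient service to close the WebDAV delivery path; that is a separate change and is not part of this script.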
by John Pescatore | July 16, 2010
Finally, some good news out of the BP oil spill disaster in the Gulf of Mexico – the latest attempt to plug the leak is currently holding. Of course, this is after 85 days of both oil spilling out of the damaged well and 85 days of billions of dollars flowing out of BP’s bottom [...]
by John Pescatore | July 15, 2010
Gregg Keizer of Computerworld called me for an article he was doing on this week’s end of support for Windows XP SP2. I’ve always considered that point (August 2004) as the first time that we saw external benefit from Bill Gates’ Jan 2002 email to Microsoft employees making security a top priority for Microsoft’s software [...]
by John Pescatore | July 13, 2010
Fuzzing software was a bear, fuzz-friendly software easier to bear, izzn’t it? (Blog post by Adam Shostack of Microsoft here on making software easier to fuzz test)
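One concrete thing "fuzz-friendly" means in practice is that integrity checks sitting in front of a parser can be switched off for testing: otherwise nearly every mutated input dies at the checksum and the parsing logic behind it is never exercised. The block below is an added example, not code from the original post or from the linked Shostack article, and the "make the checksum switchable" point is my reading of fuzz-friendly design rather than a quote from it. The record format, the parser and the seed inputs are constructed for the example; the fuzzer tallies how deep each mutated input gets with the checksum enforced versus bypassed.

```python
import random
import zlib
from collections import Counter


class ParseError(ValueError):
    """Rejection by the parser; `stage` names the check that fired."""

    def __init__(self, stage, message):
        super().__init__(message)
        self.stage = stage


def crc_trailer(body):
    # Constructed format: body followed by a big-endian CRC32 of the body.
    return body + (zlib.crc32(body) & 0xFFFFFFFF).to_bytes(4, "big")


def parse_record(data, check_crc=True):
    """Parse a constructed record: b"FZ" | count | count x (type, length, payload) | CRC32.
    check_crc is the fuzz-friendly hook: with it on, a mutated input almost never
    reaches any of the logic below the checksum comparison."""
    if len(data) < 7:
        raise ParseError("short", "record shorter than header plus trailer")
    body, trailer = data[:-4], data[-4:]
    if check_crc and (zlib.crc32(body) & 0xFFFFFFFF) != int.from_bytes(trailer, "big"):
        raise ParseError("crc", "checksum mismatch")
    if body[:2] != b"FZ":
        raise ParseError("magic", "bad magic")
    count, pos, entries = body[2], 3, []
    for _ in range(count):
        if pos + 2 > len(body):
            raise ParseError("truncated", "entry header past end of body")
        kind, length = body[pos], body[pos + 1]
        pos += 2
        if pos + length > len(body):
            raise ParseError("truncated", "entry payload past end of body")
        entries.append((kind, body[pos:pos + length]))
        pos += length
    return entries


def mutate(data, rng):
    """One random byte-level edit; every branch changes the input."""
    op = rng.randrange(3)
    i = rng.randrange(len(data))
    if op == 0:  # flip some bits of one byte (never a no-op: xor with 1..255)
        return data[:i] + bytes([data[i] ^ rng.randrange(1, 256)]) + data[i + 1:]
    if op == 1:  # delete one byte
        return data[:i] + data[i + 1:]
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]  # insert one byte


def run_fuzz(check_crc, iterations=300, seed=7):
    """Mutate constructed seed records and tally how far each input got.
    'crash' counts exceptions that are not the parser's own ParseError; those
    would be the findings a fuzz run is after (this parser has none)."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    seeds = [  # constructed, valid records
        crc_trailer(b"FZ\x02" + b"\x01\x02hi" + b"\x02\x01x"),
        crc_trailer(b"FZ\x01" + b"\x07\x04abcd"),
    ]
    outcomes = Counter()
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            parse_record(sample, check_crc=check_crc)
            outcomes["complete"] += 1
        except ParseError as e:
            outcomes[e.stage] += 1
        except Exception:
            outcomes["crash"] += 1
    return outcomes


if __name__ == "__main__":
    print("checksum enforced:", dict(run_fuzz(check_crc=True)))
    print("checksum bypassed:", dict(run_fuzz(check_crc=False)))
```

With the checksum enforced, every one of the 300 mutants is rejected at the "crc" stage (a single-byte change can only pass CRC32 by a roughly one-in-four-billion collision), so the magic, count and length checks are never tested. With it bypassed, the same mutants spread across the magic, truncation and successful-parse paths, which is where parsing bugs live. The switch belongs in the parser's API, not in a patched test build, so the fuzz target and the shipping code are the same code.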
by John Pescatore | July 12, 2010
I’ve frequently bashed Facebook for poor security and privacy practices, so it was good to see reports on major changes in Facebook’s disclosure requirements for applications. As MSNBC notes here, just like calorie counts on food, requiring disclosure of information access at least allows motivated consumers to make better decisions. So, kudos for this step [...]
Category: Security