Security Advisor

Did a MS Partner Publically Leak a Windows Flaw?

Microsoft released a fix for Windows last week that took care of a Remote Desktop Protocol issue.

Two days later a proof-of-concept (POC) code hits online that could allow hackers to exploit this flaw for those who didn't yet apply the patch.  While hackers coming together quickly to release an attack vector doesn't seem out of the ordinary, what was hidden in the POC was: data from an executable code created by Microsoft and sent to its partners for antivirus update purposes.

Sounds like someone forwarded a Microsoft e-mail that they shouldn't have. That's what the original security researcher that discovered the flaw thinks. And so does Microsoft, who is following the clues to the source.

"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," said the company in a blog post.

The problem is that with the multiple partners and security software vendors who have had their hands on Microsoft's executable code, I honestly think that finding the source of the leak will be harder than completely curing Windows of all future remote code execution flaws.

I do have a feeling that security software company Symantec is crossing its fingers that the info didn't come from someone on its side. That company has already had its fill of bad PR concerning leaked code this year.  And it's only March. 

App Makers Taken to Court
A class-action lawsuit in Texas is taking some big-time app makers – including Facebook, Yelp, Apple and Twitter -- to court on the grounds that their mobile entries are stealing your data and selling it to the highest bidder.

The suit argues that the app makers are sidestepping companies like Amazon's and Google's privacy policies, and taking personal information without telling the user that they are taking it. Because, according to mobile app distributers, it's only stealing if you aren't notified of the theft ahead of time.

What's interesting is that there's an actual monetary value to your stolen personal information, which includes contact info, birthdays, user names and e-mail accounts. The suit said these developers could sell your info at 60 cents per user.  That's less than a candy bar!

We'll see how far this suit actually gets in the court system. A similar case was filed against Apple in California last year and was immediately thrown out after there was no direct correlation between the stolen data and actual harm to users.

I guess sifting through an inbox full of junk mail and screening calls from salespeople who purchased your information doesn't constitute as harm.

Best Practices for Securing Web Applications
MCP's sister site VirtualizationReview.com has a nice feature from guest writer Peter Silva of the Web app firm F5 Systems.

In it he runs down why your company needs to protect from application breeches. Guess what, the reason is it costs a lot of money when your infrastructure is invaded.

Check out all of Peter's thoughts on the issue here.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Exchange Server June Cumulative Updates Arrive, but with Red Tape

    Microsoft released its quarterly cumulative updates (CUs) for Exchange Server 2013, 2016 and 2019 products this week, but added an extra step for IT pros to consider before installing them.

  • Moving an Old VM to a New Hyper-V Host

    So you want to know whether a Hyper-V virtual machine built on a legacy host will be supported by a newer server? There's a PowerShell command for that.

  • AI-Driven Solution Tracks Packets Through the Datacenter

    Datacenter solutions vendor Kaloom this week unveiled a new offering the company says will enable the development of "self-driving" datacenter networks.

  • Microsoft Previews Azure Bastion Service for Private VM Access

    Microsoft on Tuesday announced a preview of the Azure Bastion service, which lets a user connect to an Azure virtual machine (VM) using a private Internet connection.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.