Security Advisor

Did a MS Partner Publically Leak a Windows Flaw?

Microsoft released a fix for Windows last week that took care of a Remote Desktop Protocol issue.

Two days later a proof-of-concept (POC) code hits online that could allow hackers to exploit this flaw for those who didn't yet apply the patch.  While hackers coming together quickly to release an attack vector doesn't seem out of the ordinary, what was hidden in the POC was: data from an executable code created by Microsoft and sent to its partners for antivirus update purposes.

Sounds like someone forwarded a Microsoft e-mail that they shouldn't have. That's what the original security researcher that discovered the flaw thinks. And so does Microsoft, who is following the clues to the source.

"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," said the company in a blog post.

The problem is that with the multiple partners and security software vendors who have had their hands on Microsoft's executable code, I honestly think that finding the source of the leak will be harder than completely curing Windows of all future remote code execution flaws.

I do have a feeling that security software company Symantec is crossing its fingers that the info didn't come from someone on its side. That company has already had its fill of bad PR concerning leaked code this year.  And it's only March. 

App Makers Taken to Court
A class-action lawsuit in Texas is taking some big-time app makers – including Facebook, Yelp, Apple and Twitter -- to court on the grounds that their mobile entries are stealing your data and selling it to the highest bidder.

The suit argues that the app makers are sidestepping companies like Amazon's and Google's privacy policies, and taking personal information without telling the user that they are taking it. Because, according to mobile app distributers, it's only stealing if you aren't notified of the theft ahead of time.

What's interesting is that there's an actual monetary value to your stolen personal information, which includes contact info, birthdays, user names and e-mail accounts. The suit said these developers could sell your info at 60 cents per user.  That's less than a candy bar!

We'll see how far this suit actually gets in the court system. A similar case was filed against Apple in California last year and was immediately thrown out after there was no direct correlation between the stolen data and actual harm to users.

I guess sifting through an inbox full of junk mail and screening calls from salespeople who purchased your information doesn't constitute as harm.

Best Practices for Securing Web Applications
MCP's sister site has a nice feature from guest writer Peter Silva of the Web app firm F5 Systems.

In it he runs down why your company needs to protect from application breeches. Guess what, the reason is it costs a lot of money when your infrastructure is invaded.

Check out all of Peter's thoughts on the issue here.

About the Author

Chris Paoli is the site producer for and


  • Spaceflight Training in the Middle of a Pandemic

    Surprisingly, the worldwide COVID-19 lockdown has hardly slowed down the space training process for Brien. In fact, it has accelerated it.

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.