Highest number of valid bug reports came from India, followed by the U.S. and Brazil
Facebook on Friday published an update on the progress of its four-year-old bug bounty program, revealing that it paid out $1.5 million in bounties last year to take the program’s lifetime payouts beyond $2 million.
The said bug, which can be exploited using a special TrueType font, can be used to execute arbitrary code. According to Miller, Adobe first learnt of the vulnerability from Google security engineer Tavis Ormandy. "Apparently @taviso previously reported to Adobe the Reader 0-day I dropped at BH. Haha, ruined his effort at trying to be responsible," Miller quipped in a tweet on Tuesday.
Tavis Ormandy was recently in the crosshairs after he went public with a critical vulnerability in Windows' HCP protocol only a few days after notifying Microsoft about it.
Adobe is often maligned for the number of vulnerabilities in its software. Of course, one could argue that the prevalence of Adobe software has made it one of the most targeted third-party software vendors and there is little it can do to change that, but the fact is that the San Jose-based company has been leisurely in addressing security concerns.
Microsoft has no interest in joining the bug-bounty wars, according to ThreatPost.com. Mozilla recently increased the cash reward it offers to security researchers for nailing vulnerabilities in its software, only for Google to follow suit a few days later. All this was enough to fuel rumors of Microsoft, which doesn't have a bug-bounty program, finally getting sucked into the bug-bounty battle.
But such rumors have now been put to rest by MS. "We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researchers' contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update," Microsoft's Jerry Bryant told ThreatPost in an email.
The company seems satisfied with its current practice of honoring talented security researchers by enlisting their services: “We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.”
This will not go down well with a growing number of security researchers who discourage fellow researchers from making free disclosures and advocate more bug-buying programs. Don't be surprised if you witness a spike in publicly disclosed critical bugs in Microsoft software; the company, after all, openly discourages security researchers from making public disclosures.
During the Black Hat conference in Las Vegas this week, Microsoft plans to provide a progress report on the security initiatives that it launched last summer, as well as release new security tools to better equip IT professionals and security researchers.
"There's a race between attackers and defenders and if we want to win, we have to share information," said Mike Reavey, director of the Microsoft Security Response Center.
One way the software maker plans to do this is by releasing the Microsoft Office Visualization Tool, a utility which provides a graphical overview of the Office binary file format. According to Microsoft, the software will make it easier for programmers to understand how attacks target Office files, noting that most malware attacks application vulnerabilities and not the OS itself.
"In order to build protections, you have to understand how a specific file format is meant to be used, so then you can understand how it's being misused," Reavey added.
During the conference, Microsoft also plans to release Project Quant, an online information resource designed to provide organizations with a framework for evaluating the cost of patch management processes. In addition, the company plans to release the Microsoft Security Update Guide, a publication that explains the entire Microsoft update process, and to publish a report titled "Building a Safer, More Trusted Internet Through Information Sharing."
Despite recently announced delays in China's requirement to include Green Dam anti-pornography software on new PCs, the initiative is far from dead. PC makers who unanimously decried the hasty July 1st deadline managed to buy themselves an extension, but are still being told to comply with the new requirements. The Chinese Ministry of Industry and Information Technology re-affirmed its commitment to Green Dam Youth Escort on Thursday, and claims that it sees the software as an important tool for protecting young people from pornography and violence on the internet. To further reinforce its commitment to total penetration, software publisher Jinhui has been told to write a Mac OS X version of the software, and it is currently in beta testing.
Critics of the Green Dam filtering software continue to question the motivation behind the initiative, and have accused the Ministry of using the software to further political repression. This may be a valid concern when you consider that the Ministry in charge of Green Dam's implementation is also responsible for suppressing illegal political activity. The situation for the Chinese gets even worse when you consider that several industry tests have shown multiple security vulnerabilities in the filtering software, and it even appears to have a high rate of false positives in its filtering algorithm. The vulnerabilities are considered so serious, in fact, that Sony is including a disclaimer with all new PCs.
Will Linux be the only safe haven for the Chinese?
The Chinese Health Ministry has been waging a very public war against pornography lately, and although they appeared to be softening their approach, new developments on Thursday have left Google scrambling. In what some people are calling "a rigged demo", CCTV, the state-owned television monopoly, broadcast an interview demonstrating the dangers of the Google Suggested Search feature, which attempts to auto-complete simple search terms with popular related queries. At one point during the interview, when the host typed the word "son" into Google, a suggested search was returned stating, "abnormal relationship between son and mother".
Google has formally commented on the matter, and has explained that the suggested search feature is based on popularity. In their defense, Google claims that nobody had entered this phrase for several months, but the term suddenly became popular in Beijing in the days leading up to the show. Though this is hardly conclusive evidence of a conspiracy, it certainly falls into the category of "suspicious" if true. Regardless, Google claims to be working on a new system that would help it remove all traces of pornography from its Chinese database, but describes it as "a major engineering effort". "Google has been working to remove pornography from our search results in China, in accordance with our operating license there," the company said.
Google already filters a significant amount of political content from its search results, and critics fear that further censorship will only complicate the efforts of rights activists. It is also worth noting that the government agency charged with cracking down on pornography is also responsible for suppressing illegal political activity. American officials have been critical of knee-jerk restrictions on companies trying to comply with China's increasing demand for pornography censorship, and I'm sure we will hear more on this issue in the coming months.
What do you think of the ongoing developments in China?
What do Solid Oak Software's CyberSitter and China's Green Dam Youth Escort Internet filtering programs have in common? According to the BBC, the answer is CyberSitter code. The BBC reports that both Solid Oak's Brian Milburn and a report from the University of Michigan conclude that the developer of Green Dam Youth Escort, Computer System Engineering Inc, has incorporated code from CyberSitter into Green Dam without a license.
According to the China Daily, Solid Oak is sending "cease and desist" letters to HP and Dell to stop shipping computers bundled with Green Dam, and may seek legal action against the developers. The legal-technical drama is being played out against the background of China's requirement that all new systems sold as of July 1 include Green Dam, as we reported last week.
What have the developers of Green Dam done that might help fend off legal action and improve their product's security? Join us after the jump.
The Chinese government is requiring all PC makers selling into the China market to bundle Green Dam Youth Escort web filtering software as of July 1, as we reported earlier this week. This software, already widely used in China's schools and elsewhere, has plenty of flaws, BBC News reports:
Unencrypted connections between client PCs and the company's servers, which could lead to information theft or the PCs being turned into botnet nodes for malware attacks
Filtering only Internet Explorer browsers, not Firefox
Support only for Microsoft Windows
Inaccurate web site blocking (pictures of pigs blocked, but not pictures of African women)
Potential privacy risks for users because the software logs all web pages the user attempts to access
Right now, it seems as if Green Dam Youth Escort is incapable of meeting its specified goals of "healthy development of the internet" and "effectively manag[ing] harmful material for the public and prevent it from being spread," while providing a terrific opportunity for malware providers. Have you encountered similar problems with web filtering software? Join us after the jump to sound off.
June 9th saw a rare 'double-header' in security updates: Microsoft's monthly Patch Tuesday was joined by Adobe's quarterly security updates for Acrobat and Adobe Reader. How big was this month's 10-update Patch Tuesday? According to a Microsoft spokesperson quoted by Cnet, the 31 vulnerabilities covered by updates are "the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003."
Users of Windows 2000 SP4 through Windows Vista SP2 (and holdouts still running Windows 7 Beta), Microsoft Office 2000, 2003, or 2007; Microsoft Office for MacOS 2004 and 2008, Microsoft Works 8.5 and 9, and IE5.01 through IE8 users have some work to do before heading off on vacation, as do users of Adobe Reader and Acrobat 7.x, 8.x and 9.x. To find out what's being changed - and why - join us after the break.
Whether you're using Windows and IE, managing Microsoft Exchange or SQL Server at work, or using Microsoft Office, this month's Patch Tuesday has a security update for you. All four security bulletins address Remote Code Execution vulnerabilities in recent and current service packs for each product listed:
IE 7: Windows XP, Windows Vista, Windows Server 2003
Microsoft Office: Visio 2002, 2003, 2007
SQL: SQL Server 2000 Desktop Engine on Windows 2000 and Windows Server 2003; Windows Internal Database (WYukon) on Windows Server 2003 and Windows Server 2008; SQL Server 2000 and SQL Server 2005
Exchange Server: Exchange 2000 Server, Exchange Server 2003, Exchange Server 2007
But Wait, There's More!
Other updates to be released tomorrow include:
Cumulative Update for Windows Vista Media Center (KB960544)
Cumulative Update for Windows Vista Media Center TVPack (KB958653)
Upgrade Rollup for ActiveX Killbits for Windows (KB960715)
February 2009 updates for Windows Mail Junk Email Filter (KB905866) and Windows Malicious Software Removal Tool (KB890830)