Companies working on a fix can now apply for a 14-day grace period after 90-day disclosure deadline
The whole fracas over Google Project Zero team’s disclosure of three Windows zero-day bugs before Microsoft could fix them may now be old news, but it seems to have done enough to get the former to revisit its bug disclosure policy. Google’s bug hunters took to the official Project Zero blog on Friday to announce a number of key changes to their disclosure policy.
Hackers have a new security hole to go phishing in
If you use Internet Explorer 11, be aware that researchers have discovered a zero-day vulnerability that could allow attackers to change content on domains remotely. The exploit could also allow hackers to inject malicious content in browsers, steal personal data, and track your online movements. That's the bad news. And the good? You're unlikely to fall prey to such an attack, according to Microsoft.
Will Microsoft ever bother to squash this security bug?
There's a zero-day security flaw in Internet Explorer that's been known for at least the last 7 months, yet Microsoft still hasn't released a patch. Perhaps it never will -- after all, IE8 is the last version of Microsoft's browser to support Windows XP, which itself is now an unsupported operating system. Alternatively, Microsoft might just be having a really tough time with this one -- the Redmond outfit doesn't have a whole lot to say on the matter.
Windows XP support is entering its final stages. This coming Tuesday will see the release of some of the last security patches for the operating system which, despite its advanced age, still commands a sizable share of the PC market and simply refuses to die.
Latest security bulletin addresses three vulnerabilities
February is proving to be a very busy month for those charged with the unenviable task of plugging Flash Player holes at Adobe. The Adobe Product Security Incident Response Team (PSIRT) on Tuesday announced the availability of new security updates for the Flash Player. This is the third time this month that the company has had to release security updates for the ubiquitous plugin.
Microsoft Security Essentials has done it again. For the second time since its inception, the free antivirus software from Microsoft finds itself without German security and antivirus research outfit AV-TEST’s seal of approval, having failed in the latest of the firm’s bimonthly certification tests.
Russian security firm Group-IB claims to have uncovered a critical Adobe Reader vulnerability that is currently being exploited in the wild by attackers in order to circumvent the ubiquitous PDF viewer’s sandbox, a security feature Adobe first introduced as part of Reader X nearly two years ago. Even though this zero-day vulnerability is said to have a few “limitations”, they don’t seem to be crippling enough to stop it from being sold on the black market for anywhere between $30,000 and $50,000.
Friday saw the release of a critical out-of-band patch for Internet Explorer from Microsoft. The security update (MS12-063) addresses as many as five vulnerabilities, but none more important than the critical zero-day bug (CVE-2012-4969) that was made public by French researchers earlier this week, and one which even prompted Germany’s Federal Office for Information Security (BSI) to issue an advisory requesting German citizens to stay away from IE. The Redmond-based company has also released a security update for Adobe Flash in IE 10.