“Responsible” Vulnerability Disclosure

The recent dispute between Microsoft and Google over Google’s strict adherence to its 90-day vulnerability disclosure deadline has brought back into the open a debate that has been running for several years.

Responsible disclosure remains a problem that has yet to be resolved in a way both sides can agree on. On one side are the researchers who discover vulnerabilities in software that criminals can exploit against unwitting and innocent users; on the other are the companies that make the software and are responsible for patching those vulnerabilities.

The question is not who is right, for that depends upon which side you’re on.

The researchers are right to be concerned about a vulnerability they know exists and which could put those who don’t know about it at risk. Their view is that if a security researcher could find the bug, then criminals, who actively hunt for such bugs in order to exploit them, could find it too and use it for nefarious ends.

The software developers are right to be concerned about a vulnerability becoming public before they have been able to provide a patch. Their view is that disclosing an exploitable security vulnerability, complete with exploit code, before a patch exists is irresponsible because it essentially invites criminals to exploit it.

The debate rages online at TechRepublic.com.

Google and Microsoft Miscommunication?

Google’s Project Zero published details of a vulnerability in Windows 8.1 when its 90-day deadline expired before Microsoft had shipped a fix. Once a vulnerability is public knowledge, it can be abused by attackers. Microsoft criticized Google for publicizing the flaw too early, saying the company had put Windows customers at risk.

According to Microsoft, it had specifically asked Google to withhold details of the flaw until January 13, Patch Tuesday, when the fix would be released. Microsoft patched, in MS15-001 and MS15-003, two Windows vulnerabilities that Google had disclosed.

Holding to its 90-day policy, Google disclosed two more vulnerabilities after last Tuesday’s patches were released. One of them does not appear to be a security issue. The next Patch Tuesday is scheduled for February 10, when presumably the more serious of the two will be patched.

Secret Keys Stashed in Google Play Apps

Researchers at Columbia University have found that many Android app developers embed secret authentication keys in their apps’ code. Because that code ships to every user, anyone who decompiles the app can recover the keys and use them to access the developers’ private cloud accounts or social media profiles.
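The kind of check that catches these keys before an app ships is a scanner over the (decompiled) source. The following is an added example written for this item, not code from the Columbia study: it combines a known-format rule (AWS access key IDs start with AKIA) with a generic rule that flags string literals assigned to secret-looking variable names, grading each by length and Shannon entropy. The Java sample it scans is constructed for the example; the AWS values in it are Amazon’s documentation placeholders, not live credentials.

```python
"""Hard-coded secret scanner for (decompiled) Android/Java source.

Added example for this newsletter item; not the Columbia researchers' tool.
"""
from collections import Counter
import math
import re

# Constructed sample of decompiled Java, modelled on the pattern described above.
# The AWS_KEY / AWS_SECRET values are Amazon's documentation placeholders.
SAMPLE_SOURCE = """
public class CloudUploader {
    private static final String BUCKET = "user-photos";
    private static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    private static final String DB_PASSWORD = "hunter2";
    private static final String TWITTER_SECRET = "";
    private static final String TAG = "CloudUploader";
    private static final String FLAG = "1111111111111111111111111111111111111111";
}
"""

# Known-format rule: AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Generic rule: a string literal assigned to a variable whose name suggests a credential.
STRING_ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
SECRET_NAME = re.compile(r"key|secret|token|passw|pwd|credential", re.IGNORECASE)
MIN_LEN = 16          # below this a literal is probably a label, not a key
MIN_ENTROPY = 3.5     # bits per character; real keys are typically above this


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Report only a prefix so the scanner's own output does not leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "***"


def scan(source: str) -> list:
    """Return one finding per suspicious line: line number, kind, name, entropy, confidence."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = AWS_ACCESS_KEY_ID.search(line)
        if m:
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "name": None, "value": redact(m.group(1)),
                             "entropy": round(shannon_entropy(m.group(1)), 2),
                             "confidence": "high"})
            continue
        m = STRING_ASSIGNMENT.search(line)
        if not m:
            continue
        name, value = m.groups()
        # An empty literal is a placeholder, and a non-secret name is not worth reporting.
        if not value or not SECRET_NAME.search(name):
            continue
        entropy = shannon_entropy(value)
        strong = len(value) >= MIN_LEN and entropy >= MIN_ENTROPY
        findings.append({"line": lineno, "kind": "secret_literal", "name": name,
                         "value": redact(value), "entropy": round(entropy, 2),
                         "confidence": "high" if strong else "low"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['name'] or ''} "
              f"value={f['value']} entropy={f['entropy']} ({f['confidence']})")
```

On the sample this reports AWS_KEY (by format), AWS_SECRET (secret-like name, long, high entropy) and DB_PASSWORD (secret-like name but short, so low confidence), and stays quiet on the bucket name, the log tag, the empty placeholder and the long but zero-entropy flag. The remediation the finding points at is architectural: the app should call the developer’s own backend, which holds the cloud credentials and issues short-lived, per-user tokens, so that nothing recoverable from the APK grants access to the developer’s account.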

Read the story in the news.

Google Safety Center

Whether for work, school or personal use, you may be using Google’s products in one form or another, including an Android device, Gmail, Chrome, Google Docs or other applications. Google is committed to keeping the web safe for everyone and understands that it is a shared responsibility. They have put together a website to help you learn what you can do to protect yourself and your family online.

Topics include securing your password, managing your Google account, checking settings, and more to help you to stay secure and private when online. They also show ways to keep the bad guys out of your stuff.

There is a wealth of information in the Google Safety Center, so it is well worthwhile checking out.

Is Your Site Hacked?

Google has launched a website, “Help for Hacked Sites”, with information to help webmasters whose sites have been hacked. The site offers a series of articles and videos to help website owners regain control of their sites and tighten their security.

Some preventive steps include keeping the site’s software updated and understanding the security practices of every application, plug-in and third-party component before you use it with your site.

Your Google Account May Be Under Attack

Google is warning users when it believes state-sponsored attackers are trying to compromise their account or computer. Last week the company began inserting a message at the top of affected users’ Gmail inboxes with the warning: “We believe state-sponsored attackers may be attempting to compromise your account or computer.”

If you see this message, change your password and, if possible, enable two-factor authentication on your Google account (Google calls this 2-step verification). This combines something you know (your password) with something only you have (a unique code sent by text to your mobile device at the moment you sign in). You can choose to have the code sent every time or only when signing in from a new device.

Read the story in the news.

FTC’s Settlement With Google

Last week Google agreed to pay a $22.5 million civil penalty, the largest the FTC has ever obtained from a single defendant. According to the FTC, Google violated a 2011 order by representing to certain users that it would not place tracking cookies or serve targeted ads based on those cookies. Despite those representations, the FTC charged, some users, specifically those using the Safari browser, did get tracking cookies and targeted ads.

Safari’s default setting blocks third-party cookies, which is what lets its users opt out of this kind of targeted advertising, but Safari makes a narrow exception so that a form can be submitted to a third party. Google took advantage of that exception: when a Safari user visited a Google site or a site within Google’s ad network, Google used code to tell the browser that the person was submitting information through a form. That “tricked” Safari into allowing Google to place a temporary cookie used for targeted ads.

More details on this case can be found at ftc.gov.