Two Google employees earned the distinction of receiving some of the first monetary rewards (a.k.a. “bounties”) issued under the company’s newly minted bounty program. Fermín Serna, a researcher in Google’s Mountain View, California headquarters, told The Security Ledger that he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft’s Address Space Layout Randomization (or ASLR) technology. His bounty followed the first ever (officially) paid to a researcher by Microsoft: a bounty that went to Serna’s colleague, Ivan Fratic, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Fratic (@ifsecure) acknowledged the honor in a July 11 post on his Twitter account. In an e-mail exchange with The Security Ledger, Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But […]
Software
Security Lapse Has Tumblr Asking IPhone, IPad Users To Update -Now!
Tumblr, the blogging and content sharing web site issued an urgent warning to those using its mobile application for Apple iPhones and iPads to update their Tumblr application – ASAP – after it was apparently found to be transmitting user names and passwords in the clear. In a blog post on Tuesday, Derek Gottfrid, the Vice President of Product at the New York City-based firm, said that the company had issued an update to the iOS version of Tumblr’s mobile application to fix an issue that allowed Tumblr passwords to be sniffed in transit on certain versions of the iOS Tumblr application for iPhone and iPad. Gottfrid did not explain the reason for the sudden update. However, a report by the UK publication The Register claims that the rush update came after Tumblr was made aware that the iOS versions of its application was not using SSL (Secure Socket Layer) […]
Security Start-Up, University Team On Android Patch App
The saga of the application-signing flaw affecting Google’s Android mobile phones took another turn Tuesday when a Silicon Valley startup teamed with graduate students from Northeastern University in Boston to offer their own fix-it tool for hundreds of millions of Android phones that have been left without access to Google’s official patch. Duo Security announced the availability of an Android utility dubbed “ReKey” on Tuesday. The tool allows Droid users to patch the so-called “Master Key” vulnerability on Android devices, even in the absence of a security update from Android handset makers (OEMs) and carriers who distribute the phones, according to a post on the Duo Security blog. The tool can be downloaded from the site rekey.io. “ReKey is the latest of our research projects designed to make the Internet a safer place,” said Collin Mulliner, a postdoctoral researcher at NEU SecLab in a joint press release issued by NEU […]
Emergency Alert System: Vulnerable Systems Double, Despite Zombie Hoax
You’d think that the prospect of a zombie invasion would prompt our nation’s broadcasters and others who participate in the Emergency Alert System (EAS). Just the opposite is true. Months after a bogus EAS message warning about a zombie uprising startled residents in Michigan, Montana and New Mexico, the number of vulnerable EAS devices accessible from the Internet has increased, rather than decreased, according to data from the security firm IOActive. In a blog post Thursday, Mike Davis, principal research scientist at IOActive said that a scan of the public Internet for systems running versions of the Monroe Electronics software found almost double the number of vulnerable systems in July – 412 – as were found in April, when an IOActive scan of the public Internet using the Shodan search engine found only 222 vulnerable systems. IOActive first notified Monroe Electronics about vulnerabilities in its DASDECS product in January of […]
Microsoft Set To Pay First Bug Bounty For IE Hole
Weeks after launching its first, formal bug bounty program, Microsoft is set to issue its first monetary reward, according to a blog post by Katie Moussouris, the Senior Security Strategist at Microsoft’s Security Response Center (MSRC). Writing on Wednesday, Moussouris said that the company has received “over a dozen” submissions since it launched the paid bounty program on June 26, and that “I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)” Last month, Microsoft announced its new policy to pay for information about serious vulnerabilities in its products. The company had long maintained that it provided other kinds of rewards for information on software holes – mostly recognition and jobs – and didn’t need to offer bounties, as firms like Google, The Mozilla Foundation and Facebook do. In launching the new […]
