Security News

It’s No ‘Giggle’: Managing Expectations for Vulnerability Disclosure
2020-09-11 19:18

"Facebook's VDP addresses vulnerabilities of third parties, which helps to normalize vulnerability disclosure," security researcher and bug-hunter Mike Takahashi told Threatpost. While the VDP moves are net positives for cybersecurity, the juxtaposition of the VDP rollouts with the Giggle issue shows that VDPs aren't simply a blanket golden ticket to a harmonious vendor-researcher relationship, researchers noted.

Vulnerability Disclosure: Ethical Hackers Seek Best Practices
2020-09-04 16:55

The process of vulnerability disclosure has improved over the years, but too many security researchers still face legal threats when trying to report bugs. Disclosure policies that give ethical hackers clear guidelines vary widely from vendor to vendor and are seldom followed consistently, which adds to the friction between researchers and vendors.

Facebook Debuts Third-Party Vulnerability Disclosure Policy
2020-09-04 16:12

Facebook this week implemented a new security vulnerability disclosure policy that explains how it decides when, and in how much detail, to publish information on bugs its team finds in third-party software and open-source projects. If Facebook determines that disclosing a vulnerability sooner "serves to benefit the public or the potentially impacted people," it may disclose ahead of its normal timeline, for instance when a bug is being actively exploited in the wild.

Facebook Announces Vulnerability Reporting and Disclosure Policy
2020-09-04 09:38

Facebook is giving third-party application developers three weeks to respond to vulnerability reports and three months to patch bugs before public disclosure. As part of the responsible disclosure process, Facebook will make a reasonable effort to contact the impacted third party and will provide it with the information required to understand the reported problem.

U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021
2020-09-02 21:01

The U.S. government's cybersecurity agency is now requiring federal agencies to implement vulnerability-disclosure policies by next March, giving ethical hackers clear guidelines for submitting bugs found in government systems. Most agencies currently publish no such policy; the new directive from the Cybersecurity and Infrastructure Security Agency requires each agency to publish one with detailed descriptions of which systems are in scope, the types of testing that are allowed, and how ethical hackers can submit vulnerability reports.

Google Patches Email Spoofing Vulnerability After Public Disclosure
2020-08-20 18:35

Google released a patch for an email spoofing vulnerability affecting Gmail and G Suite seven hours after it was publicly disclosed, but the tech giant had known about the flaw since April. "I chose to send to another G Suite account to demonstrate that Google's strong mail filtering and anti-spam techniques do not block or detect this attack," the researcher explained.

Vulnerability in IBM Db2 Leads to Information Disclosure, Denial of Service
2020-08-20 14:43

A shared memory vulnerability that IBM addressed in its Db2 data management products could allow malicious local users to access sensitive data. Trustwave, which identified the vulnerability and reported it to IBM, says the issue exists because the developers did not set explicit access permissions on the shared memory segment used by the Db2 trace facility, leaving it readable by any local user on the system.
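The bug class described above is easy to reproduce and easy to audit for. The following is an added example written for this page, not IBM's or Trustwave's code: it creates a System V shared memory segment the permissive way and the restricted way, and runs the same mode check that `ipcs -m` lets you do by hand. The segment size, the "trace" naming and the helper functions are assumptions for illustration.

```c
/* Added illustration of the bug class above, not Db2's own code.
 * Segment size, naming and helper names are assumptions. */
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

#define TRACE_SEG_SIZE 4096  /* assumed size for the illustrative "trace" segment */

/* Create a private System V segment with the given permission bits.
 * System V IPC does not apply the process umask, so whatever mode is
 * requested here is exactly what the kernel stores for the segment. */
static int create_segment(int mode)
{
    return shmget(IPC_PRIVATE, TRACE_SEG_SIZE, IPC_CREAT | IPC_EXCL | mode);
}

/* Vulnerable pattern: a "trace" segment every local user can shmat() and read. */
int create_trace_segment_permissive(void)
{
    return create_segment(0666);
}

/* Hardened pattern: explicit owner-only access. Other users get EACCES on shmat(). */
int create_trace_segment_restricted(void)
{
    return create_segment(0600);
}

/* Audit check: is the segment readable or writable by "other"?
 * Returns 1 if so, 0 if not, -1 if the segment cannot be inspected. */
int segment_world_accessible(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return (ds.shm_perm.mode & (S_IROTH | S_IWOTH)) ? 1 : 0;
}

/* Mark the segment for removal; it is freed once the last attachment is gone. */
int destroy_segment(int shmid)
{
    return shmctl(shmid, IPC_RMID, NULL);
}

int main(void)
{
    int weak = create_trace_segment_permissive();
    int strong = create_trace_segment_restricted();
    if (weak == -1 || strong == -1) {
        perror("shmget");
        return 1;
    }
    printf("permissive segment %d world-accessible: %d\n",
           weak, segment_world_accessible(weak));
    printf("restricted segment %d world-accessible: %d\n",
           strong, segment_world_accessible(strong));
    destroy_segment(weak);
    destroy_segment(strong);
    return 0;
}
```

On a live host the same check is `ipcs -m`: any segment whose mode column grants read to "other" is exposed to every local account, which is exactly the situation a trace buffer holding query text or credentials must never be in.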

Actively Exploited Windows Spoofing Flaw Patched Two Years After Disclosure
2020-08-17 18:22

The actively exploited Windows spoofing vulnerability patched last week by Microsoft has been known for more than two years, researchers pointed out. Microsoft's August 2020 Patch Tuesday updates addressed 120 vulnerabilities, including an Internet Explorer zero-day that has been chained with a Windows flaw in attacks linked to the threat actor named DarkHotel, and a Windows spoofing issue tracked as CVE-2020-1464.

Chinese Drone Giant DJI Responds to Disclosure of Android App Security Issues
2020-07-24 11:56

Chinese drone giant Da Jiang Innovations on Thursday responded to the disclosure of security issues discovered by researchers in one of its Android applications. DJI has consistently denied accusations that its products send user data to China, pointing to analysis conducted by the U.S. Department of Homeland Security and Booz Allen Hamilton, which found no evidence that the company's government and professional drones send user data to DJI, China or other third parties.

Vulnerability in Cisco Firewalls Exploited Shortly After Disclosure
2020-07-24 10:25

Cisco this week informed customers that it has patched a high-severity path traversal vulnerability in its firewalls that can be exploited remotely to obtain potentially sensitive files from the targeted system. Cisco has also highlighted that exploiting the vulnerability only allows the attacker to access files on the web services file system, not ASA or FTD system files or files on the underlying operating system.