Security News
Facebook this week published a new vulnerability disclosure policy that explains how it decides when and how to release details of bugs its team finds in third-party software and open-source projects. If Facebook determines that earlier disclosure "serves to benefit the public or the potentially impacted people," for instance when a bug is being actively exploited in the wild, it may disclose before the standard deadlines.
Facebook is giving third-party application developers three weeks to respond to a vulnerability report and three months to patch the bug before public disclosure. As part of the responsible disclosure process, Facebook will make a reasonable effort to contact the impacted third party and will provide it with the information required to understand the reported problem.
The U.S. government's cybersecurity agency is now requiring federal agencies to implement vulnerability disclosure policies by next March, giving ethical hackers clear guidelines for submitting bugs found in government systems. The new directive from the Cybersecurity and Infrastructure Security Agency requires agencies to publish policies that describe in detail which systems are in scope, which types of testing are allowed and how ethical hackers can submit vulnerability reports.
Google released a patch for an email spoofing vulnerability affecting Gmail and G Suite seven hours after it was publicly disclosed, but the tech giant had known about the flaw since April. "I chose to send to another G Suite account to demonstrate that Google's strong mail filtering and anti-spam techniques do not block or detect this attack," the researcher explained.
A shared memory vulnerability that IBM addressed in its Db2 data management products could allow a malicious local user to access sensitive data. Trustwave, which identified the vulnerability and reported it to IBM, says the issue exists because the developers omitted explicit memory protections for the shared memory used by the Db2 trace facility, leaving it readable by other local users.
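The failure mode described above, a shared memory region created without explicit permission restrictions, is easy to reproduce and to check for on a generic Linux host. The following is an added example written for this page; it is not Trustwave's or IBM's code and has nothing to do with Db2 internals. It assumes System V shared memory (shmget/shmctl), creates two segments, one with the permissive mode 0666 and one owner-only, writes a constructed sample secret into each, and runs an audit function that flags any segment whose group or "other" permission bits are set. The function and variable names are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Create a fresh System V shared memory segment with the given permission
   bits. IPC_PRIVATE guarantees a new segment rather than reusing a key.
   Returns the segment id, or -1 on failure. */
int create_segment(size_t size, int mode)
{
    return shmget(IPC_PRIVATE, size, IPC_CREAT | (mode & 0777));
}

/* Write a constructed sample secret into the segment so the exposure is
   about real data rather than an empty region. Returns 0 on success. */
int write_secret(int shmid, size_t size, const char *secret)
{
    char *p = shmat(shmid, NULL, 0);
    if (p == (char *)-1)
        return -1;
    strncpy(p, secret, size - 1);
    p[size - 1] = '\0';
    return shmdt(p);
}

/* The audit check: returns 1 if any group or "other" permission bit is set
   (the segment is readable or writable by users other than the owner),
   0 if it is owner-only, -1 if the segment cannot be inspected.
   shm_perm.mode also carries kernel flags such as SHM_DEST in the high
   bits, so mask down to the permission bits before testing. */
int segment_exposed(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return (ds.shm_perm.mode & 0077) != 0;
}

/* Mark the segment for removal once the last attachment goes away. */
int destroy_segment(int shmid)
{
    return shmctl(shmid, IPC_RMID, NULL);
}

int main(void)
{
    const size_t size = 4096;
    const char *sample = "constructed: trace buffer holding a connection string";

    int lax = create_segment(size, 0666);   /* the "forgot to restrict" case */
    int tight = create_segment(size, 0600); /* owner-only, what it should be */
    if (lax < 0 || tight < 0) {
        perror("shmget");
        return 1;
    }
    write_secret(lax, size, sample);
    write_secret(tight, size, sample);

    printf("0666 segment exposed to other local users: %d\n", segment_exposed(lax));
    printf("0600 segment exposed to other local users: %d\n", segment_exposed(tight));

    destroy_segment(lax);
    destroy_segment(tight);
    return 0;
}
```

On a live system the same check can be applied to every segment listed by `ipcs -m`: any segment owned by a service account whose mode shows group or world bits deserves a look, because a local user who can attach it reads whatever the service wrote there.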
The actively exploited Windows spoofing vulnerability patched last week by Microsoft has been known for more than two years, researchers pointed out. Microsoft's August 2020 Patch Tuesday updates addressed 120 vulnerabilities, including an Internet Explorer zero-day that has been chained with a Windows flaw in attacks linked to the threat actor named DarkHotel, and a Windows spoofing issue tracked as CVE-2020-1464.
Chinese drone giant Da Jiang Innovations on Thursday responded to the disclosure of security issues discovered by researchers in one of its Android applications. DJI has consistently denied accusations that its products leak user data to China, and it has pointed to analysis conducted by the U.S. Department of Homeland Security and Booz Allen Hamilton, which found no evidence that the company's government and professional drones send user data to DJI, China or other third parties.
Cisco this week informed customers that it has patched a high-severity path traversal vulnerability in its firewalls that can be exploited remotely to obtain potentially sensitive files from the targeted system. Cisco has also highlighted that exploiting the vulnerability only allows the attacker to access files on the web services file system, not ASA or FTD system files or files on the underlying operating system.
The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals. "Although the pandemic has already brought unprecedented changes to all walks of life, it is difficult to predict precisely how it will impact vulnerability disclosures this year," commented Brian Martin, Vice President of Vulnerability Intelligence at Risk Based Security.
A pair of vulnerabilities in Oracle's iPlanet Web Server have been disclosed that, if exploited, can lead to sensitive data exposure and the injection of images into web pages. The bugs are found specifically in the web administration console of iPlanet version 7, which has reached end-of-life and is no longer supported, so no patches will be issued.