The VAR Guy’s Security Round-Up: Week Ending April 22
There was plenty of action in security news this week, with vulnerabilities taking center stage. Microsoft patched one that recently made headlines in its weekly security update, while Google admitted its website had a pretty major one for about 24 hours. The latter also acknowledged in its second annual security report for its Android mobile platform that the widely used platform remains inherently insecure, troubling news for its users. But the week wasn’t all about vulnerabilities, so check out what else happened on the security front in The VAR Guy’s weekly security round-up.
Google Releases Second Android Security Report, News Isn’t Very Good
Google (GOOG) released its second annual security report on the Android mobile platform, and the news remains bleak for some users. Two years ago, one publication dubbed Android a “toxic hellstew of vulnerabilities” because platform fragmentation among companies has left numerous potentially dangerous bugs unpatched, and it seems Google is still having difficulty ensuring Android users are safe. The report found that 29 percent of devices can’t even be patched by the company, even as it’s begun pushing monthly security updates. Google said it’s going to keep pushing partners to get with the program and send the updates to users to help ensure the security of their devices.
Microsoft Patches Badlock Bug in “Important” Patch in Monthly Security Update
Last month, news and fears about a mysterious bug called “Badlock” began making the rounds. The bug affected unknown versions of the Windows operating system and Samba, free open-source software that integrates Linux or Unix servers and Windows computers across a network. Well, Windows users at least can breathe easy about Badlock for now, as Microsoft (MSFT) has issued a patch for the bug, one that curiously has been rated merely as “important”—rather than the more urgent “critical” rating—in its monthly “Patch Tuesday” security update. In all, the company issued 13 security bulletins in its April batch of security fixes, six being rated as critical—and thus more relevant than the Badlock fix—for remote code execution flaws.
Google Admits Its Own Website Has Security Flaws
With so many people using Google as their initial homepage for the Web on computers and other devices, it seems rather vital that the tech giant keep its own website as secure as possible. Well, the company admitted that this isn’t necessarily the case in a transparency report released this week. The report acknowledged that browsing the web on Google.com can infect computers with malware and connect users to thieves who steal passwords and credit card information. In the report, the company called its search engine site “partially dangerous,” acknowledging that “some pages on Google.com contain deceptive content right now.” “Some pages on this website install malware on visitors' computers,” the company said. “Attackers on this site might try to trick you to download software or steal your information (for example passwords, messages or credit card information).”
MIT Launches Bug Bounty Program, Paying Hackers to Keep Its Domains Safe
Leading research and development university MIT became one of the first educational institutions to launch a bug bounty program aimed at bolstering the security of its online properties. The program is open to MIT affiliates—that is, primarily undergraduate and graduate students—and rewards contributors who disclose severe vulnerabilities with TechCASH, a program that can be used for purchasing goods and services at MIT. The university also will allow top contributors to retain their Kerberos MIT email accounts after graduation as a thank-you for their participation. In addition to being open only to those affiliated with MIT, there are other rules to the program. Participants are prohibited from reading, writing, or accessing any private data they may come across when chasing down a bug, and they also must refrain from publicly disclosing details of any bug they might discover until it has been fully addressed.
Microsoft Sues DoJ for Right to Tell Customers the Government Wants Their Data
Microsoft and the Department of Justice (DoJ) appear to be at it again. The company this week filed a civil suit against the DoJ, asking a federal judge in Seattle to strike down a law allowing courts to prohibit a tech company from telling customers the government has sought their data. In the suit, Microsoft revealed that federal courts have issued almost 2,600 orders preventing Microsoft from telling its customers their data has been obtained in criminal probes in the past 18 months alone. Moreover, more than two-thirds of those orders—or about 1,750—had no fixed end date, meaning the company is “forever barred from speaking” and customers are “forever barred from hearing” that the government has been accessing e-mails or other private customer data, said Brad Smith, Microsoft’s president and chief legal officer.