Infosecurity Weekly News Update

Although seven months remain until Microsoft support for the Windows XP operating system ends, the OS hit the headlines in the last week as Microsoft warned users about the end of support.

The End of XP Support

In a statement released on the Microsoft blog, Trustworthy Computing director Tim Rains warned that users will not be protected from any new vulnerabilities in XP, as from 8th April 2014 Service Pack 3 will no longer receive new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates.

The major challenge in upgrading from XP will be for businesses that are running many thousands of endpoints on the legacy OS. Consider this: next time you walk around a supermarket or library where there are PCs, have a look at the screen saver and ask yourself how close they are to upgrading. That, potentially, is the greatest challenge.

Hello Zuckerberg

Sticking with fixing bugs, researcher Khalil Streath decided to attract more attention to a Facebook bug he had found, one that allowed a Facebook user to post to any other user's timeline, including people not on their friends list, by 'demonstrating' its impact on the personal wall of founder Mark Zuckerberg.

Facebook initially denied that it was a bug and refused to pay out under its bug bounty program, which it launched in 2011. After Streath publicly demonstrated the flaw on such a high-profile target, Facebook temporarily suspended his account and said it was not able to pay him because his actions violated its Terms of Service.

Among the extensive coverage, the Daily Mail reported that the method of disclosure did cause Facebook to patch the problem, while v3 said that researchers on the Y Combinator Facebook forum argued that, whilst the research was valid, the company could not pay Streath for his alert because he actively exploited the vulnerability when trying to prove its existence.

"The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behaviour for a white hat," it said.

This led Facebook CSO Joe Sullivan to say in a blog post that, while he understood Streath's frustration, Facebook was 'too hasty and dismissive in this case' and 'should have explained to this researcher that his initial messages to us did not give us enough detail to allow us to replicate the problem'. Although he did not confirm that Streath will be paid, the incident has caused Facebook to review and change the wording of its Terms and Conditions, to improve its email messaging so that it clearly articulates what it needs in order to validate a bug, and to update its whitehat page with more information on the best ways to submit a bug report.

Streath will not leave this incident empty-handed though, as a fund set up by Beyond Trust CTO Marc Maiffret to "support future security research" has raised more than $10,000. Maiffret said that he hoped this has raised awareness of the importance of independent researchers, and urged them to "never forget the greater goal; to help the internet community at large".

Read the T&Cs

However, Bugcrowd, which runs managed bug bounty programs for web and mobile, was among those critical of Streath's actions, saying on Twitter that he not only filed a 'terrible' first report but also completely violated the Facebook Whitehat Terms of Service "and exposed himself to legal action. Think twice before you do likewise."

The issue here is that Streath found a serious bug, and had he shown patience and submitted a proof of concept in the correct manner, he would likely have been rewarded by Facebook for his efforts. But by demonstrating the flaw on the personal wall of the founder, arguably not a good idea and akin to showing the chief executive of Microsoft how your remote code execution flaw works by redirecting his web traffic, he divided opinion among his peers.

Bye Bye Ballmer

Who that Microsoft chief executive will be by the end of 2013 is up for debate, after Steve Ballmer resigned his position. In a letter, published in full by v3, Ballmer called the new senior leadership team 'amazing' and the strategy 'first class', and said that the new organization, which is centred on functions and engineering areas, 'is right for the opportunities and challenges ahead'.

Let's hope that whoever takes over from Ballmer has the foresight to watch what has happened with bug bounties, and takes note of the need to ensure that patches are properly tested before release: one recent update had to be reissued after some Active Directory Federation Services deployments stopped working once the patch was applied.
