Month: January 2015

Here’s Why Google Announces No Security Updates for Android 4.3 and Below Versions

A major security flaw has been found in the WebView component of Android 4.3 and below. WebView is an embeddable browser control, powered by a version of WebKit, that apps use to show web pages. Android 4.4 and 5.0, which use Blink instead of WebKit to show web pages in apps, are unaffected. However, going by Google’s own numbers, around 60 percent of users’ devices and sensitive information are at risk. The severity of the bug is high, as it could allow hackers to gain full control of a device, and the Android Security team was notified of it; their response to the issue, however, came as a shock to many. Google knows the repercussions of the flaw in its software, yet it has shown no interest in getting it fixed.

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” stated the Android Security Team.

Why Google Stopped Securing its Own Software?

It might look as if Google is fond of facing flak for its unprofessional approach – whether it is about disclosing the Windows bug...

Microsoft Issues a Call to Google and Others for ‘Better Coordinated Vulnerability Disclosure’

Google’s decision to disclose the security vulnerability in Windows 8.1 hasn’t been welcomed by Microsoft. Disagreeing with the method chosen by Google, Microsoft issued a call for ‘better coordinated vulnerability disclosure’. In an official blog, Microsoft’s Chris Betz said, “Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment”.

Microsoft believes that a software company should be given a period of time in which it can fully assess the potential vulnerability, evaluate the issue against the threat landscape and issue a fix for the vulnerability before it is made public. According to Microsoft, following this pattern will definitely keep attackers from utilizing the vulnerability while no patch is available. Further emphasizing the point, Microsoft stated that only the software development company knows how stressful the entire process of fixing a vulnerability is. It is not only complex and extensive but definitely a time-consuming process, which cannot be attempted and resolved in a given period of time. Making its demand stronger, Microsoft urges Google as well as other companies to come together and work on the deadline time given to the company...

Google Researcher Exposes Windows 8.1 Vulnerability; Microsoft Defends Inability to Patch the Flaw

A Google researcher has exposed a bug in Windows 8.1 after Microsoft didn’t fix the security flaw within the given period of time (90 days). Google considers 90 days a fair amount of time to warn a competitor about an exploit taking place in its system. However, despite having enough time, Microsoft was a little slow to fix the recent flaw that the Google team came across in Windows 8.1. As a result, Google has publicly disclosed the Windows 8.1 vulnerability as well as the code required to take full advantage of the exploit. The bug detected by the Google researcher, Forshaw, allows a local user of a machine to gain administrator privileges, which further opens the door to other malicious acts with the computer and its settings.

In response to the threat disclosed by Google, a Microsoft spokesperson said, “We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.” The statement by Microsoft might be reassuring, but it is not yet clear whether...
