Here's a collection of recent security vulnerabilities, alerts, and news, which covers news that Microsoft will not prosecute ethical hackers probing its Web site for security holes, an exploitable flaw in the DivX Player involving subtitle files, and minor updates available for both Firefox and Safari Web browsers.
- Microsoft says it is okay to probe its Web site for security holes
Microsoft has publicly pledged not to prosecute ethical hackers who find security flaws on its Web site. This announcement was made at the ToorCon security conference in Seattle. This attempt to be more responsive to security researchers comes in contrast to legal action taken against similar activities by other organizations.
Alex Stamos, a founding partner at iSEC Partners, a firm that provides penetration-testing services, noted: "There's definitely a lot of trepidation among legitimate researchers to find flaws in public-facing web applications because you never know how [companies] are going to react. That hurts us because the only people finding these flaws are the bad guys."
In all, this is a very bold move given just how vast the Microsoft Web site is. It remains to be seen if this proclamation will be followed by other large Web properties.
- DivX Player trips up over subtitles
The player bundled with the highly popular DivX codec has a flaw that causes it to crash over maliciously crafted subtitle files, potentially opening it to the arbitrary injection of code.
Version 220.127.116.11 of the DivX Player, which is included in DivX 6.8, is affected. Users are advised not to open .srt files from untrusted sources until the flaw is patched. Note that the player automatically opens an .srt file that has the same base filename as the video if one is present in the same directory, so a crafted subtitle file can be loaded without the user ever opening it directly.
You can check out the proof of concept (POC) here.
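Because the player loads a same-basename .srt sidecar on its own, a defender's check is to look for that sidecar before opening a video and sanity-check its structure. The following is an added example (not code from DivX or from the original post); the length limits and the sample subtitle text are constructed assumptions, not values from the advisory.

```python
import os
import re

# Constructed limits (assumptions, not from the advisory): cues or lines
# beyond these are flagged as suspicious rather than passed to a player.
MAX_LINE_LEN = 512
MAX_CUES = 10000

# SRT timing line: "HH:MM:SS,mmm --> HH:MM:SS,mmm" with optional position info.
TIMING_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2},\d{3}) --> (\d{2}:\d{2}:\d{2},\d{3})(?: .*)?$"
)


def sidecar_subtitle(video_path):
    """Return the path of a same-basename .srt next to the video, or None.
    This mirrors the auto-open behaviour described for the DivX Player."""
    base, _ = os.path.splitext(video_path)
    candidate = base + ".srt"
    return candidate if os.path.isfile(candidate) else None


def check_srt(text):
    """Parse SRT text and return a list of findings (empty means it looks sane).
    Cues are 'index / timing line / text lines' blocks separated by blank lines."""
    findings = []
    blocks = re.split(r"\r?\n\s*\r?\n", text.strip())
    if len(blocks) > MAX_CUES:
        findings.append(f"too many cues: {len(blocks)}")
    expected = 1
    for n, block in enumerate(blocks, 1):
        lines = block.splitlines()
        if len(lines) < 2:
            findings.append(f"block {n}: truncated cue")
            continue
        if not lines[0].strip().isdigit():
            findings.append(f"block {n}: non-numeric index {lines[0][:20]!r}")
        elif int(lines[0]) != expected:
            findings.append(f"block {n}: index {lines[0]} out of sequence")
        expected += 1
        if not TIMING_RE.match(lines[1].strip()):
            findings.append(f"block {n}: malformed timing line")
        for line in lines:
            if len(line) > MAX_LINE_LEN:
                findings.append(f"block {n}: line of {len(line)} bytes")
            if any(ord(c) < 32 and c != "\t" for c in line):
                findings.append(f"block {n}: control characters in cue")
    return findings


# Constructed samples: a well-formed two-cue file and one with an oversized cue line.
GOOD_SRT = "1\n00:00:01,000 --> 00:00:02,000\nHello\n\n2\n00:00:03,000 --> 00:00:04,000\nWorld\n"
OVERSIZED_SRT = "1\n00:00:01,000 --> 00:00:02,000\n" + "A" * 2000 + "\n"
```

Run `check_srt` on the sidecar returned by `sidecar_subtitle` before handing the video to the player; any non-empty findings list is a reason to quarantine the subtitle file rather than open it.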
- Updates available for Firefox, Safari Web browsers
[This version] fixes four flaws in the Windows version of Safari and two in the Mac version. Of those patched, the most serious are the two flaws that affect WebKit on both platforms. WebKit, the engine behind Safari, also powers some elements of Apple Mail, Dashboard and numerous third-party applications.