07.24.10
Google and Mozilla Encourage Bug Spotting, Microsoft Does Not
Summary: Google and Mozilla offer bounties for spotting bugs; Microsoft says no to the idea (proof that proprietary software is embarrassed about showing weaknesses)
THE company that made silent patching (and deceitful security reports) seemingly acceptable is continuing to show why it lags behind in terms of security. While Mozilla offers a $3,000 bug bounty to make Firefox more secure, Microsoft does not, as a matter of principle.
Microsoft has no plans to follow in the footsteps of Mozilla and Google and pay researchers cash rewards for the bugs that they find in Microsoft’s products.
Only weeks ago Microsoft was criticised for attacking researchers who report bugs in its software. How heart-warming.
For what it’s worth, Apple’s proprietary software is not secure, either. This time it’s Safari with a gaping hole.
Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.
Apple with its sheer arrogance will probably try to sweep this one under the carpet, judging by the way it treated major manufacturing/design issues in hypePhone 4. Rather than issue an apology Apple is quietly offering cases (without exactly acknowledging the problem).
Needs Sunlight said,
July 25, 2010 at 8:12 am
Kudos to Google and Mozilla for designing and building so well.