Weekly Intelligence Summary: 2010-06-11
Dave Kennedy, June 11th, 2010
On the heels of last week’s “news” that Google was purging the Windows OS, as if that decision were independent of the forthcoming roll-out of the Chrome OS, we have more Google-versus-competitor security pseudo-news. Google employee Tavis Ormandy felt compelled to announce a new vulnerability in Windows Help and Support Center (its hcp:// protocol handler). Some feel this was rude, but Tavis had the courtesy to acknowledge, in his own words, “all my other pimp colleagues.” In April, it was also Tavis who “outed” a vulnerability in Oracle’s Java Deployment Toolkit. The Risk Team continues to be unimpressed by Tavis and his “pimp colleagues.” Help and Support Center vulnerabilities have failed to manifest themselves as attacks at least 1, 2, 3, 4, 5, 6 and 7 times before, but perhaps “eight is the charm.” So far the risk lessons are more about corporate reputation and individual socialization than technical issues. Similarly, the breach of about 5% of iPad users’ e-mail addresses, harvested from an AT&T web application that returned the address associated with any ICC-ID submitted to it, is less about Apple and more about AT&T’s image. The risk lesson is another reminder of the necessity to bulletproof web applications and monitor them for attacks. Everyone on the Risk Team got new “been there, done that” T-shirts when new vulnerabilities in Adobe Flash, Acrobat and Reader were used in attacks and a new Flash version emerged from Adobe in response. Microsoft’s Patch Tuesday delivered on the forecast of 10 bulletins, but the Risk Team’s recommendations to Verizon Business Cybertrust Security customers were less urgent than those of the MSRC.
Tags: INTSUM