Microsoft frowns on iDefense hacking challenge
Microsoft is upset by a hacking challenge being offered up by Reston, Va.-based iDefense Labs, a division of VeriSign Inc. iDefense is offering a $10,000 reward to anyone who can uncover a wormable flaw in the software giant's products, but Microsoft said paying for flaws is the wrong way to approach security.
"We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers," a Microsoft spokesperson told eWEEK.com. "Microsoft believes that responsible disclosure, which involves making sure that an update is available from software vendors the same day the vulnerability is first broadly known, is the best way to protect the end user."
The hacking challenge is part of iDefense's controversial VCP (Vulnerability Contributor Program), in which underground researchers are paid to supply information on new software vulnerabilities.
Michael Sutton, director of iDefense Labs, defended the new program in an interview with eWEEK.com, insisting that it promotes responsible disclosure and keeps information on critical zero-day flaws away from attackers.
"We want to use [the quarterly hacking challenge] to inspire our contributors to target their research in specific areas," Sutton said. "We have a lot of clients running Microsoft products and they want to be protected from critical vulnerabilities."
He said the $10,000 would be paid as a bonus on top of fees paid for the initial vulnerability submission, and only for those bugs that result in a "critical" security bulletin from Microsoft.
Google Desktop Beta has security risk
Google has acknowledged a security risk in Google Desktop Beta, following a warning from Stamford, Conn.-based consultancy Gartner Inc. that the program carries an "unacceptable security risk."
Google rolled out Google Desktop 3 Feb. 9. It's a free, downloadable program with an option that allows users to search across multiple computers for files. As part of that option, the application automatically stores encrypted copies of files on Google servers for up to a month. After that, copies -- still encrypted -- are transferred to the user's other computers for archiving.
Gartner said in a report last week that the 30-day storage period, when the data can be shared between users, poses a risk to enterprises. "[The] mere transport [of data] outside the enterprise will represent an unacceptable security risk to many enterprises," Gartner said, as intellectual property could be taken from the business.
Google acknowledged the risk Monday to ZDNet UK, and recommended that companies take action. "We recognize that this is a big issue for enterprise. Yes, it's a risk, and we understand that businesses may be concerned," said Andy Ku, European marketing manager for Google. The search giant confirmed to ZDNet UK that data was temporarily transported outside of businesses when the "Search Across Computers" feature was used, and that this represented "as much of a security risk as e-mail does."
But Google said security is ultimately the concern of individual businesses. "The burden falls on enterprises to look after security issues," Ku said. "Companies can disable the Search Across Computers facility."
Gartner recommended businesses use Google Desktop for Enterprise, which allows IT shops to centrally turn off the "Search Across Computers" feature, which it said should be "immediately disabled."
Sophos update leads to false positives for Mac malcode
UK-based AV firm Sophos was forced to issue a revised detection update for the OSX.Inqtana-B worm Tuesday, after an error in the first update sparked false positives for some Mac OS X users.
"Unfortunately, this update was flawed, and Mac OS X users may have been mistakenly warned by Sophos Anti-Virus for Mac OS X that some files on their computers were infected with the worm," Sophos said on its Web site. The company said it quickly discovered the problem and issued a revised update less than two hours later. "Measures have been put in place to ensure that the problem does not occur again," Sophos said. "Sophos would like to remind customers that the OSX.Inqtana-B worm is not in the wild and is unlikely to be encountered."
Kaspersky glitch causes e-mail trouble for Microsoft customers
Microsoft and Russian AV firm Kaspersky Lab have fixed a glitch that caused problems for those using the software giant's Antigen e-mail security software. Some users lost their e-mail service for up to 10 hours last week because of an error in a routine update to the Kaspersky AV engine that was distributed early Thursday morning. That afternoon Microsoft offered the previous version of the engine for download to solve the problem. "As soon as we were aware that our customers were experiencing e-mail problems due to the Kaspersky update, we escalated through the appropriate channels across Kaspersky and Microsoft, and were able to define, test and provide a resolution," a Microsoft spokesperson told CNET News.com.