Tag Archives: bug bounty

Malwarebytes Releases Security Update For Consumer Products

As originally discussed in a previous blog post, Malwarebytes last Friday made available a security update for their Anti-Malware product used by consumers. The update brings it to version 2.2.1.

While Malwarebytes originally mentioned that the products client had more than one vulnerability, the release notes of v2.2.1 only mention one vulnerability being resolved.

In order to resolve the reported vulnerability(ies), please install the updated version of Malwarebytes Anti-Malware (available from the above v2.2.1 link) as soon as possible. Automatic upgrades will take place later this week.

Thank you.

Malwarebytes Announces Upcoming Security Update / Bug Bounty Programme

Update: 20th March 2016:
A more recent blog post provides details of the now released security update.

Thank you.

=======================
Original Post
=======================
On Wednesday of last week the anti-malware organization Malwarebytes published a blog post to inform it’s customers that they are working to resolve several security vulnerabilities responsibly disclosed (defined) to them.

The well-known Google security researcher Tavis Ormandy disclosed these issues to them in November 2015. Malwarebytes is currently working to have an updated version of it’s anti-malware product version 2.2.1 available in the next 3 to 4 weeks.

If you are a Malwarebytes business or consumer customer/or make use of their free anti-malware software please monitor the Malwarebytes blog for announcements as well continuing to keep your Malwarebytes product up to date in order to be protected against these security issues. Users of the Premium version of Malwarebytes can enable self-protection in mitigate (protect against) these issues until the appropriate update is made available. Further details of how to enable this security feature are available here.

Malwarebytes also took the opportunity within the above mentioned blog post to announce their Bug Bounty program. This should ensure that such vulnerabilities are disclosed and resolved sooner in the future. Further details of their bug bounty program are available here.

I will update this post when version 2.2.1 of Malwarebytes is made available.

Thank you.

Microsoft Extends Bug Bounty Program to ASP.NET and .NET Core

In late October Microsoft extended it’s Bug Bounty for security vulnerabilities within it’s Core CLR (Common Language Runtime), the execution engine for .Net Core, and ASP.Net (both technologies are open source and currently in late beta testing). These technologies are used to build web applications and in the implementation of websites.

As with previous bug bounties security researchers will be rewarded financially for discovering and responsibly disclosing (defined) these flaws to Microsoft. Their submissions need to include both a functioning exploit and a high quality white-paper. The newly extended bounty program which includes the above mentioned technologies will run from the 20th of October 2015 until the 20th of January 2016.

I’m very pleased to see that Microsoft continues to extend their bug bounty program to include the fundamental frameworks used to create web apps and websites. Any successful submissions will not only benefit the researchers but all of the customers who use and will use these technologies in the future.

Bounties for Online Services, Microsoft Edge and Internet Explorer 11 Technical Preview have been paid out in the past illustrating the success of such programs which benefits everyone.

Further details of the bug programme for ASP.NET and .NET Core are available within the following links:

Microsoft Bounty Programs Expansion – .NET Core and ASP.NET Beta Bounty
Microsoft Bounty Programs
Microsoft CoreCLR and ASP.NET 5 Beta Bug Bounty Program Terms

Thank you.

Microsoft Announces Edge (formerly Spartan) Bug Bounty

Following on from the success of the bug bounty program for Internet Explorer (IE) 11 in 2013 Microsoft has now created a bug bounty for the upcoming web browser; Spartan to be bundled with Windows 10.

The Project Spartan bug bounty programme will last for 2 months (this is double the length that the bounty programme for Internet Explorer 11 lasted). Further details of the success of the IE 11 bug bounty programme are provided in this blog post.

I’m very excited about this bug bounty since the IE 11 bug bounty made an excellent, worthwhile impact in 2013 and earlier this year flaws found in IE’s newest defenses were demonstrated to Microsoft earning a group of three researchers $125,000. I really hope that flaws are found since like the Pwn2Own competition any flaws found will make a widely used application more secure for all of its users. I will provide details of any flaws found on this blog.

Aside: What is Spartan and why does it matter?

Update: 30th April 2015: Microsoft confirmed yesterday that Edge is the new name of its browser for Windows 10.

Spartan (this is a code name, its final name has not yet been announced) will replace Internet Explorer 11 as the default web browser of Windows 10 for all but enterprise customers who wish to use legacy web applications or internal websites that rely on functionality only available in Internet Explorer 8 and older IE versions. Spartan may receive its final name at the upcoming Build conference next week, but this is uncertain right now.

For non-enterprise customers Spartan will be the default, lightweight and standards compliant web browser that is set to be used by the vast majority of people who upgrade to Windows 10 (assuming they choose Spartan over alternatives such as Mozilla Firefox, Google Chrome, Opera etc.). For the first time in many years code has been removed from Microsoft’s web browser to remove features that are no longer needed e.g. document modes, VBScript to name but a few. Further details on the changes made to the rendering engine and how IE will be available for enterprise customers are available in two separate blog posts, here and here.

Update: 8th May 2015:
Microsoft have provided more details in a blog post of the changes being made to the rendering engine of Edge, the features being removed (with explanations of why they are no longer needed) as well as detailing how many lines of code have been removed.

While Spartan will replace IE, IE will still be with us for quite some time to come, however only more recent versions are set to still receive security updates as of January 2016 (most systems will run IE 9 or later). With the scheduled end of support for Windows Server 2003 in July 2015, IE 6 will no longer receive security updates (without a paid for custom support agreement with Microsoft). If IE 11 receives the standard 10 years of support (5 standard + 5 extended support), IE 11 will be with us until late in 2023.

Further details on the changes to the versions of IE that will be supported in January 2016 can be found within the following link:

Microsoft slashes IE support, sets ‘huge’ edict for Jan. 2016

Update: 10th November 2015:
The honor roll for Microsoft Edge and Internet Explorer 11 (while they were both in their Technical Preview stages) has been updated to include a large number of security researchers who successfully submitted bugs in 2013 and 2015. By doing so they make every person using these widely used browsers more secure. Their work is much appreciated. Very well done to them!

Thank you.