[English readers: you can find English links in this post for your convenience]
… ma le segnala in modo responsabile dopo che i rispettivi vendor le hanno adeguatamente corrette: questo è in breve il senso del Microsoft Vulnerability Research (MSVR) program (di cui temo di non avervi parlato lo scorso aprile, sorry ) nato a valle del nuovo approccio di Coordinated Vulnerability Disclosure (CVD):
Gli ultimi due Microsoft Vulnerability Research Advisories sono proprio relativi a vulnerabilità, già corrette, in Facebook e Google Picasa:
MSVR11-007 – Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise
A vulnerability exists in the way that Facebook.com had previously implemented protection against clickjacking attacks. An attacker could exploit this vulnerability to circumvent Facebook privacy settings and expose potentially sensitive user information. An attacker who successfully exploited this vulnerability could take complete control of a user’s Facebook.com account and could perform any action on behalf of the user, such as read potentially sensitive data, change data, and delete contacts.
MSVR11-008 – Vulnerability in Google Picasa Could Allow Remote Code Execution
A vulnerability exists in the wasame user rights y that Picasa handles certain specially crafted JPEG images. An attacker could exploit this vulnerability to cause Picasa to exit unexpectedly and execute arbitrary code. An attacker who successfully exploited this vulnerability could gain the as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Other related posts/resources:
- Miei post su Coordinated Vulnerability Disclosure (CVD)
- [EN] Microsoft Vulnerability Research Advisories
- [EN] Microsoft Vulnerability Research (MSVR) Advisories Archive
- [EN] Microsoft Security Response Center (MSRC) Web Portal
- [EN] How to Report a Vulnerability to the MSRC
- [EN] MSRC Blog
- [EN] MSRC Ecosystem Strategy Team Blog
- [EN] @MSFTSecResponse