Chatter Has Value: An Informed IT Workforce Is An Important Cybersecurity Prevention Strategy

A security researcher recently published details about a Safari browser bug after Apple delayed creating a patch.

The bug is contained in Safari's implementation of the Web Share API, a cross-browser API for sharing text, links, files, and other content. The bug could be used to leak or steal files from users' devices. For example, a malicious web page could invite users to email an article to their friends and then secretly steal a file from their device.

The researcher who discovered the bug said that it is "not very serious" because social engineering and user interaction are necessary for files to be leaked. However, he did say that it is easy for cybercriminals "to make the shared file invisible to the user."

The researcher first reported the bug to Apple in April 2020. However, Apple delayed patching the bug until spring of 2021. Apple also allegedly tried to stop the researcher from publishing his findings until next spring.

Others have accused Apple of delaying patches and trying to silence security researchers. Google's Project Zero security team refused to participate in Apple's Security Research Device program because it claimed the rules were designed to limit public disclosure and keep researchers silent about their findings.

The infosec industry generally accepts a standard 90-day vulnerability disclosure deadline. Catalin Cimpanu, "Security researcher discloses Safari bug after Apple delays patch," zdnet.com (Aug. 25, 2020).


Commentary

Often, before an official announcement, others chatter about risks discovered. Cybersecurity companies will often announce when they find flaws in software that could lead to a future breach.

Following security-oriented forums and chatrooms is an early warning strategy that can help you address risks sooner. Addressing risks sooner limits damages.

Consequently, it is important to monitor cybersecurity news sources in order to stay current. Although you can often count on software companies to release patches to protect you from the latest threats, this is not guaranteed.

There are a number of quality news sources for information about cyber risks. You can also follow the Department of Homeland Security’s Cybersecurity News and Updates.

In addition, this website provides information on many recent cybersecurity threats.

Of course, installing patches as soon as they become available is still essential to a strong cybersecurity practice. Set computers and devices to update automatically, or always install updates as soon as you are notified.
