print   email   Share

Chatter Has Value: An Informed IT Workforce Is An Important Cybersecurity Prevention Strategy

November 5, 2020

A security researcher recently published details about a Safari browser bug after Apple delayed creating a patch.

The bug is contained in Safari's implementation of the Web Share API, a cross-browser API for sharing text, links, files, and other content. The bug could be used to leak or steal files from users' devices. For example, malicious web pages could invite users to email an article to their friends then secretly steal a file from their device.

The researcher who discovered the bug said that it is "not very serious" because social engineering and user interaction is necessary for files to be leaked. However, he did say that it is easy for cybercriminals "to make the shared file invisible to the user."

The researcher first reported the bug to Apple in April 2020. However, Apple delayed patching the bug until spring of 2021. Apple also allegedly tried to stop the researcher from publishing his findings until next spring.

Others have accused Apple of delaying patches and trying to silence security researchers. Google's Project Zero security team refused to participate in Apple's Security Research Device program because it claimed the rules were designed to limit public disclosure and keep researchers silent about their findings.

The infosec industry generally accepts a standard 90-day vulnerability disclosure deadline. Catalin Cimpanu "Security researcher discloses Safari bug after Apple delays patch" zdnet.com (Aug. 25, 2020).

 

Commentary

Often, before an official announcement, others chatter about risks discovered. Cybersecurity companies will often announce when they find flaws in software that could lead to a future breach.

Following forums and chatrooms that are security-orientated is an early warning strategy that can help prevent risks sooner. Preventing risks sooner limits damages.

Consequently, it is important to monitor cybersecurity news sources in order to stay current. Although you can often count on software companies to release patches to protect you from the latest threats, it is not a guarantee.

There are a number of quality news sources for information about cyber risks. You can also follow the Department of Homeland Security’s Cybersecurity News and Updates.

In addition, this website provides information on many recent cybersecurity threats.

Of course, installing patches as soon as they become available is still essential to a strong cybersecurity practice. Set computers and devices to update automatically, or always install updates as soon as you are notified.

Finally, your opinion is important to us. Please complete the opinion survey:

News

New Fax Number for Best Practice Help Line

The fax line for Best Practice Help Line consultation requests is now 918-712-5965.

Identifying Employee Personality Typing May Help Blunt Cybercrime

New research finds that personality type may determine an employee's strengths and weaknesses as it relates to cyber threats. We examine.

Bad State Actors And Criminals Are Focusing On Updates After SolarWinds Hack

Cybercriminals often hack organizations or spoof software updates to spread malware. We examine.

Knowing Internal Online Habits Helps Limit The Risk Of Cloud-Based Malware Attacks

McAfee's second quarter report reveals a significant rise in malware attacks, particularly in cloud-based user accounts. We examine.