Fixing Flaws: The Art of Bug Fixing in the Business World. Issue 2
No software is perfect. Even the most meticulously crafted programs can encounter flaws and issues — it’s part of the software development process.
However, what truly matters is how these imperfections are addressed, how they are communicated to users, and if any proactive measures are taken to prevent their recurrence. These lessons are valuable for all of us to learn.
In our series of articles Fixing Flaws, we are exploring how companies who faced various software bugs and vulnerabilities figure out what to do next.
We hope these stories will inspire and motivate you to move forward despite occasional flaws and uncertain business environments.
Microsoft fixes Azure AD auth flaw that allows account takeover
The flaw could allow hackers to gain more privileges and potentially take control of someone’s account. The issue involves a misconfiguration called nOAuth, which allows attackers to change the email address on their Azure AD admin account to the victim’s email address. By using the “Log in with Microsoft” feature on a vulnerable app or website, the attacker could fully control the victim’s account if the app or website allows using email addresses for authorization.
This attack method can even be used when the victim doesn’t have a Microsoft account.
Microsoft addressed the nOAuth configuration by implementing mitigations after receiving an initial report from Descope in April 2023. They deployed measures to omit token claims from unverified domain owners for most applications. Additionally, they advised developers to assess their app’s authorization business logic and follow guidelines to prevent unauthorized access.
Nickelodeon investigates breach after leak of ‘decades-old’ data
Nickelodeon, a popular American pay-TV channel known for producing content for children and family audiences, has confirmed the user data leakage. However, some of it seems to be from several decades ago.
Reports indicate that around 500GB of documents and media files were leaked, and these files were initially shared on a private Discord server and are now being reposted on various platforms.
A Nickelodeon spokesperson stated that an investigation is ongoing, but the leaked data does not seem to be the result of a recent breach. The spokesperson assured that the leaked information does not include user or employee data but is primarily production resources and other intellectual property.
While it may take time to fully analyze the entire data dump, based on Nickelodeon’s statement, there are no indications of a significant compromise to the company’s systems.
It’s important to note that redistributing copyright-protected intellectual property, even if it is old and does not cause immediate harm to Nickelodeon’s business, is illegal. Those who engage in such activities may face legal consequences, and we believe that Nickelodeon will investigate this issue properly.
After fixing a browsing bug, Apple re-releases a zero-day patch
It seems that Apple is a regular star in our bug digests and success stories. An amazing example is that you can have issues with your product but still remain one of the most successful companies in the world.
This time, zero-day vulnerability in WebKit was exploited in attacks. Apple released emergency security updates that addressed the problem. The initial patches had to be withdrawn due to browsing issues experienced on certain websites.
Apple acknowledged the problem and stated that recent Rapid Security Responses might cause some websites to display incorrectly. The company assured customers that fixed versions of the updates would be released soon and advised those experiencing browsing issues to remove the problematic updates.
The specific reason why some websites were affected was not disclosed by Apple. However, it is likely that the issue arose from the new Safari user agent, which included an “(a)” string that prevented websites from recognizing it as a valid version of Safari. As a result, some websites displayed error messages stating “browser not supported.”
To resolve these browsing issues, Apple has begun pushing new Security Response updates labeled iOS 16.5.1 ©, iPadOS 16.5.1 ©, and macOS 13.4.1 ©.
The zero-day vulnerability impacts the WebKit browser engine and allows attackers to execute arbitrary code by tricking users into opening maliciously crafted web pages.
Apple advises all users to install emergency security updates as they contain important security fixes.
Android July security updates fix three actively exploited bugs
Google has recently released its monthly security updates for the Android operating system, featuring fixes for 46 vulnerabilities. Among them, three are believed to be actively exploited in real-world attacks.
The first vulnerability is a memory leak flaw found in the Arm Mali GPU driver for certain chipsets. This vulnerability was utilized in an exploit chain to deliver spyware to Samsung devices in December 2022.
The second vulnerability is classified as critical. It is an integer overflow bug in Skia, Google’s 2D graphics library used in Chrome. This vulnerability was fixed in April but may still impact other systems using Skia.
The most severe vulnerability addressed in this update affects Android versions 11, 12, and 13 and could potentially lead to remote code execution without any user interaction or additional privileges.
It’s worth noting that older Android versions, which are no longer supported, may still be impacted by some of the addressed vulnerabilities. In such cases, it is advisable to consider upgrading to a newer device or installing a third-party Android distribution that provides security updates for older devices.
Summing up
Even during uncertain times in the business environment, prioritizing rigorous testing can significantly enhance the security and reliability of software systems. By collaborating with independent QA providers, organizations can safeguard themselves and their users from potential bugs and breaches.
If you’re searching for a reliable QA services provider, we would be happy to connect with you! Our QA specialists can assist you in establishing and sustaining your QA process, safeguarding your business against any potential bugs.
Get in touch with us, and we can tailor a QA solution that meets your unique needs.