Got a Sophos Web Protection box? Make sure it's up to date

Sophos has plugged security holes in its Web Protection Appliance that could place its customers' internet connections in the hands of eavesdroppers. The equipment is supposed to filter out suspicious or harmful web traffic for businesses. But the flaws allowed any unauthenticated user to access sensitive configuration files …

COMMENTS

This topic is closed for new posts.
  1. Ian 62
    Pint

    Well done all round

    Seems like everyone was very grown up about it.

    Studied, found, reported, fixed, deployed, thanked.

    No one unleashed the WTFBBQLawyerMissiles! Or went to the blackhats or greyhats to embarrass someone.

    Wonder why others make it so 'dramatic'?

    1. Anonymous Coward
      WTF?

      Re: Well done all round

      Well done? It seems to me that they haven't done what they are preaching. When will people understand that the applications these 'security companies' try to sell are no more secure than any other application out there.

      I for one think that the security industry needs a security industry.

      1. Anonymous Coward

        Re: Well done all round

        -> "...and will be made available to all remaining customers on April 1."

        Perfectly timed?

  2. frank ly

    Shakes head

    Is it actually possible to create an OS/app/device/appliance or website/etc that does not have security holes in it? You'd think that large corporations who specifically operate in the subject area would know what they are doing, .... but no. I'd have thought that all the potential security vulnerabilities would be known and understood by now?

    1. Anonymous Coward

      Re: Shakes head

      What I find hilarious is that they wrote the interface in PHP and named it 'web protector', the ironic-meter goes off the scale on that one.

    2. Christian Berger

      Re: Shakes head

      Sophos is a company that _claims_ to know about security. Not a company that actually knows about security.

      Yes, you can drastically reduce the number of security holes by carefully engineering the software and by making sure your developers understand the problem of security. Typically companies don't bother with that.

    3. Don Jefe

      Re: Shakes head

      You can no more create a system with zero vulnerabilities than you can create a perpetual motion machine. The idea is to minimize them and correct them when they are located.
