Security Watch

Keeping Track of patches and hacks in the IT security world.

Microsoft Improves Yammer Security

Microsoft wasn't always known or particularly well-respected for its security practices, but those days just might be mostly gone.

When one company buys another, a lot of things are in motion, and one area that, in my experience, is often overlooked is security. In the case of Microsoft's acquisition last year of enterprise social networking vendor Yammer, that does not appear to be the case.

Microsoft acquired Yammer in July 2012 for $1.2 billion and has spent the last year building out a solid road map. Aside from growing the user and features base, Microsoft has also helped secure Yammer.

A security report published this week by researchers at Vulnerability Laboratory details a remote authorization bypass vulnerability in Yammer. The flaw could potentially have been exploited by a remote attacker without a privileged application user account and without any user interaction. It was related to an insecure implementation of the OAuth authorization technology Yammer uses.

"It is possible to steal other user profiles by simply requesting a leaked access token, which can be acquired from publicly accessible search engine results [Google's Cache] and/or by other possible means," Vulnerability Laboratory warned. "During the testing, the researcher was able to acquire sensitive information [valid access_tokens] using the Google search engine, and upon further testing, it was revealed that by including the access token directly in the browser through an HTTPS request, it is possible to log on to Yammer as the affected user."

That's a very serious vulnerability.
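The reason a leaked access token is so dangerous is that an OAuth bearer token carried in a URL's query string goes wherever the URL goes: search-engine caches, Referer headers, proxy and web server logs. The script below is an added example and is not code from the article, from Vulnerability Laboratory or from Microsoft; it scans constructed access-log lines for tokens in request paths and Referer fields, shows how to redact such URLs before logging, and contrasts a weak handler that accepts the token from the query string with a hardened one that only consults the Authorization header. The host names, paths, log lines and token values are all constructed, and the handlers are illustrative, not Yammer's implementation.

```python
"""Bearer tokens in URLs: finding them in logs and refusing to honour them.

Added example, not the article's or Yammer's code. Everything below is
constructed: the hosts, paths, tokens and log lines are not real traffic.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names that commonly carry bearer credentials.
TOKEN_PARAMS = {"access_token", "token", "oauth_token"}

# Constructed Apache "combined" access-log lines (not real traffic).
# Line 1: token in the request path.  Line 2: the same token leaks again
# through the Referer header when the page loads a static asset.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2013:14:02:11 +0000] "GET /api/v1/messages.json?access_token=ZXhhbXBsZS10b2tlbi0x HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2013:14:02:12 +0000] "GET /static/logo.png HTTP/1.1" 200 812 "https://api.example.test/api/v1/users/current.json?access_token=ZXhhbXBsZS10b2tlbi0x" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2013:14:03:40 +0000] "GET /api/v1/messages.json HTTP/1.1" 200 2310 "-" "curl/7.29"
"""

# Captures the request target and the Referer field of a combined-format line.
_REQUEST_RE = re.compile(
    r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+" \d+ \d+ "([^"]*)"'
)


def tokens_in_url(url: str) -> dict:
    """Return {param: value} for credential-like params in url's query string."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k in TOKEN_PARAMS}


def scan_log(text: str) -> list:
    """Return (line_no, where, param, token) for every token found in the
    request path or the Referer field of each access-log line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        for where, url in (("request", m.group(1)), ("referer", m.group(2))):
            for param, value in tokens_in_url(url).items():
                hits.append((n, where, param, value))
    return hits


def redact_url(url: str) -> str:
    """Replace credential params so the URL can be logged or shared safely."""
    parts = urlsplit(url)
    q = [(k, "REDACTED" if k in TOKEN_PARAMS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(q)))


# --- server side: weak vs. hardened token extraction -----------------------

# Constructed token -> user mapping standing in for a real token store.
VALID_TOKENS = {"ZXhhbXBsZS10b2tlbi0x": "alice"}


def _bearer_from_header(headers: dict):
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else None


def user_for_request_weak(path: str, headers: dict):
    """Weak: honour a token from the query string. This is what turns a
    cached or logged URL into a working credential for whoever reads it."""
    token = tokens_in_url(path).get("access_token") or _bearer_from_header(headers)
    return VALID_TOKENS.get(token)


def user_for_request_hardened(path: str, headers: dict):
    """Hardened: only the Authorization header is consulted. A token in the
    URL is ignored, so a leaked URL alone no longer logs anyone in."""
    return VALID_TOKENS.get(_bearer_from_header(headers))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("token in %s on line %d: %s=%s" % (hit[1], hit[0], hit[2], hit[3]))
    leaked = "/api/v1/messages.json?access_token=ZXhhbXBsZS10b2tlbi0x"
    print("weak handler     ->", user_for_request_weak(leaked, {}))
    print("hardened handler ->", user_for_request_hardened(leaked, {}))
```

Running the scanner over real logs is the quick check a practitioner wants after reading a report like this: if any hit comes back, treat those tokens as compromised and revoke them, and fix the client or API so the token travels in the Authorization header rather than the URL.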

Vulnerability Laboratory reported the flaw to the Microsoft Security Response Center July 10 and got a response back July 11. According to Microsoft, an automatic update for the flaw was pushed out July 30. That's a pretty solid response time in my book.

What's even better is that, according to Microsoft, Yammer users apparently were never actually attacked through the flaw.

"We have not detected any attacks, and there is no action for customers, as they are automatically protected," a Microsoft spokesperson told eWEEK.

Now I know full well that in addition to the Microsoft Security Response Center, Microsoft also has a very robust and strict security program in place for products. Known as the Security Development Lifecycle (SDL), the program is in some respects the envy of many tech vendors, and Cisco and others have emulated it. The SDL process bakes security practices into every step of the development and productization process, and it is now one that Yammer benefits from as well.

"When Microsoft acquires a company, we begin a process of on-boarding that company and its products to our Security Development Lifecycle," Microsoft's spokesperson said.

So there you have it. Being acquired by Microsoft has more benefits than just size and scale. It might just also help a company develop even more secure products and services.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.