Google released details of a second unpatched privilege escalation flaw in Windows 8.1 in less than a month, drawing criticism from Microsoft.
Microsoft is unhappy with the 90-day public disclosure deadline enforced by Google’s security research team known as Project Zero.
Project Zero members routinely find vulnerabilities in products from other companies. These flaws get reported to the affected software vendors and if they are not patched in 90 days, Google automatically makes the vulnerability details public.
On Dec. 29, Google Project Zero disclosed an elevation of privilege (EoP) vulnerability affecting Windows 8.1 that Microsoft hadn’t yet patched. The vulnerability was reported to Microsoft on Sept. 30, so the 90-day deadline expired, Google said at the time.
On Sunday, the company’s researchers disclosed yet another unpatched EoP flaw in Windows 8.1, which had been reported to Microsoft on Oct. 13. This time the disclosure irked Microsoft, which planned to fix the vulnerability tomorrow. Microsoft releases security patches on the second Tuesday of every month, which has come to be known as Patch Tuesday in the industry.
As the name suggests, an EoP flaw can be exploited to gain administrator privileges on a system from a low privileged account. They are not critical vulnerabilities, like those that allow for arbitrary code execution, but they can make such flaws even more dangerous and should be patched.
“We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix,” said Chris Betz, senior director with Microsoft’s Security Response Center, in a blog post Sunday. “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result.”
The entry corresponding to this vulnerability on Google’s security research tracker confirms that Microsoft was denied a deadline extension.
“Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended,” the entry reads. “Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.”
In practice, companies like Microsoft, which follow monthly or quarterly patching cycles and only rarely deviate from them to fix actively exploited, high-risk flaws, have less than 90-days to push out fixes to security issues reported by Google.
For example, if Google’s researchers contact Microsoft about a flaw a few days after the company released its latest monthly batch of security updates, the company will have to develop a patch and have it ready for the next Patch Tuesday or the one after that—in around 60 days. If it waits longer, the deadline will expire before it’s next scheduled patch release, like it happened in this case.
“We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon,” Betz said. “Other companies and individuals believe that full disclosure is necessary because it forces customers to defend themselves, even though the vast majority take no action, being largely reliant on a software provider to release a security update. Even for those able to take preparatory steps, risk is significantly increased by publicly announcing information that a cybercriminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue.”
Microsoft, whose researchers also find vulnerabilities in products from other companies, encourages and practices what it calls “Coordinated Vulnerability Disclosure” (CVD), a policy where those who find vulnerabilities work with the vendor until fixes are made available and only then share details about those flaws publicly.
This might sound like the responsible thing to do, but software vendors are not equal in how they handle vulnerability reports. Some may take months or years to fix a particular flaw, and some are very bad at communicating with external security researchers.
There have been many cases in the past where different researchers independently discovered the same vulnerability, which means that given enough time malicious hackers might also find and exploit flaws found by researchers, but not yet patched by vendors. Google’s deadline attempts to strike a balance between the vulnerability remediation needs of software vendors and the public interest.
“Project Zero believes that disclosure deadlines are currently the optimal approach for user security—it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face,” said Project Zero researcher Ben Hawkes in December following the disclosure of the first EoP flaw. “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”
Google is right, said Robert Graham, the CTO of security research firm Errata Security, in a blog post. “Since we can’t make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing ‘secure’ software that can’t turn around bugs quickly. Rather than 90 days being too short, it’s really too long.”