The endless loop that is the disclosure debate got a jolt of energy yesterday when Google said it would support researchers’ disclosure of details on actively exploited critical vulnerabilities just seven days after the researcher has notified the vendor in question.
Google hopes the policy change—almost three years ago Google was all for a 60-day window between notification and disclosure–prompts vendors to react quicker to big bugs and stifles zero-day attacks.
In the meantime, it will be interesting to watch from the sidelines whether this decision strains relationships between vendors and researchers. Google engineers, for example, are often cited in Microsoft security advisories when patches and cumulative security updates are released for Windows, Internet Explorer and other products.
Windows’ dominant desktop share and IE’s large presence in the browser market make Microsoft a perennial target. And through Trustworthy Computing and Microsoft’s coordinated vulnerability disclosure policies, the company has worked hard to improve its public and internal position on security and the priority it places on secure development in its products.
A seven-day turnaround is admittedly tricky, Google engineers Chris Evans and Drew Hintz said in announcing the change yesterday. They did couch it a bit saying that vendors would have seven days to respond with either a patch or security advisory.
“This is certainly an interesting move by Google. And I can see their reasons behind doing this, especially if people are currently targeted by a certain vulnerability,” said Nils, head of research with MWR InfoSecurity of the UK. Nils has made more than $100,000 writing successful exploits for vulnerabilities in Google’s Chrome browser, Firefox and Internet Explorer during Pwn2Own contests, and is a noted bug-hunter.
Google reconsidered its 60-day timeline in light of an unabating rash of zero-day exploits, Evans and Hintz said.
“Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds,” Evans and Hintz said. “We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action — within seven days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”
Nils, for one, said few researchers would be in an appropriate position to understand whether vulnerabilities could be immediately exploited in certain products.
“This might lead to cases where a vulnerability is disclosed early using the potential for public exploitation as an excuse, putting end-users at risk,” Nils said.
Microsoft declined an opportunity to comment for this article, as did Adobe, which has joined Microsoft atop the hackers’ hit parade. Vulnerabilities in Adobe Flash and Reader have been exploited in numerous high-profile attacks and even Adobe’s own infrastructure was attacked last year and a valid certificate was stolen and used to sign malicious utilities often used in targeted attacks. Adobe’s Connect User site was also compromised late last year.
An Adobe spokesperson did offer a statement that the company’s policy is to patch zero day vulnerabilities as quickly as possible, often before seven days.
“We don’t foresee this changing our relationship with outside researchers. Again, our policy has always been to respond as quickly as we possibly can to 0-day issues,” the Adobe statement said.
Microsoft’s coordinated vulnerability disclosure principle deems that researchers privately disclose new vulnerabilities to the vendors or a central coordinator such as a CERT, enabling the vendor in question time to analyze the vulnerability and prepare a patch. Microsoft’s stance is that once a patch is released, the researcher would then share his findings.
“If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers,” Microsoft said in a post on its Security Response Center. “The aim is to provide timely and consistent guidance to customers to protect themselves.”
Google’s own security researchers have been in the middle of some interesting exchanges on this subject. Tavis Ormandy has disclosed Microsoft vulnerabilities publicly before the company has released a patch, the first time in 2010 giving the company only five days notice regarding a flaw in the company’s Security Help Center product. That angered Microsoft’s security team, but Ormandy said he published the details because he thought attacks against the flaw were likely as attackers had studied weaknesses in protocol handlers before and making details public would help organizations defend themselves more effectively.
Just last week, Ormandy posted to the Full Disclosure mailing list details on a Windows memory vulnerability, looking for help from the community with an exploit. “I don’t have time to work on silly Microsoft code, so I’m looking for ideas on how to fix the final obstacle for exploitation,” Ormandy wrote on Full Disclosure. He also wrote on his personal blog that Microsoft treats researchers with hostility and are difficult to work with.
“I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself,” he wrote.
Google, meanwhile, said it will hold itself to the same seven-day standard, something Nils noted as well.
“It will be very interesting to see how Google will deal with the issues if Android is the affected platform, without a good patching infrastructure in place,” Nils said.