Google is unstoppable. Within less than three weeks, Google revealed a total of four zero day vulnerabilities affecting Windows, two of them just days before Microsoft was ready to release a patch. Microsoft was not amused and judging by Google’s reaction, more such cases are likely to follow.
Is this Google’s way of teaching their competition to be more efficient? And what about the users? Is Google’s strict adherence to arbitrary deadlines in our best interest?
Why Is Google Reporting Windows Vulnerabilities?
Project Zero, a team of Google security analysts, has been researching zero day exploits since 2014. The project was founded after a part-time research group had identified several software bugs, including the critical Heartbleed vulnerability.
In their Project Zero announcement, Google stressed that their top priority was to make their own products secure. Since Google isn’t operating in a vacuum, their research extends to any software their customers are using.
So far, the team has identified over 200 bugs in various products, including Adobe Reader, Flash, OS X, Linux, and Windows. Each vulnerability is reported to the software vendor only and receives a 90-day grace period, after which it is made public via the Google Security Research forum.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
That’s what happened to Microsoft. Four times. The first Windows vulnerability (issue #118) was identified on September 30, 2014 and was subsequently published on December 29, 2014. On January 11, just days before Microsoft was ready to push out a fix via Patch Tuesday, the second vulnerability (issue #123) was made public, launching a debate about whether Google couldn’t have waited. Only days later, two more vulnerabilities (issue #128 & issue #138) appeared on the public database, escalating the situation further.
What Happened Behind The Scenes?
The first issue (#118) was a critical privilege escalation vulnerability, shown to affect Windows 8.1. According to The Hacker News, it “could allow a hacker to modify contents or even to take over victims’ computers completely, leaving millions of users vulnerable”. Google didn’t reveal any communication with Microsoft regarding this issue.
For the second issue (#123), Microsoft asked for an extension, and when Google denied it, they made efforts to release the patch a month earlier. These were James Forshaw’s comments:
Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline. Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.
Microsoft released patches for both issues with Update Tuesday in January.
With the third issue (#128), Microsoft had to delay a patch due to compatibility issues.
Microsoft informed us that a fix was planned for the January patches but has to be pulled due to compatibility issues. Therefore the fix is now expected in the February patches.
Even though Microsoft had informed Google that they were working on the issue but facing difficulties, Google went ahead and published the vulnerability. No negotiation, no mercy.
For the last issue (#138), Microsoft decided not to fix it. James Forshaw added the following comment:
Microsoft have concluded that the issue does not meet the bar of a security bulletin. They state that it would require too much control from the part of the attacker and they do not consider group policy settings as a security feature.
Is Google’s Behavior Acceptable?
Microsoft doesn’t think so. In a thorough response, Chris Betz, Senior Director of the Microsoft Security Research Center, calls for a better coordinated vulnerability disclosure. He emphasizes that Microsoft believes in Coordinated Vulnerability Disclosure (CVD), a practice in which researchers and companies collaborate on vulnerabilities to minimize risk for customers.
Regarding the recent events, Betz confirms that Microsoft specifically asked Google to work with them and withhold details until fixes were distributed during Patch Tuesday. Google ignored the request.
Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result.
According to Betz, publicly disclosed vulnerabilities experience orchestrated attacks from cyber criminals, something hardly seen when issues are disclosed privately through CVD and patched before the information becomes public. Further, Betz says that not all vulnerabilities are created equal, meaning the timeline within which an issue gets patched depends on its complexity.
His call for collaboration is loud and clear, and his arguments are solid. The reflection that no software is perfect because it’s made by mere humans working with complex systems is endearing. Betz hits the nail on the head when he says:
What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
The other point of view is that Google has an established policy and doesn’t want to give way to exceptions. This is not the kind of inflexibility you’d expect from an ultra-modern company like Google. Moreover, publishing not only the vulnerability but also the exploit code is irresponsible, given that millions of users could get hit by a concerted attack.
If This Happens Again, What Can You Do To Protect Your System?
No software will ever be safe from zero day exploits. You can increase your own safety by adopting common-sense security hygiene. This is what Microsoft recommends:
Our Verdict: Google Should Have Cooperated With Microsoft
Google stuck to its arbitrary deadline, rather than being flexible and acting in the best interest of their users. They could have extended the grace period for revealing the vulnerabilities, especially after Microsoft communicated that patches were (almost) ready. If Google’s noble aim is to make the Internet safer, they must be ready to cooperate with other companies.
Meanwhile, Microsoft could possibly have thrown more resources at developing patches. 90 days is regarded as a sufficient time frame by some. Due to pressure from Google, they did in fact push one patch out one month earlier than estimated initially. It almost looks like they didn’t prioritize the issue highly enough originally.
Generally, if the software vendor signals that they’re working on the issue, researchers like Google’s Project Zero team should cooperate and extend grace periods. Keeping a soon-to-be-patched vulnerability secret appears to be safer than attracting the attention of hackers. Shouldn’t customer safety be any company’s top priority?
What do you think? What would have been a better solution or did Google do the right thing after all?