Governance & Risk Management , Next-Generation Technologies & Secure Development
Google Reveals More Microsoft Zero Days
Should All Flaws Get Fixed Within 90 Days?After laying off an unspecified number of its testing-focused Windows and Office software engineers over the summer, in recent months Microsoft has botched two major patches, to the consternation of numerous Windows users. It also failed to patch several different Windows flaws within 90 days of learning about them via Google's dedicated bug-hunting Project Zero team. As a result, Google has been releasing full bug details to the public (see Google Discloses Microsoft Zero Day Flaw).
See Also: Webinar | Securing Cloud Architectures: Implementing Zero Standing Privileges
Adding potential fuel to the fire, Microsoft recently ceased the bulk distribution of its patch information, except for customers who pay for premium support. But much of the same information will reportedly still be available, for free, via Microsoft's Security TechCenter.
Google's recent release of details on multiple, previously unknown Windows bugs - including proof-of-concept exploit code that could be "weaponized" and turned into working attacks - comes after the search giant declared that any software developer should be able to fix any software flaw within 90 days.
One of Google's recent Windows bug reports centered on a privilege-escalation vulnerability in Windows 8.1 that an attacker might use to execute malicious code. The release of those bug details led to "a call for better coordinated vulnerability disclosure" from Chris Betz, senior director of the Microsoft Security Response Center, which is part of its Trustworthy Computing Group.
Betz says Microsoft requested that Google delay its planned Jan. 11 disclosure of the flaw until Jan. 13, when Microsoft would release the fix as part of its regularly scheduled, monthly "Patch Tuesday" slew of updates. Microsoft has long used the second Tuesday of every month to release all of its patches for the month at once, although it sometimes also issues "out of band" emergency fixes to address flaws that are being actively exploited in the wild.
But Google declined to wait, leading Microsoft's Betz to note: "Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
The war of words has continued to escalate, with Google subsequently making public - again, 90 days after having privately notified Microsoft - details on more Windows flaws. Microsoft had planned to fix one of those bugs - in CryptProtectMemory - as part of its January Patch Tuesday, but discovered compatibility problems just before the update's release, and now expects to ship a fix in February instead.
Microsoft responded to Google's bug report with this statement: "We are not aware of any cyber-attacks using the CryptProtectMemory bypass. Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first." Of course, details of the flaw - plus proof-of-concept exploit code - have already been made public by Google.
Google's Policy: Who Benefits?
Google's vulnerability policy has been criticized by some security experts, who note that the company competes with Microsoft on several fronts, and is not a neutral third party.
"I am very uncomfortable with technology organizations publishing details of vulnerabilities in the software of their peer organizations," London-based Fayaz Khaki, associate director of information security for market research firm IDC, tells Information Security Media Group.
Some commentators have also noted that Google employs agile development processes for its products, which makes them relatively easy and quick to update. Likewise, it maintains a browser built to automatically receive updates. Also, Google has created a mobile operating system that's open source, and thus absolves it from having to update most of the estimated 930 million devices that are running outdated versions of Android, which contain known vulnerabilities.
A Stark Twist
Microsoft being under fire for failing to patch promptly represents a stark twist for the technology giant, and is being heralded by some security researchers as a long-delayed comeuppance. "A decade ago in the cybersecurity industry, Microsoft dictated terms," Robert David Graham, who heads information security research firm Errata Security, says in a blog post. "Today, the proverbial shoe is on the other foot."
Microsoft's market dominance a decade ago enabled the company to set - and enforce - "responsible disclosure" policies for bugs identified by third-party information security researchers. In the Microsoft dictionary, "responsible" meant researchers would give technology vendors as much time as they needed to fix software or hardware flaws, and remain mum until given the green light by the vendor in question. Researchers who balked at those terms did so at their peril, Graham says, noting that in 2007, when he planned to give a Black Hat conference talk on vulnerabilities in TippingPoint's intrusion prevention system, Microsoft issued a legal threat, and Graham began receiving visits from FBI agents.
Much has changed since then. For starters, numerous information security researchers - if not always vendors - have argued that any bug they find may have already been found by others, and thus should be publicly disclosed in a timely manner. At the same time, there's been a growth in zero-day vulnerability brokers, who sell information about bugs to the highest bidder, although some restrict sales to only Western governments. Those involved include HP TippingPoint's Zero Day Initiative and the security firm Vupen, as well as defense contractors Northrop Grumman and Raytheon.
These vulnerability buyers and brokers underpin an ecosystem that remunerates security researchers for privately disclosing vulnerabilities and staying quiet. Critics, however, accuse these bug buyers and sellers of putting average users at risk.
Target: Zero-Day Economy
One potential way to undercut that zero-day economy, however, is to patch flaws as quickly as possible, and some security experts say 90 days is probably a good benchmark. Google, furthermore, has said that the vast majority of its notifications result in fixes in less than 90 days.
But some fixes are apparently easier to build than others. Indeed, Microsoft had to reissue a bad Windows 7 patch in November 2014, following it botching a Windows 8.1 update in August. Those bug-fix missteps followed Microsoft CEO Satya Nadella announcing in July that the company would lay off 14 percent of its workforce, including some of the company's Windows and Office software-testing engineers. A Microsoft spokeswoman declined to comment about how many such staff were laid off, or whether that accounts for the recent problems.
The imperative for Microsoft to patch more quickly has potentially been complicated by the company having more flaws to fix. Vulnerability and patch management vendor Secunia, for example, reports that in 2013, 126 new bugs were discovered in IE. But in 2014, the number of new bugs discovered in supported versions of IE nearly doubled. "It is too early to conclude whether it is a bad or a good sign," says Kasper Lingaard, Secunia's director of research and security. "Is it because Microsoft is becoming more focused on browser security? Is it a result of the 'Internet Explorer 11 Preview Bug Bounty'? Or is it just where both sides of the industry has directed its focus in 2014?"
As Lingaard suggests, paying more attention to security - for example via a public bug bounty program for a still-in-beta version of IE - can have the effect that more bugs will get found, and thus must be fixed. But the question remains: How quickly?
Update: This story originally stated that the Bangkok-based security researcher who calls himself "the Grugq" works as an independent exploit broker. The Grugq contacted Information Security Media Group to say that he no longer works as an exploit broker.