Google cuts Microsoft and pals some slack in zero-day vuln crusade – an extra 14 days tops Google has adjusted the terms of its controversial Project Zero vulnerability scouting effort, loosening its 90-day disclosure policy somewhat to give companies a better chance of fixing their security bugs before they become public knowledge. Among the changes, Google says it will no longer disclose bugs on weekends and …
"Google, meanwhile, said that an arbitrary deadline, albeit a nondiscriminatory one, is the best vendors can hope for."
Well, they have this one hammer, so they will be beating people with it for a while. What's it called again when someone decides what's right for everybody else and takes preemptive action based on that arbitrary decision? Vigilantism? Tyranny? It makes me wonder if Google is trying to redefine the way people use their name in conversations from "I needed to do some research so I googled the subject," to "Wow! He really googled that! I bet he never does that again."
The thing that annoys me, is that Microsoft struggle to get a fix out in 90 days for operating systems dating back to 2003, and they don't get 2 extra days for the fix (to meet normal release schedules), yet Google look at a bug in their own software and say, well, that affects software from 2012, we aren't going to bother fixing it.
The 90 days is totally irrelevant!
If a company is trying to fix the problem and says they need an extra few days or an extra month, it shows they are trying.
On the other hand, if you have companies like Google themselves, who turn around and say that 2 year old code is irrelevant and not worth fixing, then 90 days is irrelevant, you might as well release the details immediately...
Might be because the bugs in that codebase have to go through the manufacturer, then the vendor, and there's a pretty high % chance that one of those two can't be arsed to pass it through because they're wanting to push the latest and greatest phones?
Here there should be redress. If they don't release a patch for the security problems, then they should be forced to provide their customers with a secure replacement "loan" device, until they do. Good, a smartphone isn't like a PC, so a 4 - 5 year life span would be reasonable.
But the manufacturers and carriers (heck, why not just shut the damned carriers out and force them to take unbranded devices?) should be responsible for seeing that security patches are released to their devices quickly (in a maximum of weeks after Google / Microsoft have released a patch).
That is the problem at the moment, they are putting their customers at risk, but nobody is being held responsible. If Ford said, "the Mondeo with brake problems is 18 months old, we aren't going to address it," they would end up in front of the courts facing civil and criminal charges.
You can tell it has Microsoft rattled, because they have messed up more updates in the last two patch Tuesdays than they have in 5 years! I'm going to have to stop doing them right away, and wait at least 24 hours to see which ones are causing freeze ups, and every other order of grief for the end user.
I am missing something ? 90 days is good ammount of time to DO SOMETHING, anything that can remedy situation, or is it that MicroSlack can't keep up with all it's bugs ? To big, cumbersome & unwheldy to fix, across their "finger in every pie" OS's, seems to be message here, maybe MS don't want people to know, about bugs&holes till they get around to it, in the UPGRADE ...
Not sure, but it agravated repressed english schoolboys with a phobia about spell check, pity its a IT site, wish they would stay @ lancafe, but maybe they want to be a office addon when they grow up ...
But they come to a IT thats discussing BIG HOLES in MS OS, and their counterpoint is spelling....
Twats ....
90 Days is time to do "something" but given the amount of regression testing that must be required it's probably only time to cobble something together in an unstructured and untested way.
I'm sure MS could be more fleet of foot than they are, but I'm equally sure continuing to drive this agenda is the wrong way to improve things.
This is little more than a pi**ing competition.
Look I agree with some lee-way & google NOT being in charge of dumping crap on others OS, trying to make chrome seem more secure, but, 90 days is when they should let others know so they can look at the problem, not to mention maybe a legal requirement in some countries, regarding client data destroyed by something MS was aware of ..
Yes there is a long line of OLD bugs, in bash, 23 years in Apple/Red Hat 'nix OS, while debian/ubuntu it was not a issue, already patched in opensource system. Same for several other long term 'nix bugs.
However some people pay big money to windows, or any commercial firm, for a secure/reliable OS&apts, to do business with, so I would expect at least a warning, before they had a cure, so I could monitor servers & systems for issue ....
The real question is: How long was the time between google getting notified about webview, and the public getting notified?
As for grace time, 90 days seems kinds long. At one point certain research groups gave around 9 minuted worth of notice, if even that. Then 24 hours became the new "fair", as that was shortest time period that didn't give timezone and sleep cycle disadvantages/advantages.
Speaking of, which weekends and public holidays are google talking about? If we combine western christmas+newyear, russian dito, chinese newyear, northern europe summer shutdown, continental europe summer shutdown, we're left with... October.. Although the Bavarians might not have ended octoberfest yet.
Probably the only fair solution is to go back to fixed number of days.
>Although the Bavarians might not have ended octoberfest yet.
Oktoberfest, yes, with a K, is held in the month of September ... ;-) And, you forgot about the Jewish and muslim holidays (Fridays, Saturdays, Sundays are nogos, a whack of odd days throughout the year as well) ... I could go on.
That Google didn't find the domain bug that needed nearly a year of redesigning and recoding of the core of Windows domain functionality.
While I agree that companies sometimes need pressure to put out fixes (just look at the crap state of getting security patches released for Android!), if a company is working hard and need more than 90 days, then the bug reporter should work with the company.
If a fix will take a year to code and fix, because it is something fundamental to the central design of the OS, you aren't going to get that fixed in a couple of weeks or even a couple of months.
I would agree with 90 days, if the software company doesn't respond or doesn't seem to be taking the bug seriously, but if they are working hard and fixing the problem and tell the researchers that they need more time to get it fixed and tested, then they should get that time.
Goto Fail? Yeah, you can probably get a fix out in a couple of days.
Redesign the way domain integration works? Nope, 90 days aren't realistic!
Of course there are some bugs that take longer than 90 days to fix (and test and release). But if one lot of researchers have found it, so will another - and they might be exploiting it. Just because it takes a while to fix doesn't mean the blackhats will hold off too.
If 90 days is too short, then the vendor should offer a workaround instead, or at least a warning to disable some feature. Just keeping it quiet isn't a reasonable option.
But if the machines are going to be at risk for a year, becaus that is how long it takes to fix, then you don't want to announce the prolbem after three months and give the blackhats a 9 month headstart in exploiting it.
If there is evidence that the bug is being exploited in the wild, then the 90 days should be dropped and the users informed straight away, so they are aware of the problem and maybe given some advice on how they can protect themselves.
But releasing the details before a patch, when the company is working hard on the patch, when there is no evidence that the bug is being exploited, is just putting the users at risk for one-up-manship.
big_D, So, for a madeup example, if the Sony Hack was down to Hole MS knew about, but didn't tell anyone, MS wouldn't be liable ?
Also for failing to allow consumers choice ? Giving them chance/warning to prepare ?
Who owns our data, MS ? Not here, I think the EULA is a bit back to front, we should be giving them permission to protect our Data & Networks, Expecting them to keep the software "working as advertised", not getting permission from them to use crappy software, which they may or may not tell you how crappy it is ....
@ big_D
>Redesign the way domain integration works?
These are the types of problems you get with non-*nix systems, where you have one monolithic block of an OS where even userland shit like a browser is part of the whole. Unix philosophy of a number of different tools and protocols to choose from is the way to go, you would think.
Then you have the impact of a bug in Windows that can have repercussions in areas you would not expect, because a gazillion of different coders attempt to create this monolithic monster of an OS and communication can only go so far.
90 days ? 9 should be enough, in Free Software world, a security bug reported on a Monday gets fixed on the following Tuesday, before lunch, then sent out to the gazillion testers (bleeding edge users) - free software has more testers than MS employees.
Companies did'nt "copy and paste" whole sections of code from the previous OS and re-written the thing from the ground up(like the advertisers have us believe) then the exploits would only affect 1 OS and not every single one since the days of Win 3.1
Maybe thats why flash is such a exploit laden POS too.
Thats how OSX had 21 year old bash bug, they just make 'nix look pretty, turn it into spyware OS, & use it to sell you crap ....
I other wonder how much this effects Android, everytime theres a major bug in the 'nix code that was converted into java, & bugs in java also being a issue, no wonder it's always jumping versions ...
The problem is in having rigidly fixed periods after which everything about a flaw is dumped, including the exploit code.
It doesn't have to be that way but Google is choosing to do it that way and it seems done more to damage their rivals and harm users than to protect them. I can understand Google might like everyone to dance to their tune but blackmail, threat and exposing people to risk is not the best means of applying pressure.
I accept public notification as a means of kicking the lethargic and could-not-care-less into action but any release, particularly of exploit code, should be tempered by the damage done in doing that.
...arguing about how long is reasonable. My issue is: just who appointed Google as the global security patch police force?
We could end up with a tit for tat battle, Microsoft might find a problem with some Android code and declare that they consider it so serious that in their opinion 30 days should be long enough for Google to fix it so release exploit code on day 31.
Arbitrary timescales are no benefit to anyone - if a serious zero-day exploit crops up, Google's 90 days is inappropriate but by all means publish exploits for the "2038 Unix Millennium Bug" or the Y10K bug and if anyone has failed to patch over the next 23 years subject them to as much criticism as you like - but don't chastise them for not doing it within 90 days.
IMHO publishing details of a potential exploit before a patch has been released is irresponsible (I'll make an exception for the Unix Millennium Bug!). I'd like to think that any organisation which then suffered a successful attack using an exploit prematurely publicised would have a legal case for liability against the leaker upheld.
How long is reasonable to fix a problem depends on the problem. Some are trivial to fix others may have repercussions elsewhere in the codebase and need extensive effort and regression testing.
Some issues will be easy and damaging to exploit others are so obscure that the real world risk, even if details of the exploit are published, that the bad guys won't find it worth their while to utilise.
We've all seen bug fixes that result in an unforeseen side effect. We've seen fixes reverted. Many adopt a policy of not implementing (non-critical) patches immediately preferring to wait for others to deliver feedback on effectiveness. We may choose to hold-off Windows 10 but await Windows 10.1.
I don't want developers pulled off a serious problem to focus on an obscure exploit that a competitor has chosen to publicise because they've known about it for nearly 90 days.
By all means pressure developers who appear to be dragging their feet on patches but there are safer ways. How about publishing a simple graphical representation of known bugs by age, perceived severity and company without identifying the actual exploits. And how about that being done by someone without their own agenda of covering their own shortcomings while trumpeting those of their competitors.
This shouldn't be about corporates point scoring over each other, it should be about keeping your and my computing environment safe.
"My issue is: just who appointed Google as the global security patch police force?"
American Government, has "subbed" it apparently & may give Apple their economy .....
Obama administration ENDORSES Apple Pay during Tim Cook's White House LOVE-IN
U.S. benefit claimants can now use Cupertino payment system
http://www.theregister.co.uk/2015/02/15/apple_pay_federal_government_obama_cook/
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
