back to article Google cuts Microsoft and pals some slack in zero-day vuln crusade – an extra 14 days tops

Google has adjusted the terms of its controversial Project Zero vulnerability scouting effort, loosening its 90-day disclosure policy somewhat to give companies a better chance of fixing their security bugs before they become public knowledge. Among the changes, Google says it will no longer disclose bugs on weekends and …

  1. Robert Helpmann?? Silver badge
    Childcatcher

    Still Unclear on Concept

    "Google, meanwhile, said that an arbitrary deadline, albeit a nondiscriminatory one, is the best vendors can hope for."

    Well, they have this one hammer, so they will be beating people with it for a while. What's it called again when someone decides what's right for everybody else and takes preemptive action based on that arbitrary decision? Vigilantism? Tyranny? It makes me wonder if Google is trying to redefine the way people use their name in conversations from "I needed to do some research so I googled the subject," to "Wow! He really googled that! I bet he never does that again."

    1. big_D Silver badge

      Re: Still Unclear on Concept - Two faced

      The thing that annoys me, is that Microsoft struggle to get a fix out in 90 days for operating systems dating back to 2003, and they don't get 2 extra days for the fix (to meet normal release schedules), yet Google look at a bug in their own software and say, well, that affects software from 2012, we aren't going to bother fixing it.

      The 90 days is totally irrelevant!

      If a company is trying to fix the problem and says they need an extra few days or an extra month, it shows they are trying.

      On the other hand, if you have companies like Google themselves, who turn around and say that 2 year old code is irrelevant and not worth fixing, then 90 days is irrelevant, you might as well release the details immediately...

      1. DryBones

        Re: Still Unclear on Concept - Two faced

        Might be because the bugs in that codebase have to go through the manufacturer, then the vendor, and there's a pretty high % chance that one of those two can't be arsed to pass it through because they're wanting to push the latest and greatest phones?

        1. big_D Silver badge

          Re: Still Unclear on Concept - Two faced

          Here there should be redress. If they don't release a patch for the security problems, then they should be forced to provide their customers with a secure replacement "loan" device, until they do. Good, a smartphone isn't like a PC, so a 4 - 5 year life span would be reasonable.

          But the manufacturers and carriers (heck, why not just shut the damned carriers out and force them to take unbranded devices?) should be responsible for seeing that security patches are released to their devices quickly (in a maximum of weeks after Google / Microsoft have released a patch).

          That is the problem at the moment, they are putting their customers at risk, but nobody is being held responsible. If Ford said, "the Mondeo with brake problems is 18 months old, we aren't going to address it," they would end up in front of the courts facing civil and criminal charges.

    2. JCitizen
      Megaphone

      Re: Still Unclear on Concept

      You can tell it has Microsoft rattled, because they have messed up more updates in the last two patch Tuesdays than they have in 5 years! I'm going to have to stop doing them right away, and wait at least 24 hours to see which ones are causing freeze ups, and every other order of grief for the end user.

  2. JamesTQuirk

    More Eyes on Code

    I am missing something ? 90 days is good ammount of time to DO SOMETHING, anything that can remedy situation, or is it that MicroSlack can't keep up with all it's bugs ? To big, cumbersome & unwheldy to fix, across their "finger in every pie" OS's, seems to be message here, maybe MS don't want people to know, about bugs&holes till they get around to it, in the UPGRADE ...

    1. Tromos

      Re: More Eyes on Code

      Are you missing something?

      I'd say yes. Literacy and grammar for starters.

      1. JamesTQuirk

        Re: More Eyes on Code

        Good, if I don't speak "the Queens English", you let me know, It will save me checking grammer&spelling to converting it into Ancient English, on "blurb" posts I do on my phone ...

        1. DougS Silver badge

          Re: More Eyes on Code

          You don't speak any sort of English, unless "illiterate English" is considered a language now.

          1. JamesTQuirk

            Re: More Eyes on Code

            You mean like MS Visual Basic was considered a programming language ?

            1. Anonymous Coward
              Anonymous Coward

              Re: More Eyes on Code

              Which language was 'like' Visual Basic?

              1. JamesTQuirk

                Re: More Eyes on Code @ Anonymous Coward

                Not sure, but it agravated repressed english schoolboys with a phobia about spell check, pity its a IT site, wish they would stay @ lancafe, but maybe they want to be a office addon when they grow up ...

                But they come to a IT thats discussing BIG HOLES in MS OS, and their counterpoint is spelling....

                Twats ....

              2. Trevor_Pott Gold badge

                Re: More Eyes on Code

                "Which language was 'like' Visual Basic?"

                Base primates smearing poop on the walls comes to mind...

    2. Captain Queeg

      Re: More Eyes on Code

      90 Days is time to do "something" but given the amount of regression testing that must be required it's probably only time to cobble something together in an unstructured and untested way.

      I'm sure MS could be more fleet of foot than they are, but I'm equally sure continuing to drive this agenda is the wrong way to improve things.

      This is little more than a pi**ing competition.

    3. big_D Silver badge

      Re: More Eyes on Code

      @James

      And Google themselves refusing to fix code in 2 year old software, whilst Microsoft ask for an extra 2 days to meet their patch schedule and get that fixed in releases going back over a decade? Who isn't pulling their finger out?

      1. JamesTQuirk

        Re: More Eyes on Code

        Look I agree with some lee-way & google NOT being in charge of dumping crap on others OS, trying to make chrome seem more secure, but, 90 days is when they should let others know so they can look at the problem, not to mention maybe a legal requirement in some countries, regarding client data destroyed by something MS was aware of ..

        Yes there is a long line of OLD bugs, in bash, 23 years in Apple/Red Hat 'nix OS, while debian/ubuntu it was not a issue, already patched in opensource system. Same for several other long term 'nix bugs.

        However some people pay big money to windows, or any commercial firm, for a secure/reliable OS&apts, to do business with, so I would expect at least a warning, before they had a cure, so I could monitor servers & systems for issue ....

  3. Anonymous Coward
    Anonymous Coward

    WebView

    So Google, how is that WebView security fix coming along?

    1. Anonymous Coward
      Anonymous Coward

      Re: WebView

      The real question is: How long was the time between google getting notified about webview, and the public getting notified?

      As for grace time, 90 days seems kinds long. At one point certain research groups gave around 9 minuted worth of notice, if even that. Then 24 hours became the new "fair", as that was shortest time period that didn't give timezone and sleep cycle disadvantages/advantages.

      Speaking of, which weekends and public holidays are google talking about? If we combine western christmas+newyear, russian dito, chinese newyear, northern europe summer shutdown, continental europe summer shutdown, we're left with... October.. Although the Bavarians might not have ended octoberfest yet.

      Probably the only fair solution is to go back to fixed number of days.

      1. Hans 1 Silver badge

        Re: WebView

        >Although the Bavarians might not have ended octoberfest yet.

        Oktoberfest, yes, with a K, is held in the month of September ... ;-) And, you forgot about the Jewish and muslim holidays (Fridays, Saturdays, Sundays are nogos, a whack of odd days throughout the year as well) ... I could go on.

  4. Captain Queeg

    Hmmm....

    "if the date of a patch disclosure deadline falls on a weekend or a public holiday, Google now says it will hold off on its disclosure until the next working day"

    That's big of them...

    1. BongoJoe

      Re: Hmmm....

      Well, it saves having staff coming in on a Bank Holiday to make an announcement and thus saves the company double time and a day off in lieu.

  5. big_D Silver badge

    Good Job

    That Google didn't find the domain bug that needed nearly a year of redesigning and recoding of the core of Windows domain functionality.

    While I agree that companies sometimes need pressure to put out fixes (just look at the crap state of getting security patches released for Android!), if a company is working hard and need more than 90 days, then the bug reporter should work with the company.

    If a fix will take a year to code and fix, because it is something fundamental to the central design of the OS, you aren't going to get that fixed in a couple of weeks or even a couple of months.

    I would agree with 90 days, if the software company doesn't respond or doesn't seem to be taking the bug seriously, but if they are working hard and fixing the problem and tell the researchers that they need more time to get it fixed and tested, then they should get that time.

    Goto Fail? Yeah, you can probably get a fix out in a couple of days.

    Redesign the way domain integration works? Nope, 90 days aren't realistic!

    1. Adrian 4 Silver badge

      Re: Good Job

      Of course there are some bugs that take longer than 90 days to fix (and test and release). But if one lot of researchers have found it, so will another - and they might be exploiting it. Just because it takes a while to fix doesn't mean the blackhats will hold off too.

      If 90 days is too short, then the vendor should offer a workaround instead, or at least a warning to disable some feature. Just keeping it quiet isn't a reasonable option.

      1. big_D Silver badge

        Re: Good Job

        But if the machines are going to be at risk for a year, becaus that is how long it takes to fix, then you don't want to announce the prolbem after three months and give the blackhats a 9 month headstart in exploiting it.

        If there is evidence that the bug is being exploited in the wild, then the 90 days should be dropped and the users informed straight away, so they are aware of the problem and maybe given some advice on how they can protect themselves.

        But releasing the details before a patch, when the company is working hard on the patch, when there is no evidence that the bug is being exploited, is just putting the users at risk for one-up-manship.

        1. JamesTQuirk

          Re: Good Job

          big_D, So, for a madeup example, if the Sony Hack was down to Hole MS knew about, but didn't tell anyone, MS wouldn't be liable ?

          Also for failing to allow consumers choice ? Giving them chance/warning to prepare ?

          Who owns our data, MS ? Not here, I think the EULA is a bit back to front, we should be giving them permission to protect our Data & Networks, Expecting them to keep the software "working as advertised", not getting permission from them to use crappy software, which they may or may not tell you how crappy it is ....

    2. Hans 1 Silver badge
      Linux

      Re: Good Job

      @ big_D

      >Redesign the way domain integration works?

      These are the types of problems you get with non-*nix systems, where you have one monolithic block of an OS where even userland shit like a browser is part of the whole. Unix philosophy of a number of different tools and protocols to choose from is the way to go, you would think.

      Then you have the impact of a bug in Windows that can have repercussions in areas you would not expect, because a gazillion of different coders attempt to create this monolithic monster of an OS and communication can only go so far.

      90 days ? 9 should be enough, in Free Software world, a security bug reported on a Monday gets fixed on the following Tuesday, before lunch, then sent out to the gazillion testers (bleeding edge users) - free software has more testers than MS employees.

  6. Boris the Cockroach Silver badge
    Windows

    If

    Companies did'nt "copy and paste" whole sections of code from the previous OS and re-written the thing from the ground up(like the advertisers have us believe) then the exploits would only affect 1 OS and not every single one since the days of Win 3.1

    Maybe thats why flash is such a exploit laden POS too.

    1. Fibbles

      Re: If

      There's nothing wrong with re-using properly encapsulated code. There are only so many ways to skin a cat etc.

    2. JamesTQuirk

      Re: If

      Thats how OSX had 21 year old bash bug, they just make 'nix look pretty, turn it into spyware OS, & use it to sell you crap ....

      I other wonder how much this effects Android, everytime theres a major bug in the 'nix code that was converted into java, & bugs in java also being a issue, no wonder it's always jumping versions ...

  7. Mikel

    >meaning cyber-crooks have access to working exploits the minute Google's disclosure goes live.

    Cyber crooks had access to the bug the day the offending error was published. Let us not forget that disclosure or not, the bug is there for anyone to exploit.

  8. Jason Bloomberg Silver badge
    Devil

    Staggered release would be better

    The problem is in having rigidly fixed periods after which everything about a flaw is dumped, including the exploit code.

    It doesn't have to be that way but Google is choosing to do it that way and it seems done more to damage their rivals and harm users than to protect them. I can understand Google might like everyone to dance to their tune but blackmail, threat and exposing people to risk is not the best means of applying pressure.

    I accept public notification as a means of kicking the lethargic and could-not-care-less into action but any release, particularly of exploit code, should be tempered by the damage done in doing that.

  9. Richard Cranium

    missing the point...

    ...arguing about how long is reasonable. My issue is: just who appointed Google as the global security patch police force?

    We could end up with a tit for tat battle, Microsoft might find a problem with some Android code and declare that they consider it so serious that in their opinion 30 days should be long enough for Google to fix it so release exploit code on day 31.

    Arbitrary timescales are no benefit to anyone - if a serious zero-day exploit crops up, Google's 90 days is inappropriate but by all means publish exploits for the "2038 Unix Millennium Bug" or the Y10K bug and if anyone has failed to patch over the next 23 years subject them to as much criticism as you like - but don't chastise them for not doing it within 90 days.

    IMHO publishing details of a potential exploit before a patch has been released is irresponsible (I'll make an exception for the Unix Millennium Bug!). I'd like to think that any organisation which then suffered a successful attack using an exploit prematurely publicised would have a legal case for liability against the leaker upheld.

    How long is reasonable to fix a problem depends on the problem. Some are trivial to fix others may have repercussions elsewhere in the codebase and need extensive effort and regression testing.

    Some issues will be easy and damaging to exploit others are so obscure that the real world risk, even if details of the exploit are published, that the bad guys won't find it worth their while to utilise.

    We've all seen bug fixes that result in an unforeseen side effect. We've seen fixes reverted. Many adopt a policy of not implementing (non-critical) patches immediately preferring to wait for others to deliver feedback on effectiveness. We may choose to hold-off Windows 10 but await Windows 10.1.

    I don't want developers pulled off a serious problem to focus on an obscure exploit that a competitor has chosen to publicise because they've known about it for nearly 90 days.

    By all means pressure developers who appear to be dragging their feet on patches but there are safer ways. How about publishing a simple graphical representation of known bugs by age, perceived severity and company without identifying the actual exploits. And how about that being done by someone without their own agenda of covering their own shortcomings while trumpeting those of their competitors.

    This shouldn't be about corporates point scoring over each other, it should be about keeping your and my computing environment safe.

    1. JamesTQuirk

      Re: missing the point...

      "My issue is: just who appointed Google as the global security patch police force?"

      American Government, has "subbed" it apparently & may give Apple their economy .....

      Obama administration ENDORSES Apple Pay during Tim Cook's White House LOVE-IN

      U.S. benefit claimants can now use Cupertino payment system

      http://www.theregister.co.uk/2015/02/15/apple_pay_federal_government_obama_cook/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019