
This could encourage companies to issue security patches more quickly

Google's security team is backing a new seven-day deadline that would allow researchers to make serious vulnerabilities public a week after notifying a company.

Google security engineers Chris Evans and Drew Hintz said they want critical vulnerabilities under active exploitation to be published seven days after researchers have informed the company about them. They said this will lead to quicker patches and cut the risk of further problems in the future.

“Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds,” said Evans and Hintz. “We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action — within seven days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”

Right now, companies use either responsible disclosure or full disclosure when dealing with vulnerabilities. Under responsible disclosure, a company has as much time as it wants to patch a vulnerability, and the details of the bug aren't revealed to the public until a patch is issued. Under full disclosure, the company and the public receive information about the flaw at the same time.

Three years ago, Google's security team introduced a 60-day notice period as a middle ground between the two approaches: researchers could publish details of a flaw for the public to see after 60 days, whether or not a patch had been issued.

But it looks like Google is taking this a giant step further by advocating a new seven-day deadline, where researchers can make details about a flaw public only a week after telling the company about it. 

Google acknowledges that seven days is not enough time to patch every vulnerability. Even so, if a company can't address the bug within seven days, researchers could still publish the details of the flaw after a week so that the public can protect itself.

Earlier this month, Google security engineer Tavis Ormandy exposed a Microsoft flaw on Full Disclosure. The vulnerability, in the Windows kernel driver "Win32k.sys," was posted to the Full Disclosure mailing list on May 17.

Ormandy also insulted Microsoft on Full Disclosure, saying "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)."

Microsoft has been annoyed with Ormandy for publicly discussing vulnerabilities before they could be patched. Microsoft prefers "responsible disclosure," where security experts are asked to report flaws privately to the company.

Sources: Threat Post, Google Online Security Blog


Patch tuesday
By DanNeely on 5/30/2013 2:52:22 PM , Rating: 2
I'm sure that picking a time span that almost guarantees disclosure before one of their largest rivals releases patches for bugs that aren't being actively exploited is just a coincidence.

RE: Patch tuesday
By Mitch101 on 5/30/2013 2:55:15 PM , Rating: 2
Yeah, you know where this is coming from.

Does everyone trust 7-day test periods? I don't.

RE: Patch tuesday
By quiksilvr on 5/30/2013 3:17:06 PM , Rating: 2
I do. Why would you need longer? If the patch doesn't impact services for 7 days throughout multiple scheduled tasks and procedures, why waste time and ask for longer test periods?

RE: Patch tuesday
By DanNeely on 5/30/2013 3:41:53 PM , Rating: 2
Originally MS released patches as they were completed, which resulted in new patches coming out every few days. The monthly cycle (for bugs not being actively exploited) was due to pushback from corporate IT. They objected, for cost reasons, to having to run regression testing for their applications/systems multiple times per week, and to the downtime that resulted from having to restart servers to patch them that frequently as well.

RE: Patch tuesday
By kleinma on 5/30/2013 4:58:57 PM , Rating: 2
I hope this comes back to bite them in the ass when some major Android flaw takes them a month to patch while it's being actively exploited after someone published the goods 7 days after notifying Google.

By boeush on 5/30/2013 9:36:05 PM , Rating: 5
Given the preceding comments, I feel the need to reiterate and re-emphasize the following:
Based on our experience, however, we believe that more urgent action — within seven days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.
Get it? This applies only to vulnerabilities that are already known to hackers, and are already being exploited by hackers. With that going on, it makes little sense to keep such vulnerabilities "secret" -- as they are not "secret" among the people already exploiting them, keeping up such "secrecy" would only damage the people being exploited.

In reality
By Shadowself on 5/30/2013 4:49:37 PM , Rating: 3
This 7 days is just a guidance.

There is absolutely nothing that requires disclosure in 7 days, nor is there anything that absolutely forbids the discoverer from disclosing on day zero.

I believe it would be nice if every security investigator that found a hole waited at least 60 days after disclosure to the developer to disclose it to the public, as I believe if you can't solve the issue in 60 days (which includes a reasonable testing period), the developer either can't solve it without major architecture changes or the developer doesn't care enough to solve it.

Many small- to medium-sized developers may not have the resources to respond to vulnerabilities with a fully vetted fix within seven days. Why set up a system that actively penalizes them?

And this does not go for vulnerabilities already being actively exploited in the wild. In those cases the vulnerability needs to be disclosed immediately (though maybe not disclose the low level, nuts and bolts of how the vulnerability is exploited).

google advisory notice
By croc on 5/31/2013 9:46:20 PM , Rating: 2
Yep... Look at any blog on Daily Tech and get a nice big red REPORTED ATTACK PAGE! notice, followed by a google advisory as to how offensive this page REALLY IS!

I chose to ignore it...
