Yesterday was the first Patch Tuesday of 2015, and the monthly Microsoft patching schedule is already mired in controversy. First, there was the decision by Microsoft to eliminate the public Advance Notification Service for security bulletins. More recently, Google published details — including proof-of-concept exploit code — for a privilege-escalation vulnerability in Windows two days before Microsoft was set to make the patch available.
Microsoft publicly chastised Google for the seemingly irresponsible disclosure. However, Google originally shared the vulnerability details with Microsoft on October 13, 2014, and it adheres to a strict 90-day disclosure policy. When Microsoft’s 90 days were up, Google shared the details of the bug.
Which company is right? The debate over “responsible” disclosure has raged for years. Developers would obviously like to keep flaws secret until the patch is created, tested, and ready to be deployed… whenever that is. Researchers want to know that their efforts were not in vain and that vendors are taking vulnerability discoveries seriously. As questionable as it may be for a researcher — like Google — to share information about a bug before the patch is available, it could be construed as equally questionable for the researcher to keep the information a secret indefinitely while millions of users are exposed to a security threat they don’t even know exists.
Microsoft published a blog post on Monday about the coordinated vulnerability disclosure debate. Microsoft’s Chris Betz declared, “With all that is going on, this is a time for security researchers and software companies to come together and not stand divided over important protection strategies, such as the disclosure of vulnerabilities and the remediation of them.”
I asked security experts for their thoughts on the ethics of responsible or coordinated disclosure. Predictably, I got answers from both sides of the fence.
Tom Gorup, security operations center manager for Rook Security, noted that the release timing was in line with Google’s previous zero-day flaw releases, and he praised Google for enforcing a consistent policy. “If I don’t know a vulnerability exists, I can’t do anything to detect or prevent attacks that leverage the vulnerability. Just because the general public isn’t aware of the issue doesn’t mean it’s not being actively exploited. It’s also important to be consistent with vulnerability releases.”
“Google provided Microsoft ample time to identify and create a suitable patch for this issue. Microsoft had two full patch cycles to address this vulnerability before Google disclosed it publicly,” agreed Michael Taylor, lead developer at Rook Security. He added, “The question is why Microsoft was unable or unwilling to address these vulnerabilities in a timely manner.”
That is a principled approach to disclosure, and I respect that Google has an established policy and doesn’t want to establish a precedent of giving Microsoft — or any other developer — special privileges or more time. It’s a slippery slope. If you let Microsoft have an extra two days this month, then maybe Oracle asks for three days next month, and then it becomes a week, etc.
The conflict is one of definitions. Coordinated vulnerability disclosure (CVD) assumes that researchers and vendors are coordinating their efforts in the best interests of the general public. Responsible vulnerability disclosure means that you don’t publish vulnerability details and exploit code without giving the vendor adequate time to create a patch. Measured against either definition, a hardline 90-day deadline that ignores a vendor’s request for two more days looks neither coordinated nor responsible.
Dwayne Melancon, Tripwire’s chief technology officer, exclaimed “In this case, Google’s ‘one size fits all’ 90-day timeframe results in an irresponsible act — disclosing an exploitable security vulnerability, complete with exploit code, for a ubiquitous software product. While this may send the message that vendors need to take security fixes seriously and move quickly to resolve them, I don’t think this benefits consumers or enterprises when vulnerabilities are disclosed in this way.”
Vendors like Microsoft have enough to worry about just to make sure nefarious attackers don’t find and exploit vulnerabilities before a patch is deployed. Microsoft shouldn’t also have to worry about premature vulnerability disclosure from researchers exposing customers to unnecessary risk — especially when that researcher is a well-funded, reputable vendor that happens to be a primary competitor.
As Melancon put it, “That doesn’t feel like positive progress.”
Which company do you think is right? Share your opinion in the discussion thread below.