Google cuts Microsoft and pals some slack in zero-day vuln crusade – an extra 14 days tops

LOL u mad, Redmond? 'Yes, we mad'


Google has adjusted the terms of its controversial Project Zero vulnerability scouting effort, loosening its 90-day disclosure policy somewhat to give companies a better chance of fixing their security bugs before they become public knowledge.

Among the changes, Google says it will no longer disclose bugs on weekends and public holidays, and it will even offer software vendors a brief grace period to finish their patches, if they request one.

Project Zero has drawn fire from software companies – most notably Microsoft – for disclosing critical vulnerabilities to the public exactly 90 days after it reports them to vendors, a policy that top Redmond security bod Chris Betz said "feels less like principles and more like a 'gotcha'."

"What's right for Google is not always right for customers," Betz wrote in a blog post in January. "We urge Google to make protection of customers our collective primary goal."

Mind you, it's only natural that Microsoft would be miffed. Among the bugs revealed by Project Zero so far are critical zero-day flaws in Windows that can potentially allow an attacker to gain full control of affected systems.

Google's vulnerability disclosures often include proof-of-concept exploit code, meaning cyber-crooks have access to working exploits the minute Google's disclosure goes live.

Still, Google seems to have heard Redmond's complaints. On Friday, the online ad-slinger said it would make changes to how Project Zero discloses flaws, but it stopped short of saying it would lengthen the 90-day deadline, noting that CERT's own deadline is even shorter.

"We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix," Google's security team wrote in a blog post. "We've chosen a middle-of-the-road deadline timeline and feel it's reasonably calibrated for the current state of the industry."

Going forward, however, 90 days won't necessarily mean 90 days. For one thing, if a disclosure deadline falls on a weekend or a public holiday, Google now says it will hold off on its disclosure until the next working day.

What's more, the Chocolate Factory says it will extend the disclosure deadline by a grace period of up to 14 days, provided a vendor lets it know that a patch will be released on a specific date within the 14 days.

"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed," Google's post states.
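The three rules above (the 90-day clock, the roll-over past weekends and holidays, and the up-to-14-day grace period for a vendor that names a patch date) are easy to encode. The following is an added example, not Google's own tooling; the holiday calendar is constructed, and it assumes the grace window is counted from the working-day-adjusted deadline, a detail the announcement does not spell out.

```python
"""Disclosure-deadline calculator modelling the Project Zero rules described above.

Added example, not Google's code. The holiday calendar and the exact way the
grace period is measured are assumptions; the article gives only the rules.
"""
from datetime import date, timedelta

DISCLOSURE_DAYS = 90   # public disclosure 90 days after the vendor is notified
MAX_GRACE_DAYS = 14    # longest extension a vendor can request

# Constructed sample holiday calendar (assumption: the page lists no holidays).
SAMPLE_HOLIDAYS = frozenset({date(2015, 4, 6)})


def next_working_day(d, holidays=frozenset()):
    """Roll a date forward past Saturdays, Sundays and listed holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def disclosure_date(reported, vendor_patch_date=None, holidays=frozenset()):
    """Return (date, reason) for when an issue becomes public.

    reported          - the day the vendor was notified
    vendor_patch_date - the specific release date the vendor committed to, or None
    """
    # Rule 1: a 90-day deadline landing on a weekend or holiday moves to the next working day.
    deadline = next_working_day(reported + timedelta(days=DISCLOSURE_DAYS), holidays)

    if vendor_patch_date is None:
        return deadline, "no vendor commitment: disclose at the 90-day deadline"

    # A fix shipped before the deadline is disclosed when it ships.
    if vendor_patch_date <= deadline:
        return vendor_patch_date, "fix released before deadline: disclose on release"

    # Rule 2: up to 14 extra days if the vendor names a date inside the window.
    # Assumption: the window is measured from the (working-day) deadline.
    grace_end = deadline + timedelta(days=MAX_GRACE_DAYS)
    if vendor_patch_date <= grace_end:
        return vendor_patch_date, "grace period granted: disclose on the committed patch date"

    # Rule 3: a significantly missed deadline is disclosed unpatched at the deadline.
    return deadline, "deadline significantly missed: disclose unpatched"


if __name__ == "__main__":
    reported = date(2015, 1, 4)  # constructed: a report filed on a Sunday
    for patch in (None, date(2015, 3, 20), date(2015, 4, 15), date(2015, 5, 1)):
        when, why = disclosure_date(reported, patch, SAMPLE_HOLIDAYS)
        print(f"patch={patch}: disclose {when} ({why})")
```

The boundary worth noticing is the last branch: a vendor that names a date 15 days past the deadline gets no extension at all, so the issue goes public unpatched on the original deadline rather than on day 104.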

Google says it will also pre-assign CVE (Common Vulnerabilities and Exposures) identifiers to bugs that go past their deadlines before it discloses them, to avoid confusion and help the public understand the specific threats.

But Redmond wasn't entirely satisfied with the changes, saying it would much rather see Google work more interactively with software vendors to apply patches.

"When finders release proof-of-concept exploit code, or other information publicly before a solution is in place, the risk of attacks against customers goes up," Microsoft's Betz told The Register in an emailed statement. "While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies."

Google, meanwhile, said that an arbitrary deadline, albeit a nondiscriminatory one, is the best vendors can hope for.

"As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances," Google's security team said. "We remain committed to treating all vendors strictly equally." ®
