Google push for faster zero day fixes hits a wall: Other companies
Google wants technology firms to cut down on the amount of time it takes
to fix zero-day vulnerabilities, but some are crying foul.
Image caption: A Web site malicious code injection, the kind of exploit
Google is hoping to encourage companies to patch faster once it is discovered.
Google has undertaken what some might call a Sisyphean effort: to get
technology companies to patch publicly unknown security vulnerabilities,
referred to as “zero-day” exploits, more quickly.
The authors of Google’s post, Chris Evans and Drew Hintz, wrote, “Often, we find
that zero-day vulnerabilities are used to target a limited subset of
people. In many cases, this targeting actually makes the attack more
serious than a broader attack, and more urgent to resolve quickly.”
They noted that zero-day targets can be political activists, but the exploits are often used in spear phishing attacks aimed at nuclear researchers, government employees, and even lowly Facebook users.
“Seven days is an aggressive timeline and may be too short for some
vendors to update their products, but it should be enough time to
publish advice about possible mitigations, such as temporarily disabling
a service, restricting access, or contacting the vendor for more
information,” they wrote.
That’s too aggressive in one direction and not aggressive enough in another, argued
Gunter Ollman, the Chief Technology Officer at IOActive, an enterprise
security company, in a blog post criticizing the policy as being
“rather naive and devoid of commercial reality.”
The basic thrust of his argument is that Google’s ideal vulnerability
patch timeline is not good enough for a Web services company like
Google, but will actually cause harm to companies that deal with “thick
clients,” software products written in code native to the operating
system that they run on.
“As a Web services company it is much easier for Google to develop and
roll out fixes promptly — but for 95-plus percent of the rest of the
world’s software development companies making thick-client, server and
device-specific software this is unrealistic,” Ollman wrote on Friday in
a post on Help Net Security.
He wants Google and other Web service companies to have zero-days
patched in 12 hours. But traditional software companies, or those that
sell their products on the enterprise level, should have more than seven
days. Ollman highlighted vulnerabilities that have “national security
implications and huge monetary and safety implications.”
Robert Hansen, WhiteHat Security’s product management director, said that Google probably was taking aim at Microsoft and its more lax vulnerability disclosure policies.
“Google is effectively telegraphing to Microsoft that they will go full
disclosure faster, and they back their employees doing so. That
ultimately means that they are likely to be afforded the same by the
research community,” he said.
Hansen was in agreement with Ollman on the challenges facing the two
kinds of companies. “The problem is it’s not a simple process to patch
Microsoft,” he said.
Alex Stamos, an expert in network infrastructure and security, said that
Google was doing the right thing in this case. “I think the deadlines
are reasonable and that Ollman’s article missed the entire point. It is
true that seven days is not enough time to patch thick client and
embedded applications,” he said.
“The goal of the seven day timeline is to give current or potential
victims the ability to detect and mitigate the vulnerability via
mechanisms outside of patching, and to weigh the researcher’s
responsibility to the end-user against the desires of the vendor,” he said.
Adam O’Donnell, the chief architect at Sourcefire’s Cloud Technology
Group, noted that Google’s principled, quantitative stance on the issue
will help end-user security because it gives other tech companies a
position to emulate.
“Any effort to shorten the window of vulnerability opened by a new exploit should be applauded,” he said.
Google declined to comment for the story. CNET will update with a response from Microsoft when we hear back from them.