Why Microsoft is Wrong About Google’s Project Zero

A while ago Google announced Project Zero, a team of security researchers whose goal is to find bugs in software so that you, dear user, can use the web and technology securely.  They were very up front about how the team would work: they would report the bugs and vulnerabilities they found to the companies or people responsible for maintaining the software, give the developers 90 days to fix the bug, and then let the world know about it.

It turns out that Microsoft Windows has a few bugs in it (who knew?).  On more than one occasion Google discovered vulnerabilities in Windows.  On two of these occasions Microsoft was notified and was “unable” to patch the vulnerability before the 90 days elapsed, so Google disclosed it.  I have read many articles about this and I feel like almost all of them are completely out to lunch.  I won’t even link to them because I feel they are so poorly informed on this topic.

Tell Me A Secret

There are basically three types of disclosure.

Non-disclosure is where a security researcher finds a vulnerability and informs the software vendor about it, but the public at large never finds out.  The vendor may fix the issue or may not; there really isn’t much motivation to fix it.  Due to its nature we don’t know how often this happens, but I think it is safe to say that it happens more often than most people think, and more often than it should.

Full disclosure is the other end of the spectrum, where the vendor finds out about the vulnerability at the same time the public does.  Many people, including myself, feel that this type of disclosure is often dangerous.  Unfortunately it is also very effective in motivating the company to fix the issue, as the publicity generated by the disclosure is far higher than it would be under different circumstances.

The middle ground is something called responsible disclosure.  This is where the vendor is notified about the vulnerability ahead of the general public.  Sometimes the timeline for public disclosure is days or weeks, often it is months, sometimes even years.  The public is arguably safer than with full disclosure, since attackers who haven’t independently found the vulnerability can’t take advantage of it until it is disclosed.  So it is the very definition of a compromise: the company is more motivated to fix the vulnerability than with non-disclosure, but the public is not handed the details at the same moment as the vendor.

Many flame wars have been had over the disclosure debate.  For some weird reason, the infosec community has never really had the chance to have a proper, grown-up conversation about how disclosure should happen.  Because of this, responsible disclosure means different things to different people.  It is a loose, de facto “standard”, I guess.  The length of time given to fix the vulnerability is often tied to how difficult it is to patch.  If it only requires a minor server-side update, disclosure doesn’t need to wait long after the fix.  If it is something hard-coded into point-of-sale terminals, it may take years to patch the vulnerability, and disclosure may have to wait that long.  If you asked most infosec people what a fair term before disclosure was, they would likely say 90 days.

Didn’t a Microsoft Employee Coin the Term “Responsible Disclosure”?

Most articles have either demonized Google for disclosing, or touted how Google unilaterally decided the terms of its disclosure policy, or focused on why Google didn’t wait for Microsoft to fix the vulnerability.  The problem is that if Google gave Microsoft more than 90 days, it would slip to 120 days, then 150 days, and so on.  It wouldn’t happen on every occasion, but it would delay things, and meanwhile users are vulnerable to the problem without knowing it.  The reason you set a date and stick to it is that you cannot play favourites with vulnerabilities: every vendor gets the same clock, and a clock that can be extended on request stops motivating anyone.

What Exactly Is It That You Do Again?

The following is what was missing from all of the articles I have read about this story.  So Microsoft makes software, yes?  They also make software that helps you make software.  As pioneers of it, I think they understand the software development lifecycle.  They should be decently good at it by now.  If an organization with the resources of Microsoft can’t fix these issues in 90 days, let alone 30, then surely there is no hope for any of us.


2 thoughts on “Why Microsoft is Wrong About Google’s Project Zero”

  1. Jim, depending on the bugs and the system, they are not all made the same, and the 90-day timeline is just a generalisation of a timeline picked out of the air. Microsoft has a very big and interconnected system. It’s not like fixing a bug in a tic-tac-toe application where you just change a line of code. The more complex the system, the more rigorous tests you need to do... I think it’s reasonable for Google to wait for only 2 days...

    1. Just a very late FYI Daniel…

      “The expert has noted that Google’s disclosure policy applies to its own products as well, but unlike Microsoft, which uses an outdated development process, Google relies on automatic testing, which enables it to release updated versions of its software within 24 hours.”

      http://www.securityweek.com/google-discloses-new-unpatched-windows-81-privilege-escalation-flaw

      Yes, this is not apples with apples, because software companies would patent the apple so we all have to invent our own fruit. Along with the privilege of maintaining first-mover advantage, Microsoft has a responsibility to its customers to patch security vulnerabilities. Don’t be so quick to let them off the hook; they are not the guy down the street in a one-up one-down.
