Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Google zero-day disclosure change slammed, praised

Antone Gonsalves | June 3, 2013
Google admits the seven-day timeline is too short for some vendors to patch, but hopes it will push companies to advise customers sooner

Google's dramatic shift to a seven-day grace period before disclosing actively exploited zero-day vulnerabilities in software has drawn both praise and derision from security experts.

Security engineers Chris Evans and Drew Hintz said on Wednesday in the Google Online Security Blog that the company was dropping the previous 60-day window.

"The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised," the engineers said.

While acknowledging the timeline was likely too short for some vendors to patch their products, Google believed companies could at least publish advice on how customers could protect themselves. Other options while a permanent fix was under development included disabling the flawed service or restricting access.

"After seven days have elapsed without a patch or advisory, we will support researchers making details available, so that users can take steps to protect themselves," Evans and Hintz said in the blog post.

Experts were sharply divided over the new policy. While some said the timeline was sufficient and hoped it would pressure vendors into moving faster, others said the move was draconian and ignored the realities of fixing vulnerabilities.

"It's a really, really risky and inappropriate blanket policy," said Randy Abrams, research director for application security tester NSS Labs. "Software is very, very complex and seven days is not enough time in most cases."

An alternative would have been cutting the timeline in half to 30 days, and deciding on a case-by-case basis whether a seven-day window is more appropriate, Abrams said. Even though Google said it would hold itself to the same standard, he doubted that would be the case.

"I would expect that if something isn't convenient, they'd redefine whether or not it is a critical vulnerability," Abrams said.

While acknowledging the timeline is tight, other experts believed it was enough for vendors to at least advise customers that cybercriminals were attacking a previously unknown flaw. The rationale for earlier disclosure is that if the bad guys already know about the vulnerability, why shouldn't customers.

"I almost think it should be a fiduciary responsibility that once a company is aware of something that they need to inform their customers," said Rick Holland, an analyst with Forrester Research.

The shorter grace period means companies using the flawed software could take steps sooner to check their systems for infection and to block attackers, Holland said.

Gunter Ollmann, chief technology officer for IOActive, which focuses on security in industrial control systems, believed Google was being disingenuous because as a Web-based service provider, it could fix vulnerabilities in its data center much faster than a software vendor.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.