Vulnerabilities / Threats
5/29/2013
06:29 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Google Sets New 'Aggressive' 7-Day Deadline For Vendors To Reveal Or Fix Zero-Day Bugs Under Attack

New policy narrows window for software vendors' public response to zero-day bugs discovered by Google researchers

Google today put the squeeze on software vendors with a new policy for vulnerability disclosure that allows its researchers to provide details on zero-day bugs they find within seven days if the affected vendor hasn't provided an advisory or a patch.

Chris Evans and Drew Hintz, security engineers with Google, made the announcement in a blog post, noting that Google's researchers recently discovered attacks using a zero-day in another unnamed vendor's software. "We recently discovered that attackers are actively targeting a previously unknown and unpatched vulnerability in software belonging to another company. This isn’t an isolated incident -- on a semi-regular basis, Google security researchers uncover real-world exploitation of publicly unknown (“zero-day”) vulnerabilities. We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution," the Googlers said in their post.

Vulnerability disclosure long has been a hot button topic, with Google over the past few years pushing hard on vendors to more quickly warn users and fix new flaws, and software giant Microsoft standing by its policy that vulnerability fixes should not be assigned deadlines. Microsoft contends that patching is a delicate balance between quality and timeliness that can't be put on a specific deadline.

But Google is now dramatically narrowing the patch window for the most dangerous zero-day bugs it discovers and get used in attacks in the wild.

"Our standing recommendation is that companies should fix critical vulnerabilities within 60 days -- or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation," the Google researchers say. "The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised."

They acknowledge that a one-week turnaround is tight and may not work for some vendors. And Google itself will follow the same timeline in fixing its own bugs, they say.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," they say. "As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management."

Google security engineers in 2010 called it "irresponsible" for a software bug to remain unfixed over long periods of time -- sometimes years. They announced back then that they would set disclosure deadlines for serious bugs they found, and if the affected vendor didn't fix the bug by that date, Google would publish an analysis of it and any workarounds.

Today the engineers say it's becoming even more urgent to fix bad bugs faster. "Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world," the said in their post.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web