In a Cybersecurity Vendor War, the End User Loses

When vulnerability information is disclosed without a patch available, users are the ones really being punished.

Morey Haber, Chief Security Officer, BeyondTrust

March 8, 2017

4 Min Read

Rarely do you see corporations clash over vulnerability disclosures. It's almost an unwritten rule that a business wouldn't participate in improper vulnerability disclosures, but Google has decided to go head-to-head with Microsoft in the release of information after 90 days of initial notification, even though Microsoft has acknowledged the flaw and scheduled an update.

Although this type of activity is common for researchers, it looks like Google has decided to pick a fight with Redmond and wants vulnerabilities patched faster. In addition, Google went on the offensive, disclosing it successfully and reliably cracked SHA1 and discovered a major coding flaw dubbed Cloudbleed in Cloudflare hosting services. The latter is responsible for the leakage of sensitive data across websites that are hosted by Cloudflare services.

 More on Security Live at Interop ITX More on Security
Live at Interop ITX

These activities are rather unusual for a company that's not primarily focused on security and only emphasize the disclosure of unpatched vulnerabilities in Windows. Early last month, Google disclosed an unpatched vulnerability in the Windows Graphic Device Interface (GDI), and later in February another (CVE-2017-0037) in Microsoft Edge and Internet Explorer that could lead to arbitrary code execution — both of which are 90 days past due since disclosure. Although most say it's appropriate to wait 90 days after submitting a vulnerability, it's unusual for companies to release information when the period ends and acknowledge a patch is coming.

What makes this disclosure so interesting, and potentially a battle between the two giant software organizations, is the disclosure of proof-of-concept code related to the latest browser vulnerabilities in Edge and IE that could allow hackers to refine the exploit and escalate privileges on targeted systems. That target base includes Windows 7, 8.1, and 10 for both 32- and 64-bit systems. As a zero-day, unpatched vulnerability, it's just a matter of time before this weakness becomes weaponized.

Microsoft delayed February's Patch Tuesday fix until March, making the mainstream distribution of patches unavailable to the masses. In fact, this adds to the Microsoft SMB flaws that are already in the wild (disclosed February 3) with exploit code, making it a bad first quarter at Redmond for zero-day vulnerabilities.

Browser War or Something Else?
It has been awhile since Microsoft has received so much negative press around security flaws at the hands of a competing corporation. Why Google has taken such a provocative stance is unclear, but the recommendation from other security professionals to mitigate the risks are very clear: replace Internet Explorer and Edge with another vendor's products to mitigate the risk. Is Google's approach an aggressive campaign to continue the browser wars? It may be very possible or just a strict interpretation of the industry 90-day standard for notification, disclosure, and patch remediation.

In the end, the end user is the one that suffers. Zero days are out in the wild, proof-of-concept exploits are available to hackers, and organizations are left finding suitable mitigations for the threats until patches are released, tested, and deployed. Businesses can only identify and document the risks using vulnerability assessment solutions and minimize the threats with application control and other proven security technologies.

Compliance regimes such as PCI should take note as well. There is no remediation path, and now vulnerabilities are over 90 days old from initial notification to the manufacturer. The clock is ticking for regulatory incompliance. We can only hope Patch Tuesday in March (scheduled for March 14) addresses all of these problems and doesn't give hackers more time to refine their exploits.

It will be interesting to watch if Google decides to release more vulnerability information against other vendors and whether other organizations follow suit with research after 90 days of have passed. It could be just the start of a new cyber security battle. The results could be faster patches or a gold mine for attackers for public exploits.

Related Content:

About the Author(s)

Morey Haber

Chief Security Officer, BeyondTrust

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing privileged access management, remote access, and vulnerability management solutions, and BeyondTrust's own internal information security strategies.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights