Furthermore, any vulnerability discovered by one security researcher might already have been discovered by another, privately sold to the highest bidder, and used in stealthy targeted attacks. Last year, Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, reported that more bugs were being sold on the open market than through "bug bounties and compensated responsible disclosure through firms like ZDI and TippingPoint."
Patching bugs more quickly -- or else releasing details of workarounds -- would ease the pressure on business customers of that software, said Flavio de Cristofaro, VP of engineering for professional products at Core Security, and Fernando Miranda, a senior researcher at Corelabs, in a joint email interview. "During the last few years we've been seeing critical vulnerabilities being actively exploited in the wild with almost no formal information/notifications about them from important vendors, consequently causing several losses to companies and end users," they said.
Reality check: Just how quickly do vendors now patch? Based on the 150 security advisories handled by Core, the average is three months. Microsoft, in one 2009 case involving an "Internet Explorer Security Zone restrictions bypass," took eight months to release a fix. More recently, Core informed Apple of a Mac OSX Server DirectoryService buffer overflow vulnerability on Jan. 9, but Apple didn't manage to release a fix for the bug -- which apparently wasn't being actively exploited -- until June. And this was after Apple had missed four deadlines, triggering extra work for everyone involved. "From a communication perspective, the process was not as smooth as expected," said Cristofaro and Miranda.
In general, "big players are very proactive answering our initial contact, but they usually require more time to set up and align their processes and teams to fix a given issue," Cristofaro and Miranda said. Smaller vendors, meanwhile, act in widely disparate ways, with some ignoring requests altogether and others requesting excessive -- greater than six months -- time to make a fix.
Already, there are promising signs of change. Microsoft, for example, previously opposed releasing public details of any non-critical vulnerability as long as the vendor was working on a fix. But on July 9 the company announced a 180-day deadline for developers who distribute their apps on the Windows Store, Windows Phone Store, Office Store or Azure Marketplace to update their applications after receiving a report of a bug that rates as "important" or "critical" on Microsoft's exploitability index. Failure to comply with that deadline is grounds for Microsoft to withdraw the app from sale. In its announcement, Microsoft said it will take its own medicine: "The requirement applies to all apps available in the online stores, including Microsoft apps."
Would Microsoft really withdraw its own operating systems or applications from its app store if a vulnerability took longer than six months to fix? Don't hold your breath. But as Google holds vendors with critical, exploited product vulnerabilities to a seven-day fix cycle -- offering them a clear option between patching quickly or facing PR peril -- it's time for all software vendors to hold themselves to a higher standard.