Services & Software

Google push for faster zero day fixes hits a wall: Other companies

Google wants technology firms to cut down on the amount of time it takes to fix zero day vulnerabilities, but some are crying foul.

A Web site malicious code injection, which uses the kind of exploit Google is hoping to encourage companies to patch faster when discovered.

Google has undertaken what some might call a Sisyphean effort: to get technology companies to patch publicly unknown security vulnerabilities, referred to as "zero day" exploits, more quickly.

In a blog post published Wednesday, two Google security engineers advised their counterparts at other companies to respond to actively exploited zero days within seven days.

The post's authors, Chris Evans and Drew Hintz, wrote, "Often, we find that zero day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly."

They noted that zero day targets can be political activists, but the exploits are often used in spear phishing attacks aimed at nuclear researchers, government employees, and even lowly Facebook users.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," they wrote.

That's too aggressive in one direction and not enough in another, Gunter Ollman, chief technology officer at IOActive, an enterprise security company, wrote in a blog post criticizing the policy as being "rather naive and devoid of commercial reality."

The basic thrust of Ollman's argument is that Google's ideal vulnerability patch timeline is not good enough for a Web services company like Google, but will actually cause harm to companies that deal with "thick clients," software products written in code native to the operating system that they run on.

"As a Web services company it is much easier for Google to develop and roll out fixes promptly -- but for 95-plus percent of the rest of the world's software development companies making thick-client, server and device-specific software this is unrealistic," Ollman wrote on Friday in a post on Help Net Security.

He wants Google and other Web service companies to have zero days patched in 12 hours. But traditional software companies, or those that sell their products on the enterprise level, should have more than seven days. Ollman highlighted vulnerabilities that have "national security implications and huge monetary and safety implications."

Robert Hansen, WhiteHat Security's product management director, said that Google probably was taking aim at Microsoft and its more lax vulnerability disclosure policies.

"Google is effectively telegraphing to Microsoft that they will go full disclosure faster, and they back their employees doing so. That ultimately means that they are likely to be afforded the same by the research community," he said.

Hansen was in agreement with Ollman on the challenges facing the two kinds of companies. "The problem is it's not a simple process to patch Microsoft," he said.

Dustin Childs at Microsoft Trustworthy Computing told CNET, "We want to make sure that any public communications or guidance we do is decreasing risk. We want to be sure that we put out a quality update that works on literally a billion systems around the planet."

Alex Stamos, an expert in network infrastructure and security, said that Google was doing the right thing in this case. "I think the deadlines are reasonable and that Ollman's article missed the entire point. It is true that seven days is not enough time to patch thick client and embedded applications," he said.

"The goal of the seven day timeline is to give current or potential victims the ability to detect and mitigate the vulnerability via mechanisms outside of patching, and to weigh the researcher's responsibility to the end-user against the desires of the vendor," Stamos said.

Adam O'Donnell, the chief architect at Sourcefire's Cloud Technology Group, noted that Google's principled, quantitative stance on the issue will help end-user security because it gives other tech companies a position to emulate.

"Any effort to shorten the window of vulnerability opened by a new exploit should be applauded," he said.

Google declined to comment for the story.

Update, 5:40 p.m. PT: Adds statement from Microsoft.