Microsoft issued a patch this week for a zero-day Windows vulnerability discovered by Google researchers that was publicly disclosed before the patch was issued despite Microsoft asking them to keep it secret.
Unsurprisingly, this has caused some debate around the ethics of vulnerability disclosure.
It has been the policy of Google’s security initiative, Project Zero, to tell the developers of software about flaws they find, then disclose the vulnerability to the public after 90 days. This happened to fall just days before Microsoft’s regular Tuesday security update.
This week, however, Microsoft Security Response Center Senior Director Chris Betz noted in a blog post that his team does not take the stance that full, public disclosure is needed to push software vendors to fix vulnerabilities and help customers protect themselves. “It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a ‘fix’ before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack.”
Explaining the course of events, Betz wrote that Google “released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result.”
In an interview with TechRepublic, Rook Security’s Tom Gorup came out in favor of Google’s adherence to its vulnerability disclosure policy, reasoning that the public should know if there’s an unpatched vulnerability. “Just because the general public isn’t aware of the issue doesn’t mean it’s not being actively exploited,” he said.
Tripwire CTO Dwayne Melancon, however, contended that not all vulnerabilities are equal. He said that a “one size fits all” policy does a disservice to consumers and enterprises, and that the 90-day disclosure timeframe is an arbitrary period for developing security fixes.
Similarly, Betz favors an approach where software developers have more time, when needed, to carefully fix security flaws and push these patches to users when it makes sense. “We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publicly,” Betz stated. “It is in that partnership that customers benefit the most. Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured.”