NEWS ANALYSIS: When zero-day bug information is released, users are at risk. Are they more or less at risk when a bug is made public before a patch is issued?
Microsoft's Windows 8.1 operating system is at risk from a zero-day vulnerability first publicly disclosed by Google's Project Zero security research team on Dec. 30. Google's disclosure has once again highlighted the issue of what responsible disclosure is about and how long a vendor should be given to fix a reported vulnerability.
The Windows 8.1 vulnerability that Google found was first privately reported to Microsoft on Sept. 30. Google attached a 90-day disclosure deadline to the flaw, a privilege-escalation vulnerability.
"If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public," Google stated in its bug report
As it turns out, 90 days did pass and no publicly available patch was made available by Microsoft for the flaw, which led to Google's making the zero-day vulnerability public.
Although Microsoft does not deny that the flaw exists, it is downplaying the severity of the issue. In an email statement, a Microsoft spokesperson noted that the company is working to release a security update to address the privilege-escalation issue.
"It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid log-on credentials and be able to log on locally to a targeted machine," the spokesperson stated. "We encourage customers to keep their anti-virus software up-to-date, install all available security updates and enable the firewall on their computer."
Aside from the actual privilege-escalation vulnerability, the Google disclosure after 90 days has led to some debate. The Google bug report page is full of comments from those who support and oppose the automated disclosure of vulnerabilities after a 90-day period.
"Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible, and I'd have expected a greater degree of care and maturity from a company like Google," one bug report commenter wrote
For its part, Google officials claim its actions are fair and responsible. Ben Hawkes, a member of Google's Project Zero team, noted as part of the bug report commenting thread that the disclosure deadline policy has been in place since the formation of the team in early 2014. Google only publicly announced
its Project Zero initiative on July 15, though the effort had been finding and reporting software vulnerabilities since at least March.
Security researcher Ian Beer of Google Project Zero was credited by Hewlett-Packard's Zero Day Initiative (ZDI) with disclosing
a vulnerability during the Pwn2own hacking competition.
"On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security—it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face," Hawkes wrote
. "By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner and to exercise their power as a customer to request an expedited vendor response."
Hawkes added that the majority of the bugs that Google's Project Zero has reported under the disclosure deadline have been fixed under the 90-day deadline period.