eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
Microsoft’s Windows 8.1 operating system is at risk from a zero-day vulnerability first publicly disclosed by Google’s Project Zero security research team on Dec. 30. Google’s disclosure has once again highlighted the issue of what responsible disclosure is about and how long a vendor should be given to fix a reported vulnerability.
The Windows 8.1 vulnerability that Google found was first privately reported to Microsoft on Sept. 30. Google attached a 90-day disclosure deadline to the flaw, a privilege-escalation vulnerability.
“If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public,” Google stated in its bug report.
As it turns out, 90 days did pass and no publicly available patch was made available by Microsoft for the flaw, which led to Google’s making the zero-day vulnerability public.
Although Microsoft does not deny that the flaw exists, it is downplaying the severity of the issue. In an email statement, a Microsoft spokesperson noted that the company is working to release a security update to address the privilege-escalation issue.
“It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid log-on credentials and be able to log on locally to a targeted machine,” the spokesperson stated. “We encourage customers to keep their anti-virus software up-to-date, install all available security updates and enable the firewall on their computer.”
Aside from the actual privilege-escalation vulnerability, the Google disclosure after 90 days has led to some debate. The Google bug report page is full of comments from those who support and oppose the automated disclosure of vulnerabilities after a 90-day period.
“Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible, and I’d have expected a greater degree of care and maturity from a company like Google,” one bug report commenter wrote.
For its part, Google officials claim its actions are fair and responsible. Ben Hawkes, a member of Google’s Project Zero team, noted as part of the bug report commenting thread that the disclosure deadline policy has been in place since the formation of the team in early 2014. Google only publicly announced its Project Zero initiative on July 15, though the effort had been finding and reporting software vulnerabilities since at least March.
Security researcher Ian Beer of Google Project Zero was credited by Hewlett-Packard’s Zero Day Initiative (ZDI) with disclosing a vulnerability during the Pwn2own hacking competition.
“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security—it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face,” Hawkes wrote. “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner and to exercise their power as a customer to request an expedited vendor response.”
Hawkes added that the majority of the bugs that Google’s Project Zero has reported under the disclosure deadline have been fixed under the 90-day deadline period.
Google Disclosure of Windows 8.1 Flaw Raises Questions
Google’s Project Zero is not the only research group that imposes a disclosure deadline. HP’s ZDI’s policy is to make reported flaws public after 120 days. In fact, ZDI has also automatically reported Microsoft zero-day flaws.
In May 2014, HP ZDI publicly reported the CVE-2014-1770 vulnerability, a zero-day flaw in Microsoft’s Internet Explorer browser. That particular flaw had first been reported to Microsoft on Nov. 11, 2013, and HP ZDI actually waited more than 180 days before publicly disclosing the issue. HP ZDI shortened its disclosure deadline from 180 days to 120 days in March 2014.
In response to a question from eWEEK about Google’s disclosure deadline policy, Microsoft provided a generic response about its view on disclosure. “It is always important to think first and foremost about the safety of computer users,” a Microsoft spokesperson stated in an email. “As a result, we believe in coordinated vulnerability disclosure that allows technology companies to provide ways for their customers to respond before technical details are released publicly.”
The debate over disclosure deadlines is not likely to subside any time soon. When zero-day bug information is released publicly, end users are, no doubt, left at risk. The question, though, is whether they are at more or less risk as a result of a bug that is made public before a patch has been issued. Does pushing out a public vulnerability disclosure embarrass the software vendor to act?
In the case of the CVE-2104-1770 Microsoft Internet Explorer vulnerability, HP ZDI publicly disclosed the issue on May 21, 2014, and Microsoft patched the issue on June 10, 2014 . Given that HP ZDI first reported the issue in November 2013, perhaps the public disclosure was the little push that was needed to finally get CVE-2104-1770 patched.
Whether Microsoft will be able to keep pace in 2015 with the volume of disclosure deadlines it faces from security researchers will be interesting to watch. HP ZDI has a public listing of its upcoming disclosure deadlines, and Microsoft is on the list with multiple upcoming deadlines, the first being Feb. 2. Will Microsoft patch in time? Only time will tell.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.