Google disputes bug patching report
Google argued that a recent report claiming it failed to patch a third of the serious bugs in its software had the facts wrong. IBM's X-Force admitted the error.
By Gregg Keizer
August 31, 2010 — Computerworld — Google on Monday said that a recent report claiming it failed to patch a third of the serious bugs in its software had the facts wrong.
IBM's X-Force security company, which released the report last week, acknowledged the error and issued a revised chart that shows Google patched all the vulnerabilities rated "critical" or "high" in its online services.
"We questioned a number of surprising findings concerning Google's vulnerability rate and response record, and after discussions with IBM, we discovered a number of errors that had important implications for the report's conclusions," said Adam Mein, a security program manager at Google, in an entry on a company blog.
Last week, X-Force's report claimed that 9% of all Google bugs disclosed in the first half of 2010 were unpatched, and 33% of the vulnerabilities ranked as critical or high had not been fixed.
According to IBM's revised tabulations, Google patched every vulnerability revealed in the first six months of this year.
"After we released our trend report ... we received feedback from two software vendors regarding the severity and remedy information for some of the vulnerabilities behind this chart," said Tom Cross, a researcher with X-Force, in a mea culpa blog posted on Saturday. "As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart."
Cross' blog post included a revamped table that showed the new numbers.
Although Cross did not name the other vendor that complained about the patching results, Sun Microsystems' numbers also changed dramatically. Where the original table had Sun letting 24% of all first-half 2010 bugs and 9% of the most serious flaws go unfixed, the recalculated figures were 8% and 0%, respectively. The changes dropped Sun from the vendor with the largest percentage of unpatched vulnerabilities to the one in fifth place.
In April, Oracle announced plans to acquire Sun for $7.4 billion; X-Force listed the two companies' vulnerabilities separately.
Other vendors' unpatched percentages also decreased after X-Force re-examined its data, including Microsoft's and Mozilla's, as did the catch-all category of Linux.
What caught Google's eye, said Mein, was X-Force's assertion that one-in-three critical bugs had not been patched.
"We learned after investigating that the 33% figure referred to a single unpatched vulnerability out of a total of three -- and importantly, the one item that was considered unpatched was only mistakenly considered a security vulnerability due to a terminology mix-up," Mein said.