Google zero-day disclosure change slammed, praised
Google admits the seven-day timeline is too short for some vendors to patch, but hopes it will push companies to advise customers sooner
By Antone Gonsalves
May 31, 2013 — CSO — Google's dramatic shift to a seven-day grace period before disclosing actively exploited zero-day vulnerabilities in software has drawn both praise and derision from security experts.
Security engineers Chris Evans and Drew Hintz said on Wednesday in the Google Online Security Blog that the company was dropping the previous 60-day window.
"The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised," the engineers said.
While acknowledging the timeline was likely too short for some vendors to patch their products, Google believed companies could at least publish advice on how customers could protect themselves. Other options while a permanent fix was under development included disabling the flawed service or restricting access.
"After seven days have elapsed without a patch or advisory, we will support researchers making details available, so that users can take steps to protect themselves," Evans and Hintz said in the blog post.
Experts were sharply divided over the new policy. While some said the timeline was sufficient and hoped it would pressure vendors into moving faster, others said the move was draconian and ignored the realities of fixing vulnerabilities.
"It's a really, really risky and inappropriate blanket policy," said Randy Abrams, research director for application security tester NSS Labs. "Software is very, very complex and seven days is not enough time in most cases."
An alternative would have been cutting the timeline in half to 30 days, and deciding on a case-by-case basis whether a seven-day window is more appropriate, Abrams said. Even though Google said it would hold itself to the same standard, he doubted that would be the case.
"I would expect that if something isn't convenient, they'd redefine whether or not it is a critical vulnerability," Abrams said.
While acknowledging the timeline is tight, other experts believed it was enough for vendors to at least advise customers that cybercriminals were attacking a previously unknown flaw. The rationale for earlier disclosure is that if the bad guys already know about the vulnerability, why shouldn't customers?
"I almost think it should be a fiduciary responsibility that once a company is aware of something that they need to inform their customers," said Rick Holland, an analyst with Forrester Research.
The shorter grace period means companies using the flawed software could take steps sooner to check their systems for infection and to block attackers, Holland said.
Gunter Ollmann, chief technology officer for IOActive, which focuses on security in industrial control systems, believed Google was being disingenuous because as a Web-based service provider, it could fix vulnerabilities in its data center much faster than a software vendor.
"If anything, I would hope that Google could step up to the plate more aggressively and block the malicious content and/or remove it from search results when zero-days are under way," Ollmann said in an emailed statement. "That would be much more productive and have a meaningful impact to the vulnerable users/targets."
The one element experts agree on is that it is highly unlikely that the majority of companies, no matter their size, will be able to get a patch out in seven days. But Wolfgang Kandek, chief technology officer for Qualys, believed the deadline could be met easily, because Google is at minimum only asking for an advisory, "as long as the vendor had all administrative hurdles clear, i.e. legal language, formatting, publishing strategy, etc."
"I think it is a step in the right direction," Kandek said of Google's new policy.
Cybercriminals have been finding and exploiting zero-day vulnerabilities at a troubling rate, so vendors have to respond much quicker, Holland said.
"Something has to change within the security industry to keep us from the [company] logo of the week getting hit," Holland said. "Our industry is so depressing sometimes to work in because it's just doom and gloom all the time."
"No questions about it, this is a bold change," he said.