Overcome The Microsoft Mindset: Patch Faster

9 Android Apps To Improve Security, Privacy

Software vendors: Prepare to adjust your patching reality.

The long-running debate about how fast software vendors should be required to squash bugs in their products is heating up again, following Microsoft's release on July 9 of a fix for a critical bug that had been detailed publicly by Google security researcher Tavis Ormandy seven weeks prior. Microsoft said the bug had already been exploited in "targeted attacks."

Who's right and wrong in this scenario? Ormandy, for releasing full details of a bug and a working exploit, without giving Microsoft a courtesy call and time to code a fix? Or Microsoft, for dictating the terms of the game and generally giving itself lots of time to fix bugs that aren't being actively exploited?

[ How did a hacker hijack the Emergency Alert System? Read 'Zombie Apocalypse' Broadcast Hoax Explained. ]

Regardless of your take, Google seems set to rewrite the rules of the bug-patching game, after two of its security researchers, Chris Evans and Drew Hintz, issued a warning to vendors in a May blog post: In cases of "critical vulnerabilities under active exploitation," Google will now give vendors only seven days to release a patch. After that time, Google will issue full details of the vulnerability. For anything that's not critical, Google is sticking with its recommendation to fix bugs within 60 days or else issue workarounds and mitigation techniques to affected users.

While acknowledging that the seven-day timeline is "aggressive," Evans and Hintz said everyone stands to benefit. "By holding ourselves to the same standard, we hope to improve both the state of Web security and the coordination of vulnerability management," they said in their post.

Google's revised bug-disclosure timeline is good news for all software users. "It shows that the long timeframes that the industry has been operating under -- find a vulnerability, ensure it's fixed within six months or a year -- isn't adequate," SANS Institute fellow Ed Skoudis told me in a phone interview. "So Google is trying to juice the whole thing to make it happen faster."

Skoudis added: "Microsoft got us into this mindset: You find a flaw, responsibly tell a vendor, and darn it, there will be a fix out within a year."

The annual Pwn2Own competition, hosted by Hewlett-Packard's DVLabs Zero Day Initiative (ZDI), has also been reshaping our collective patching mindset. "Google and Mozilla were able to patch the issues that were being exploited in the competition in less than two days," said ZDI manager Brian Gorenc, speaking by phone. Of course, it was in both companies' best interests to patch their browsers quickly, thus making Chrome and Firefox look better than Internet Explorer. "For actively exploited bugs, they pose an immediate problem for vendors, and they need to be pressured to act quickly," Gorenc said. What's the rush? "Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world," said Google's Evans and Hintz. Of course, businesses and government agencies also are at risk from unpatched, easy-to-exploit flaws.

Furthermore, any vulnerability discovered by one security researcher might already have been discovered by another, privately sold to the highest bidder, and used in stealthy targeted attacks. Last year, Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, reported that more bugs were being sold on the open market than through "bug bounties and compensated responsible disclosure through firms like ZDI and TippingPoint."

Patching bugs more quickly -- or else releasing details of workarounds -- would ease the pressure on business customers of that software, said Flavio de Cristofaro, VP of engineering for professional products at Core Security, and Fernando Miranda, a senior researcher at Corelabs, in a joint email interview. "During the last few years we've been seeing critical vulnerabilities being actively exploited in the wild with almost no formal information/notifications about them from important vendors, consequently causing several losses to companies and end users," they said.

Reality check: Just how quickly do vendors now patch? Based on the 150 security advisories handled by Core, the average is three months. Microsoft, in one 2009 case involving an "Internet Explorer Security Zone restrictions bypass," took eight months to release a fix. More recently, Core informed Apple of a Mac OSX Server DirectoryService buffer overflow vulnerability on Jan. 9, but Apple didn't manage to release a fix for the bug -- which wasn't apparently being actively exploited -- until June. And this was after blowing four deadlines, triggering extra work for everyone involved. "From a communication perspective, the process was not as smooth as expected," said Cristofaro and Miranda.

In general, "big players are very proactive answering our initial contact, but they usually require more time to set up and align their processes and teams to fix a given issue," Cristofaro and Miranda said. Smaller vendors, meanwhile, act in widely disparate ways, with some ignoring requests altogether and others requesting excessive -- greater than six months -- time to make a fix.

Already, there are promising signs of change. Microsoft, for example, previously opposed releasing public details of any non-critical vulnerability as long as the vendor was working on a fix. But the company announced on July 9 a 180-day deadline for developers that distribute their apps on the Windows Store, Windows Phone Store, Office Store or Azure Marketplace to update their applications after receiving a report of a bug that rates as "important" or "critical" on Microsoft's exploitability index. Failure to comply with that deadline is grounds for Microsoft to withdraw the app from sale. In its announcement, Microsoft said it will take its own medicine: "The requirement applies to all apps available in the online stores, including Microsoft apps."

Would Microsoft really withdraw its own operating systems or applications from its app store if a vulnerability took longer than six months to fix? Don't hold your breath. But as Google holds vendors with critical, exploited product vulnerabilities to a seven-day fix cycle -- offering them a clear option between patching quickly or facing PR peril -- it's time for all software vendors to hold themselves to a higher standard.