Software vendors should respond to actively attacked vulnerabilities within seven days, Google says

Vendors should issue fixes or at least mitigation advice for zero-day flaws within a seven-day time frame, Google security engineers say

Google wants vendors to fix or offer mitigation advice for previously unknown and actively exploited software vulnerabilities within seven days of their discovery.

"After 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves," Google security engineers Chris Evans and Drew Hintz said Wednesday in a blog post.

In 2010, Google researchers proposed a public disclosure deadline of 60 days for critical vulnerabilities and said that vendors should release a patch or mitigation information for them within that time frame.

"Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation," the Google security engineers said. "The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised."

Over the years, Google security researchers have found dozens of cases where attackers were actively targeting publicly unknown, or "zero-day," vulnerabilities in software from third-party vendors, Evans and Hintz said. "We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution," they said.

Many zero-day vulnerabilities are used against specific groups of individuals in targeted attacks that are often more serious than broader ones, the Google security engineers said. For example, political activists from certain parts of the world are frequently targeted and the compromise of their computers can have real implications for their personal safety, they said.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," Evans and Hintz said.

Google expects to be held to the same standard and hopes that this new recommended time frame for zero-day vulnerability response will improve the coordination of vulnerability management and the overall state of security on the Web.

Carsten Eiram, the chief research officer at security firm Risk Based Security, agrees that making information about zero-day vulnerabilities known to users is important. "Each day an 0-day [vulnerability] is left undisclosed, systems are at a greater risk," he said Thursday via email. "Google providing other vendors with 7 days to respond by either publishing an announcement or a fix is very reasonable; they should not provide more."

Google has a fairly large security research team whose members are often credited by third-party vendors, including large ones like Adobe and Microsoft, with discovering vulnerabilities in their products.

However, while Google's new disclosure recommendation will most likely be followed by the company's own security researchers, it remains to be seen if it will also be adopted by third-party researchers or if it will influence vendors.

"Sadly, things don't change from one day to another," Kasper Lindgaard, the head of research at vulnerability management firm Secunia, said Thursday via email. "We do hope that all vendors will be influenced by this, that they will continue to improve their patching response times and accept their responsibility to ensure that 0-day vulnerabilities are patched as soon as possible."

Lindgaard described Google's seven-day time frame for coming up with a fix or workaround for a previously unknown vulnerability that is being actively exploited by attackers as being "sensible."

"To respond within 7 days with a properly tested patch without regressions is not always going to be possible, but in most cases it should be possible to come up with workarounds, if a patch is not available," he said. "So yes, I would expect that, in most instances of highly critical 0-day vulnerabilities, a vendor should be able to produce at least a workaround within 7 days."

Large software vendors like Microsoft, Adobe and Oracle, whose products are a frequent target of zero-day attacks, have experience in dealing with such incidents and have processes in place that allow them to respond in a timely manner most of the time. However, smaller vendors might be less prepared to deal with zero-day vulnerabilities and alert their customers.

"Our policy has always been to fix exploits in the wild as soon as possible," said Heather Edell, Adobe's senior manager of corporate communications, via email. "This is usually within seven days, unless there are extenuating circumstances."

Oracle did not immediately respond to a request for comment sent Thursday regarding Google's new recommended timeline for zero-day vulnerability disclosures.

On its part, Microsoft, which also finds vulnerabilities in third-party products, follows a disclosure process that it calls Coordinated Vulnerability Disclosure (CVD). This process doesn't use disclosure deadlines, as Microsoft prefers to coordinate with the affected vendors until fixes are released.

However, in cases of unpatched vulnerabilities in third-party products that are being actively exploited or that become publicly known, Microsoft researchers work with the affected vendor to release an advisory with potential mitigations and workarounds before a fix is ready.


Stories by Lucian Constantin
