Google pressures industry to make software flaws public faster

Search giant puts heat on software industry to clean up its mistakes quickly--some within seven days.

Google threw the gauntlet down before the software industry to clean up its mistakes faster than has been done in the past.

Critical vulnerabilities in software programs that are being actively exploited by hackers should be made public seven days after the software vendor is made aware of the flaw by whoever discovered it, the company advocated in a blog post published Wednesday by Google security engineers Chris Evans and Drew Hintz.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," the pair wrote.

For flaws not being actively exploited by online marauders, Google continues to support giving software vendors 60 days to address a flaw before it is made public by its discoverer.

Special cases

Actively exploited vulnerabilities, however, are special cases that need special attention, they argue.

"The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised," they wrote.

Google's zeal for quick action may be a harsh solution that could do more harm than good, argued Trusteer Vice President Yishay Yovel.

"What Google is doing isn't going to accelerate the patching process," he told PCWorld. "In fact, it will notify the hacker community about yet another opportunity it will have to attack enterprises."

Pushing patches out in seven days won't speed up the process of mitigating the vulnerability because organizations will continue to be slow in installing the patches pushed to them. "What we're seeing in the marketplace is hackers targeting vulnerabilities that are two years old," Yovel said.

"That's because organizations often don't patch," he added. "They just don't get to it."

By custom, security researchers who find vulnerabilities in software are bound not to reveal what they find to the public until a vendor fixes the flaw. Vendors, though, haven't always fixed problems in a timely manner. That's left researchers hanging in the dark while users remain vulnerable.

Even after vulnerabilities are made public, software vendors have ignored them. Microsoft, for example, once took seven years to patch a known vulnerability.

However, Microsoft now is very diligent about patching its software. It releases regular software updates on the second Tuesday of the month. That contrasts with a company like Oracle, which has a 120-day patch cycle for Java, although, of late, it has had to break out of that cycle.

Microsoft's diligence hasn't been diligent enough for Google, apparently. Two weeks ago, in a fit of miff, Google security researcher Tavis Ormandy ignored Microsoft entirely when he made public a vulnerability in Windows 7 and 8. He justified the move--called irresponsible by some security researchers--by stating, "I don't have much free time to work on silly Microsoft code..."

Stories by John P. Mello Jr.