Google zero-day disclosure change slammed, praised

Google's dramatic shift to a seven-day grace period before disclosing actively exploited zero-day vulnerabilities in software has drawn both praise and derision from security experts.

Security engineers Chris Evans and Drew Hintz said on Wednesday in the Google Online Security Blog that the company was dropping the previous 60-day window.

"The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised," the engineers said.

While acknowledging the timeline was likely too short for some vendors to patch their products, Google believed companies could at least publish advice on how customers could protect themselves. Other options while a permanent fix was under development included disabling the flawed service or restricting access.

"After seven days have elapsed without a patch or advisory, we will support researchers making details available, so that users can take steps to protect themselves," Evans and Hintz said in the blog post.

Experts were sharply divided over the new policy. While some said the timeline was sufficient and hoped it would pressure vendors into moving faster, others said the move was draconian and ignored the realities of fixing vulnerabilities.

"It's a really, really risky and inappropriate blanket policy," said Randy Abrams, research director for application security tester NSS Labs. "Software is very, very complex and seven days is not enough time in most cases."

An alternative would have been cutting the timeline in half to 30 days, and deciding on a case-by-case basis whether a seven-day window is more appropriate, Abrams said. Even though Google said it would hold itself to the same standard, he doubted that would be the case.


"I would expect that if something isn't convenient, they'd redefine whether or not it is a critical vulnerability," Abrams said.

While acknowledging the timeline is tight, other experts believed it was enough for vendors to at least advise customers that cybercriminals were attacking a previously unknown flaw. The rationale for earlier disclosure is that if the bad guys already know about the vulnerability, why shouldn't customers?

"I almost think it should be a fiduciary responsibility that once a company is aware of something that they need to inform their customers," said Rick Holland, an analyst with Forrester Research.

The shorter grace period means companies using the flawed software could take steps sooner to check their systems for infection and to block attackers, Holland said.

Gunter Ollmann, chief technology officer for IOActive, which focuses on security in industrial control systems, believed Google was being disingenuous because as a Web-based service provider, it could fix vulnerabilities in its data center much faster than a software vendor.

"If anything, I would hope that Google could step up to the plate more aggressively and block the malicious content and/or remove it from search results when zero-days are under way," Ollmann said in an emailed statement. "That would be much more productive and have a meaningful impact to the vulnerable users/targets."

The one point experts agreed on is that it is highly unlikely that most companies, whatever their size, can get a patch out in seven days. But Wolfgang Kandek, chief technology officer for Qualys, believed the deadline could easily be met because Google is, at a minimum, only asking for an advisory, "as long as the vendor had all administrative hurdles clear, i.e. legal language, formatting, publishing strategy, etc."

"I think it is a step in the right direction," Kandek said of Google's new policy.

Cybercriminals have been finding and exploiting zero-day vulnerabilities at a troubling rate, so vendors have to respond much quicker, Holland said.

"Something has to change within the security industry to keep us from the [company] logo of the week getting hit," Holland said. "Our industry is so depressing sometimes to work in because it's just doom and gloom all the time."

"No questions about it, this is a bold change," he said.

Read more about application security in CSOonline's Application Security section.


Stories by Antone Gonsalves
