Google pressures industry to make software flaws public faster

Search giant puts heat on software industry to clean up its mistakes quickly--some within seven days.

Google threw the gauntlet down before the software industry to clean up its mistakes faster than has been done in the past.

Critical vulnerabilities in software programs being actively exploited by hackers should be made public seven days after a software vendor is made aware of the flaw by whomever discovered it, the company advocated in a blog posted Wednesday by Google security engineers Chris Evans and Drew Hintz.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," the pair wrote.

For flaws not being actively exploited by online marauders, Google continues to support giving software vendors 60 days to address a flaw before it is made public by its discoverer.

Special cases

Actively exploited vulnerabilities, however, are special cases that need special attention, they argue.

"The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised," they wrote.

Google's zeal for quick action may be a harsh solution that could do more harm than good, argued Trusteer Vice President Yishay Yovel.

"What Google is doing isn't going to accelerate the patching process," he told PCWorld. "In fact, it will notify the hacker community about yet another opportunity it will have to attack enterprises."

Pushing patches out in seven days won't speed up the process of mitigating the vulnerability because organizations will continue to be slow in installing the patches pushed to them. "What we're seeing in the marketplace is hackers targeting vulnerabilities that are two years old," Yovel said.

"That's because organizations often don't patch," he added. "They just don't get to it."


By custom, security researchers who find vulnerabilities in software are bound not to reveal what they find to the public until a vendor fixes the flaw. Vendors, though, haven't always fixed problems in a timely manner. That's left researchers hanging in the dark while users remain vulnerable.

Even after vulnerabilities are made public, software vendors have ignored them. Microsoft, for example, once took seven years to patch a known vulnerability.

However, Microsoft now is very diligent about patching its software. It releases regular software updates on the second Tuesday of the month. That contrasts with a company like Oracle which has a 120-day patch cycle for Java, although, of late, it has had to break out of that cycle.

Microsoft's diligence hasn't been diligent enough for Google, apparently. Two weeks ago, in a fit of miff, Google security researcher Tavis Ormandy ignored Microsoft entirely when he made public vulnerability in Windows 7 and 8 . He justified the move--called irresponsible by some security researchers--by stating, "I don't have much free time to work on silly Microsoft code..."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags securityGooglepatchesbusiness security

More about GoogleMicrosoftOracleTrusteerTrusteerTrusteer

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello Jr.

Latest Videos

More videos

Blog Posts