Yesterday, Google’s threat analysis team released a public disclosure of a flaw in Windows that allows hackers to bypass security sandboxes. While we applaud disclosures, there are some questionable policies at play from Google that allowed them to make the disclosure just 10 days after telling Microsoft of the flaw, which was well before Microsoft had time to release a patch.
In most cases, when a (responsible) security team or individual discovers an exploitable flaw, the first step is to contact the vendor and make sure they understand the issue. It is then not unusual to request that the vendor acknowledge the flaw and provide a plan of action. Keeping in mind that it is completely up to the group, team, or individual how they will disclose their findings publicly, the customary thing to do is to give the vendor some time to fix the bug before going public. Most vendors are very responsive in communicating with the discovering team/person and will offer a valid date for a patch, at which point the team/person can disclose their findings. Again, the date of disclosure is completely up to the researcher, so if the researcher feels that the vendor is stalling or unwilling to fix the bug, they are under no obligation to wait.
In Google’s case, however, they’ve had a standing policy in place since 2013 that sets a very short notify-to-disclose window, giving a vendor only 7 days after notification. So really, by Google’s standards, 10 days was a gift. Many people in the research field have expressed that Google’s disclosure policy is a bit extreme, noting that some bugs are more complex than others.
There are two sides to this coin. On the one side, we need disclosures to be timely so that the public can react accordingly and keep their knowledge of potential risks current. On the other side, disclosing an exploit before there is a fix can leave people exposed and even expand the use of that exploit. It’s a fine line to dance around, and dangerous if the news comes too early or too late.
Microsoft’s response to Google’s disclosure was about what you’d expect: a little peeved. They also followed it with a more detailed explanation and said, “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.” As expected, really. Also, they’ll release a comprehensive patch on Nov. 8th.