Microsoft Security Response Center senior director Chris Betz, who was in the limelight late last week for abruptly killing Microsoft's Advanced Notification Services, now has a blog post on TechNet that rips into Google. While his conclusions have merit, some of the details warrant closer scrutiny.
The subject is the long-running feud between Google and Microsoft over the handling of zero-day flaws. Google engineer Tavis Ormandy has built a reputation in security circles for finding zero days in Windows and notifying Microsoft. If no action is forthcoming from Microsoft in a pre-determined amount of time (usually 90 days), Ormandy releases the details (presumably with Google's permission), typically on the Full Disclosure mailing list. Gregg Keizer at Computerworld has details on similar situations in 2010 (where Ormandy gave Microsoft only five days) and 2013.
The process is now formally supported by Google, under the name Project Zero.
There's no better way I know to get Microsoft's attention.
The latest instances actually concern two zero-day bugs, both reported by a Google researcher known as Forshaw, who reported the NtApphelpCacheControl bug in Windows 8.1 on Sept. 30. The report contains Google's usual warning:
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Sure enough, 90 days later, on Dec. 29, the bug became visible to the public.
The second bug, involving User Profile Services escalation -- which the press appears to have missed -- was posted on Oct. 13. It, too, had a 90-day countdown warning. That bug was released to the public late Sunday night, Jan. 11.
As it has in the past, Microsoft (understandably) hit the roof. Betz puts it this way:
Ultimately, vulnerability collaboration between researchers and vendors is about limiting the field of opportunity so customers and their data are better protected against cyberattacks. Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a "fix" before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.
For reasons that escape me, Betz appears to ignore the Dec. 29 NtApphelpCacheControl disclosure and focuses instead on the Jan. 11 User Profile Services bug. He goes on to say:
Coordinated Vulnerability Disclosure philosophy and action is playing out today as one company - Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a "gotcha", with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
The "well known and coordinated Patch Tuesday cadence" phrase had me spitting up my coffee. I've been writing since last August about the way Microsoft is tearing apart its old Black Tuesday cadence (make that "Update Tuesday cadence") and releasing patches on any random Tuesday. I think it's a bad move that will haunt Microsoft with Windows 10.
You also have to wonder why Betz focused on the User Profile Services escalation zero day, while neglecting to mention the NtApphelpCacheControl bug. Is it possible that Microsoft doesn't have a patch for NtApphelpCacheControl waiting in the wings yet?
The press, predictably, has it all garbled. Betz's comments about "two days before" clearly implicate the User Profile Services security hole. He isn't talking about NtApphelpCacheControl, although all of the press coverage I've seen as of early Monday morning points to the previously reported bug. It'll be interesting to see if Black Tuesday this month includes a patch for NtApphelpCacheControl. Without Advance Notification Services, we don't yet have a clue.
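To check the timeline arithmetic behind the "two days before" complaint, here is a small deadline tracker added for this article (not code from Google, Microsoft, or the author). It assumes a fixed 90-day disclosure window and that the regular release day is the second Tuesday of the month; the two report dates are the ones given above.

```python
from datetime import date, timedelta

# Project Zero's deadline as quoted in the article; Microsoft's regular
# release day is the second Tuesday of the month ("Patch Tuesday").
DISCLOSURE_WINDOW_DAYS = 90


def disclosure_deadline(reported: date, window_days: int = DISCLOSURE_WINDOW_DAYS) -> date:
    """Day the report goes public if no broadly available patch has shipped."""
    return reported + timedelta(days=window_days)


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month. date.weekday(): Monday=0, Tuesday=1."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(on_or_after: date) -> date:
    """Earliest Patch Tuesday that is not before the given date."""
    candidate = patch_tuesday(on_or_after.year, on_or_after.month)
    if candidate >= on_or_after:
        return candidate
    if on_or_after.month == 12:
        return patch_tuesday(on_or_after.year + 1, 1)
    return patch_tuesday(on_or_after.year, on_or_after.month + 1)


def deadline_vs_patch_tuesday(reported_iso: str) -> dict:
    """For a report date ('YYYY-MM-DD'), give the disclosure deadline, the next
    scheduled Patch Tuesday, and how many days early the disclosure lands."""
    reported = date.fromisoformat(reported_iso)
    deadline = disclosure_deadline(reported)
    fix_day = next_patch_tuesday(deadline)
    return {
        "deadline": deadline.isoformat(),
        "next_patch_tuesday": fix_day.isoformat(),
        "days_early": (fix_day - deadline).days,
    }


if __name__ == "__main__":
    # The two report dates from the article (Sept. 30 and Oct. 13, 2014).
    for reported in ("2014-09-30", "2014-10-13"):
        print(reported, deadline_vs_patch_tuesday(reported))
```

Run stand-alone it shows the NtApphelpCacheControl deadline landing 15 days ahead of the January Patch Tuesday and the User Profile Services deadline landing 2 days ahead of it, matching Betz's complaint.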
Here's how the argument boils down, in my estimation.
If you trust Microsoft to fix the holes in Windows, then Coordinated Vulnerability Disclosure -- where we, as customers, trust Microsoft to dig in and fix problems as soon as they're discovered -- is a great idea. We would trust Microsoft to fix the problems expeditiously because other people may have discovered the problem already. We also trust Microsoft to put enough money into the patching effort to make the fixes appear quickly and accurately.
If you don't trust Microsoft, then the question becomes how best to hold Microsoft's feet to the fire. Although some believe in full, immediate disclosure, I don't buy that. There has to be a better way. Google's approach seems to me a reasonable one -- although it's arguable that the zero-day notification window should be extended to 120 days.
The question remains: Do you trust Microsoft to diligently and accurately fix reported zero days?