Google's third zero-day disclosure: Holding Microsoft's feet to the fire

The Google engineer responsible for the latest revelation has won multiple Microsoft awards for finding security flaws


Another day, another zero-day revelation. Yesterday Google released its third recent disclosure of an unpatched Windows security hole.

Here's how they've appeared:

Google Issue 118, released to the public on Dec. 29, involves a flaw in the Windows Application Compatibility Cache. It was patched on Jan. 13, in MS15-001. Microsoft was notified of the flaw on Sept. 30. I can't find any record of Microsoft contacting Google to ask that this notification be withheld.

Google Issue 123, released to the public on Jan. 11, concerns a security hole in the User Profile Service. It, too, was patched on Jan. 13, in MS15-003. Microsoft was notified on Oct. 13. According to the Google listing, Microsoft asked for a reprieve -- until February:

Correspondance (sic) Date: 11 Nov 2014

> Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline.

< Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.

Correspondance Date: 11 Dec 2014

> Microsoft confirmed that they anticipate to provide fixes for these issues in January 2015.

This is the two-day trigger that drew a vehement response from many in the security community. Why, many asked, couldn't Google wait two days for the fix to be released? The press reports almost universally overlook the fact that Microsoft originally asked for an extension until February.

Google Issue 128, released yesterday, Jan. 15, unveils a flaw in the CryptProtectMemory routine; it hasn't been patched as yet. Microsoft was notified on Oct. 17. According to the Google listing, Microsoft has responded:

Correspondance Date: 29 Oct 2014

< Microsoft confirm they've reproduced the issue and think it might constitute a security feature bypass. Further confirmation will be provided soon.

Correspondance Date: 14 Jan 2015

< Asked Microsoft for information on whether they were going to fix this issue and timescales of it. Notified them that the current deadline is the 15th January.

> Microsoft informed us that a fix was planned for the January patches but has to be pulled due to compatibility issues. Therefore the fix is now expected in the February patches.

The debate rages on as to whether "Don't be evil" Google is flaming Microsoft at their mutual customers' expense -- whether Microsoft or Google (choose your side) wears the white hat in this very public spat. I firmly believe that Microsoft has to be held accountable, but I'm not convinced that an absolute 90-day deadline works to anyone's advantage.

The best solution to the impasse that I've seen comes from ZDNet's Ed Bott:

One obvious solution would be for Google to acknowledge that both Microsoft and Adobe have standardized on the second Tuesday of each month as their date for delivering patches and adjust the deadline to correspond to the Patch Tuesday after the 90-day deadline expires. That would be trivially easy code to write, and it would be no less arbitrary than 90 days. Unfortunately, it would also require meaningful cooperation between Google and Microsoft, which means it's probably not going to happen anytime soon.
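To show what Bott's "trivially easy code" would actually look like, here is a small added example (my own illustration, not code from Google, Microsoft, or Bott). It takes the three notification dates given above, computes the fixed 90-day deadline, and then slides that deadline forward to the next Patch Tuesday (the second Tuesday of the month). One assumption I have made: if the 90th day already falls on a Patch Tuesday, that day counts, since the patch would ship that morning.

```python
from datetime import date, timedelta
import calendar

# Project Zero's fixed disclosure window, as stated in the article.
DISCLOSURE_WINDOW_DAYS = 90

# Notification dates for the three issues, taken from the article.
NOTIFICATIONS = {
    "Issue 118 (AppCompat cache)": date(2014, 9, 30),
    "Issue 123 (User Profile Service)": date(2014, 10, 13),
    "Issue 128 (CryptProtectMemory)": date(2014, 10, 17),
}


def patch_tuesday(year, month):
    """Second Tuesday of the given month (Microsoft's and Adobe's patch day)."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday; weekday() counts Monday as 0.
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def fixed_deadline(notified):
    """The plain 90-day deadline Google applies today."""
    return notified + timedelta(days=DISCLOSURE_WINDOW_DAYS)


def patch_tuesday_deadline(notified):
    """Bott's variant: the first Patch Tuesday on or after the 90-day deadline.

    Assumption: a deadline that lands exactly on Patch Tuesday is not moved.
    """
    deadline = fixed_deadline(notified)
    candidate = patch_tuesday(deadline.year, deadline.month)
    if candidate < deadline:
        # This month's patch day has already passed; use next month's.
        if deadline.month == 12:
            candidate = patch_tuesday(deadline.year + 1, 1)
        else:
            candidate = patch_tuesday(deadline.year, deadline.month + 1)
    return candidate


def compare_policies(notifications=NOTIFICATIONS):
    """Return {issue: (fixed_deadline, patch_tuesday_deadline)} for each issue."""
    return {
        name: (fixed_deadline(notified), patch_tuesday_deadline(notified))
        for name, notified in notifications.items()
    }


if __name__ == "__main__":
    for name, (fixed, aligned) in compare_policies().items():
        print(f"{name}: 90-day deadline {fixed}, Patch Tuesday deadline {aligned}")
```

Run against the article's own dates, the fixed deadlines come out as Dec. 29, Jan. 11, and Jan. 15, matching the disclosure dates above; the Patch Tuesday variant moves the first two to Jan. 13, the day MS15-001 and MS15-003 actually shipped, and the third to the February patch day.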

A little bit of sleuthing uncovered the name of the Google researcher who found the three security holes. James Forshaw, formerly head of vulnerability research at Context Security in the United Kingdom, now works for Google Project Zero. He's well-known on the conference circuit, having spoken at Blackhat US, Blackhat Europe, CanSecWest, and 29C3. Remarkably, Forshaw won the Pwn2Own competition in Java in 2013.

Even more remarkably, Forshaw won a $9,400 Bounty Hunter award from Microsoft in 2013 for discovering flaws in IE11, and a $100,000 Bounty Hunter award, also from Microsoft, for a mitigation bypass bug. Per TechNet's Microsoft BlueHat blog:

James' submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty… Congratulations and well done! You not only made history by receiving a total of $109,400 from our bounty programs, you're also helping us make our customers safer from entire classes of attack. On behalf of over a billion people worldwide -- Thank you and way to go!!

It would be interesting to hear from Forshaw how he feels about Google's iron-fisted 90-day disclosure policy.

Copyright © 2015 IDG Communications, Inc.