Google's Project Zero was set up to find and catalogue vulnerabilities in widely used software and report them to vendors "in as close to real-time as possible." But what happens if a vendor then fails to ship a fix within the 90-day window?
Microsoft just found out the hard way: Google will go ahead and publish the bug anyway, complete with code that can be used to exploit it.
A Project Zero researcher found a Windows 8.1 security hole that allows lower-level users to become administrators, giving them access to sensitive system functions they'd normally have no right to. Though it remains unpatched by Microsoft, the Project Zero team published it several days ago - right on schedule.
Microsoft was quick to point out that attackers would "need to have valid logon credentials and be able to log on locally to a targeted machine." While that should limit the damage, it doesn't mean the flaw is harmless - a disgruntled mid-level employee with some programming skills could wreak serious harm, for instance, and a local elevation-of-privilege bug is exactly the kind of flaw that gets chained with any other bug that yields code execution as an ordinary user.
Mountain View told several tech writers that "just to make this absolutely clear, the (bug) was reported to Microsoft on September 30 (along with) the 90-day disclosure deadline statement... which in this instance has passed."
Still, some observers have raised questions about whether Project Zero does more harm than good if Google isn't flexible with its publishing deadline. Others argued that Microsoft had plenty of time to fix the bug, and Google was firm about its policy.
Google's statement said that "Project Zero's disclosure deadline ... allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face." But it also added that "we're going to be monitoring the effects of this policy very closely."
Meanwhile, Microsoft said that it's currently "working to release a security update to address an Elevation of Privilege issue." For full statements from both companies, see below.