Overcome The Microsoft Mindset: Patch Faster

Published: 22/11/2024   Category: security

Why can't vendors patch every critical bug as if it were the Pwn2Own competition?



Software vendors: Prepare to adjust your patching reality.
The long-running debate about how fast software vendors should be required to squash bugs in their products is heating up again, following Microsoft's release on July 9 of a fix for a critical bug that had been detailed publicly by Google security researcher Tavis Ormandy seven weeks prior. Microsoft said the bug had already been exploited in targeted attacks.
Who's right and wrong in this scenario? Ormandy, for releasing full details of a bug and a working exploit without giving Microsoft a courtesy call and time to code a fix? Or Microsoft, for dictating the terms of the game and generally giving itself lots of time to fix bugs that aren't being actively exploited?
Regardless of your take, Google seems set to rewrite the rules of the bug-patching game, after two of its security researchers, Chris Evans and Drew Hintz, issued a warning to vendors in a May blog post: in cases of critical vulnerabilities under active exploitation, Google will now give vendors only seven days to release a patch. After that time, Google will issue full details of the vulnerability. For anything that's not critical, Google is sticking with its recommendation to fix bugs within 60 days or else issue workarounds and mitigation techniques to affected users.
While acknowledging that the seven-day timeline is aggressive, Evans and Hintz said everyone stands to benefit. "By holding ourselves to the same standard, we hope to improve both the state of Web security and the coordination of vulnerability management," they said in their post.
Google's revised bug-disclosure timeline is good news for all software users. "It shows that the long timeframes that the industry has been operating under -- find a vulnerability, ensure it's fixed within six months or a year -- isn't adequate," SANS Institute fellow Ed Skoudis told me in a phone interview. "So Google is trying to juice the whole thing to make it happen faster."
Skoudis added: "Microsoft got us into this mindset: You find a flaw, responsibly tell a vendor, and darn it, there will be a fix out within a year."
The annual Pwn2Own competition, hosted by Hewlett-Packard's DVLabs Zero Day Initiative (ZDI), has also been reshaping our collective patching mindset. Google and Mozilla were able to patch the issues that were being exploited in the competition in less than two days, said ZDI manager Brian Gorenc, speaking by phone. Of course, it was in both companies' best interests to patch their browsers quickly, thus making Chrome and Firefox look better than Internet Explorer. "For actively exploited bugs, they pose an immediate problem for vendors, and they need to be pressured to act quickly," Gorenc said.
What's the rush? "Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world," said Google's Evans and Hintz. Of course, businesses and government agencies also are at risk from unpatched, easy-to-exploit flaws.
Furthermore, any vulnerability discovered by one security researcher might already have been discovered by another, privately sold to the highest bidder, and used in stealthy targeted attacks. Last year, Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, reported that more bugs were being sold on the open market than through bug bounties and compensated responsible disclosure through firms like ZDI and TippingPoint.
Patching bugs more quickly -- or else releasing details of workarounds -- would ease the pressure on business customers of that software, said Flavio de Cristofaro, VP of engineering for professional products at Core Security, and Fernando Miranda, a senior researcher at Corelabs, in a joint email interview. "During the last few years we've been seeing critical vulnerabilities being actively exploited in the wild with almost no formal information/notifications about them from important vendors, consequently causing several losses to companies and end users," they said.
Reality check: Just how quickly do vendors now patch? Based on the 150 security advisories handled by Core, the average is three months. Microsoft, in one 2009 case involving an Internet Explorer Security Zone restrictions bypass, took eight months to release a fix. More recently, Core informed Apple of a Mac OSX Server DirectoryService buffer overflow vulnerability on Jan. 9, but Apple didn't manage to release a fix for the bug -- which apparently wasn't being actively exploited -- until June. And this was after blowing four deadlines, triggering extra work for everyone involved. "From a communication perspective, the process was not as smooth as expected," said Cristofaro and Miranda.
"In general, big players are very proactive answering our initial contact, but they usually require more time to set up and align their processes and teams to fix a given issue," Cristofaro and Miranda said. Smaller vendors, meanwhile, act in widely disparate ways, with some ignoring requests altogether and others requesting excessive -- greater than six months -- time to make a fix.
Already, there are promising signs of change. Microsoft, for example, previously opposed releasing public details of any non-critical vulnerability as long as the vendor was working on a fix. But on July 9 the company announced a 180-day deadline for developers that distribute their apps on the Windows Store, Windows Phone Store, Office Store or Azure Marketplace to update their applications after receiving a report of a bug that rates as important or critical on Microsoft's exploitability index. Failure to comply with that deadline is grounds for Microsoft to withdraw the app from sale. In its announcement, Microsoft said it will take its own medicine: the requirement applies to all apps available in the online stores, including Microsoft apps.
Would Microsoft really withdraw its own operating systems or applications from its app store if a vulnerability took longer than six months to fix? Don't hold your breath. But as Google holds vendors with critical, exploited product vulnerabilities to a seven-day fix cycle -- offering them a clear choice between patching quickly or facing PR peril -- it's time for all software vendors to hold themselves to a higher standard.
