Slashdot Mirror

← Back to Stories (view on slashdot.org)

Questioning Google's Disclosure Timeline Motivations

Posted by timothy on from the comparative-advantage dept.

An anonymous reader writes "The presence of 0-day vulnerability exploitation is often a real and considerable threat to the Internet — particularly when very popular consumer-level software is the target. Google's stance on a 60day turnaround of vulnerability fixes from discovery, and a 7-day turnaround of fixes for actively exploited unpatched vulnerabilities, is rather naive and devoid of commercial reality. As a web services company it is much easier for Google to develop and roll out fixes promptly — but for 95+% of the rest of the world's software development companies making thick-client, server and device-specific software this is unrealistic. Statements like these from Google clearly serve their business objectives. As predominantly a web services company with many of the world's best software engineers and researchers working for them. One could argue that Google's applications and software should already be impervious to vulnerabilities (i.e. they should have discovered them themselves through internal QA processes) — rather than relying upon external researchers and bug hunters stumbling over them."

21 of 73 comments (clear)

  1. You suck by AmiMoJo · · Score: 4, Insightful

    If your company is producing security critical software and doesn't have a plan for quickly dealing with bugs you suck.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:You suck by JMJimmy · · Score: 5, Insightful

      Also, even if they can't patch it quickly the point is to inform users so they can take appropriate precautions.

  2. -1 Flamebait by a_n_d_e_r_s · · Score: 4, Insightful

    For article. Sadly you can't moderate an article.

    --
    Just saying it like it are.
    1. Re: -1 Flamebait by Anonymous Coward · · Score: 2, Insightful

      Agreed. Submitter sputtered the industry line, but if the industry wanted different standards they should try setting *some* standards instead of pretending that it's OK to ignore vulnerabilities.

  3. Good catch by Anonymous Coward · · Score: 2, Interesting

    Google has a decent point, but they're also trying to nudge the industry in a direction where more businesses will leave the driving to them, or to cloud competitors like Amazon.

  4. Just Google? by chrylis · · Score: 5, Insightful

    Why single out Google? Shouldn't traditional software vendors have also run programs through QA?

    1. Re:Just Google? by Nerdfest · · Score: 5, Insightful

      Most other companies doesn't have well funded FUD campaigns directed against them.

    2. Re:Just Google? by Vintermann · · Score: 2

      It's Google who are pushing a 7-day deadline for vulnerability disclosure. These companies are in effect saying "That's not fair, we can't fix our software that quickly!". It would be a real PR foot bullet if people understood what they're saying.

      --
      xkcd is not in the sudoers file. This incident will be reported.
  5. Perhaps Google does tell companies... by hsmith · · Score: 4, Informative

    And they simply don't do anything? I've contacted companies about security flaws I've found in their products and was met with deafening silence.

    Until I publicly announce them on platforms like Twitter, then you have their full attention.

  6. Exactly... by theshowmecanuck · · Score: 4, Informative

    Testing can find the presence of bugs, not the absence of them. An ages old adage that has withstood the test of time because it is true. Only the new to the game or naive would think otherwise.

    --
    -- I ignore anonymous replies to my comments and postings.
  7. Critical vulnerabilities under active exploitation by mattiaza · · Score: 5, Informative

    Google recommends 7 days for "critical vulnerabilities under active exploitation", and 60 days for vulnerabilities that are assumed to not yet be known to attackers.

    Frankly, even 7 days is too long for active attacks. Publishing the vulnerability lets users to use a workaround or shut down the service or app entirely until a fix is released.

  8. You're right, 7 days isn't good enough by Anonymous Coward · · Score: 3, Insightful

    A vulnerability that is already being exploited needs to be fixed right away. It's called 0-day for a reason, not 7-day. It should be disclosed immediately to force the vendor to do something about it.

  9. What?! by CanEHdian · · Score: 5, Insightful

    a 7-day turnaround of fixes for actively exploited unpatched vulnerabilities, is rather naive and devoid of commercial reality. As a web services company it is much easier for Google to develop and roll out fixes promptly — but for 95+% of the rest of the world's software development companies making thick-client, server and device-specific software this is unrealistic

    Hello there, mr/ms/mrs anonymous COWARD, what are you saying there? It COSTS TOO MUCH to prompty (as in a week) fix ACTIVELY EXPLOITED vulnerabilities? When you get the actual problem handed to you on a silver platter? What company do you work for?

    --
    When the copyright term is "forever minus a day", live every day like it's the last.
  10. Slower? He's Saying Slower?!? by Bob9113 · · Score: 3, Insightful

    a 7-day turnaround of fixes for actively exploited unpatched vulnerabilities, is rather naive and devoid of commercial reality.

    I read that and I was thinking, "Well, yeah, sure - I shoot for one hour and can't recall the last time it took more than a day to get a critical bug patch out, but that's not really reasonable for everyone. The team I work on is pretty focused on keeping the tracks polished so we can get high priority things through. I think 7 days is OK. It could be better, but it's OK. And Google isn't even saying it will take 7 days, they're saying 7 days is the max. But, whatever, I guess -- ultimately agitating for faster patches is something I support."

    for 95+% of the rest of the world's software development companies making thick-client, server and device-specific software this is unrealistic.

    What?!? You mean it's not realistic to get the patch available within 7 days? I mean, obviously you can't expect users to have their systems patched immediately, and sometimes a third party (like a walled garden approval path) can lock you out. But is the writer saying 95% of companies can't even have a patch pushed for release in 7 days?

    If that is true, we, as a society, need to drop what we're doing and focus on security, build management, QA workflow, whatever it is that is making that a reality. 7 days is acceptable. 95% of companies can't hit 7 days? First, that is not true in my experience. But if it is? That is not acceptable, if it is true. There really are bad people out there trying to root our electronics. Seven days to get a patch out for an actively exploited in the wild vulnerability is enough. Work the problem. Figure out why you can't hit that number, and fix it.

    --
    Stop-Prism.org: Opt Out of Surveillance
  11. I smell a flack by linuxwrangler · · Score: 2

    It's no wonder this article was posted anonymously. The whole tone and writing style is exactly what one would expect in a position statement cranked out by a corporate PR flack. I wonder whose flack it is.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  12. Naive and devoid of reality? by Sloppy · · Score: 3, Insightful

    Google's stance on a 60day turnaround of vulnerability fixes from discovery, and a 7-day turnaround of fixes for actively exploited unpatched vulnerabilities, is rather naive and devoid of commercial reality.

    I think what you're saying, is that if someone is going around stabbing people in the heart, and if a doctor says these victims all need immediate medical attention (even the victims which are in isolated areas far from hospitals), then that doctor is being naive and devoid of medical reality.

    I personally think you should quit blaming the doctor for the unfairness and horror that is inherent in the situation. Declaring the urgency of a problem being addressed, isn't "naive". It's not naive, even if addressing the problem is incredibly hard or even if it's effectively impossible.

    If the doctor truly thinks the victims all really will get "immediate medical attention" then he'd be naive. But advising it isn't naive. Yelling at people "get that victim to the ER as fast as you can!" isn't naive. Telling people that heart stab wounds are very serious, isn't naive.

    And the analogy with Google here, is that you just got stabbed in the heart, they're advising and hoping you get immediate medical attention, and 7 days from now, if your wife asks Google if they've seen you lately, they're going to tell your wife, "I heard he got stabbed in the heart last week. You took him to the hospital, right? If not, you better get on that, right now." You're concerned Google is going to scare your wife?! Be concerned that you're not at the hospital yet!

    You think Google is being naive with unreasonably high expectations, but the need for those high expectations isn't their fault!

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  13. Nice double standard by russotto · · Score: 2

    Google's standards are too hard to be realistic for the rest of the industry, but the standards for Google itself are 0 security defects ever. How does that work again?

    (disclosure: I work for Google. I don't speak for them.)

    1. Re:Nice double standard by NotBorg · · Score: 2

      The whole reason for not disclosing is to prevent the bad guys from knowing about it. The words "actively exploited" means the bad guys know about it. Ergo there's no reason not to disclose it. Waiting seven days is not too short because it's pointless to wait at all under said circumstance.

      --
      I want this account deleted.
  14. Re:Just Google? Not at all by chrylis · · Score: 2

    Oh, I'm completely with you: Developers should run QA, but there will always be bugs that slip through. I was responding to the AP's insinuation that Google should be catching all their security problems in internal QA but that Microsoft should get a pass for some reason.

  15. Vendor's processes not relevant by Todd+Knarr · · Score: 4, Insightful

    As a user, I don't care about the vendor's ability to fix it quickly. Really I don't. That's their problem. My problem is that my systems are vulnerable to compromise and I have to do something about it. I need to know what the vulnerability is, in enough detail to understand it myself, and I need to know the possible workarounds (not just the vendor's recommended one(s), which is another reason I need to know what the vulnerability actually is so I can understand all the other possible ways of dealing with it). I need to evaluate my options and take whatever steps I need to to protect my systems. If the vendor needs a month to get the fix through their change-control process, I still need to protect my systems today.

    The vendor's advice will be based on their most-likely scenario. Problem is that my situation may be radically different from the vendor's most-likely one. There's definitely going to be local considerations even if my situation's one the vendor's workaround covers. I need to understand the vulnerability to be able to evaluate it intelligently. It may not even be relevant to my setup. If it is, I may have less-intrusive workarounds (eg. for the SSH OTP authentication bug, if we've got a purely internal network that isn't accessible to the outside world or the Windows desktop portion of the network it may be less intrusive to just monitor for attempted exploits and defer doing anything until I see someone having gotten past the air gap rather than changing an authentication method that a lot of people depend on and that can't be exploited easily without being physically in the building). And if I need to take drastic steps like disabling the vulnerable SSH authentication method, I may have clients who insist they must be able to use it (maybe because their systems are based on it and they need my systems to integrate with their authentication because I'm providing services to them) and I need to be able to intelligently discuss exactly what's wrong and why it's simply not possible to use that method without being vulnerable and we've got to change to a different method despite the disruption. I can't do that unless I understand the vulnerability.

    Notice that in all the above I haven't mentioned the vendor at all. Like I said, the vendor isn't relevant at all. It's my systems that're vulnerable and me that has to do something about it. If the vendor already has a fix then well and good, but if they don't it doesn't change my situation. When vendors say they need more time, they're asking me to leave my systems vulnerable without telling me they're vulnerable. Sorry, but no. Not, that is, unless they're willing to shoulder 100% of all the costs resulting from that vulnerability being exploited. Not just direct costs, things like the costs of lost business and clean-up if the vulnerability is exploited and liabilities I may incur because of the compromise. If a vendor isn't willing to take on that liability, then they don't get to tell me I shouldn't have the information I need to protect myself from that liability. If they don't like it... this is the sound of the world's smallest violin, playing the world's saddest song just for them.

  16. Because all of Google's products are web sites... by swillden · · Score: 2

    I guess Chrome, ChromeOS, Android, numerous Android apps, Google Earth, Google Drive, Picasa and Google's many other traditional installable software products don't count.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.