This week, Google published a vulnerability in Windows 8.1 after a 90-day countdown timer automatically expired. Microsoft has not yet released a patch.
Controversy ensued. Obviously, yes, an unpatched, well-known vulnerability in Windows is troubling. But the alternative is worse.
The reason companies automatically disclose security findings after a set time period (frequently 90 days but sometimes as little as 30) is to raise the stakes. In the bad old days, this kind of security research was routinely ignored, so when a good-guy researcher found a vulnerability, there weren’t a lot of options.
You can see this when you point a vulnerability scanner at machines running very old software. Every vendor has a dark period, and it varies, but you’ll find vulnerabilities that don’t have any vendor patch available. The only answer is to upgrade to a new-enough version of the software where the vendor managed to fix the issue, whether intentionally or unintentionally. But during that time in between releases, the software was vulnerable. Sometimes that was years.
This eventually gave rise to the idea of responsible disclosure. The idea works like this: The researcher gives the software vendor all of the information available about the bug and works with the vendor for a set period of time. But if that set period of time expires and the bug isn’t patched, the details go public.
The model looks bad when something falls through the cracks like this one apparently did. And to an outsider, it may look like Google taking a cheap shot at its archrival Microsoft. But this is the exception, rather than the rule. Looking at the acknowledgements from the December Patch Tuesday bundle, Microsoft credited Google six times. In November, they credited Google seven times. Researchers from Microsoft and Google routinely work together to fix flaws in one another’s products even though the two companies don’t like each other very much. Both companies know that insecure software hurts both of them, regardless of who wrote it.
After the disclosure, Microsoft did release a statement. The statement is pretty much a canned response, saying it’s an elevation of privilege bug so it could be worse (true enough), and advising people to run up-to-date antivirus software. That last piece of advice is lip service if I’ve ever heard it, but it’s not complete hooey. Every time last year when my employer’s incident response team has asked me about a bug like this, I’ve been unable to download the exploit because one or more of our security controls, whether it’s our antivirus software or our web proxy, has blocked me from downloading it.
Microsoft didn’t come right out and give an estimate on when they would be releasing a patch, but you can rest assured they’re working on it now. If it’s ready before January 13–the next scheduled Patch Tuesday–they may very well release it right away rather than wait. They released several out-of-band patches last year. I hope they do it again this time, for several reasons.