
Google outs Windows flaw after Microsoft misses a patch deadline

Google's move is the latest in a round of spats with Microsoft over its Project Zero initiative to nudge vendors into fixing flaws

Microsoft has been stung anew by Google’s Project Zero wasps after the latter’s researchers made public a Windows 10 vulnerability which has yet to be patched.

The flaw in the Windows GDI’s gdi32.dll was supposed to have been patched with last June’s MS-16-074 bulletin, but according to Project Zero researcher Mateusz Jurczyk, that fix was only partial.

Jurczyk resubmitted his vulnerability report on November 16, which gave Microsoft 90 days to issue a fix under Google’s Project Zero protocol for non-critical flaws. With no patch forthcoming by the cut-off, he felt justified in making the issue public.

This would normally have been merely annoying for Microsoft, had the deadline, February 14, not also been the day it unexpectedly pulled its regular monthly update (formerly Patch Tuesday) because of an unspecified “last-minute issue”.

Worse still, not only was dropping a patch day unprecedented in a system stretching back to 2003, but Microsoft unsettled customers by pulling it completely until March 14.

It’s not certain that a fix had been prepared for February, but the long delay pushes it back by weeks unless an out-of-band patch is issued, something reserved for serious flaws that are actively being exploited.

If Google embarrassing Microsoft over unpatched vulnerabilities sounds familiar, it is. Barely three months ago, the pair crossed swords after Google disclosed a zero-day flaw days in advance of a patch. As Microsoft’s Terry Myerson complained at the time:

We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.

Further back, in early 2015, barely six months after Google set it up, Project Zero was heavily criticised by Microsoft after it released details of a privilege escalation flaw in Windows 8.1 under its 90-day protocol even though a Patch Tuesday fix was due two days later.

Stung, Google revised its policy to allow for an extension of up to 14 business days where a fix was on its way.

These ongoing spats boil down to whether Google’s disclosure policy is in the interests of the public as opposed to the convenience of an affected vendor, in this case Microsoft.

Google works to three timescales: the 90-day rule, which applied to the latest vulnerability; 60 days if the flaw is rated critical; and seven days if it is already being exploited.

As Google said in a 2015 blog post, timescales are always a balancing act: the vendor must have some time, but not so much that there is no incentive to issue a fix quickly.

US CERT/CC works to an even more aggressive 45-day policy, Yahoo 90 days, while TippingPoint’s old Zero Day Initiative (ZDI) assumed 120 days. Arguably, by this measure, Google is being overly generous. Google explained:

We’ve chosen a middle-of-the-road deadline timeline and feel it’s reasonably calibrated for the current state of the industry.

Microsoft has yet to respond to the latest Project Zero disclosure, but with an extraordinary one-month update delay to cope with, this may simply be the least of its worries.


8 Comments

In the past, Microsoft split its patches up instead of sending out one big one for the month. If a patch had problems, they could just stop that patch, while letting the rest through. Now it all gets held up if anything has a problem. I wonder if this vulnerability is now a side effect of that policy. I still feel Google should stop disclosure of vulnerabilities when vendors are honestly trying to fix them, though.

I agree, but how does one company decide that another company is really trying to fix them? 90 days actually seems too long for me.
Anyhow, yes, I think the move to their new patching model is indeed affecting this, and probably numerous other patches.

Google is quite merciless. This is the second time I see Project Zero releasing unpatched information of Windows OS. Of course you can read what the vulnerability is and a proof of concept in the Project Zero

Considering how much everyone and every business relies on Windows for everything, this seems very unwise of Google to be doing.

So much for the “Do no evil” policy…

It’s pretty reasonable that bad guys have figured out a vulnerability on their own after 90 days, depending on how hard it is to find. And if Microsoft doesn’t fix it within 3 months, it’s their own fault. Without the threat of actually exposing the vulnerability, there are no guarantees that Microsoft, or any respective vendor, will actually fix it. So without Google actually going through with their threat, the whole concept doesn’t work. If it’s a vulnerability that is not reasonably fixable within 3 months (seems unlikely) they could always reach out to Google and explain the situation. Doesn’t seem like they did that though.
