Critical vulnerabilities in software programs being actively exploited by hackers should be made public seven days after a software vendor is made aware of the flaw by whomever discovered it, the company advocated in a blog posted Wednesday by Google security engineers Chris Evans and Drew Hintz.
“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” the pair wrote.
For flaws not being actively exploited by online marauders, Google continues to support giving software vendors 60 days to address a flaw before it is made public by its discoverer.
Actively exploited vulnerabilities, however, are special cases that need special attention, they argue.
“The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” they wrote.
Google’s zeal for quick action may be a harsh solution that could do more harm than good, argued Trusteer Vice President Yishay Yovel.
“What Google is doing isn’t going to accelerate the patching process,” he told PCWorld. “In fact, it will notify the hacker community about yet another opportunity it will have to attack enterprises.”
Pushing patches out in seven days won’t speed up the process of mitigating the vulnerability because organizations will continue to be slow in installing the patches pushed to them. “What we’re seeing in the marketplace is hackers targeting vulnerabilities that are two years old,” Yovel said.
“That’s because organisations often don’t patch,” he added. “They just don’t get to it.”
By custom, security researchers who find vulnerabilities in software are bound not to reveal what they find to the public until a vendor fixes the flaw. Vendors, though, haven’t always fixed problems in a timely manner. That’s left researchers hanging in the dark while users remain vulnerable.
Even after vulnerabilities are made public, software vendors have ignored them. Microsoft, for example, once took seven years to patch a known vulnerability.
However, Microsoft now is very diligent about patching its software. It releases regular software updates on the second Tuesday of the month. That contrasts with a company like Oracle, which has a 120-day patch cycle for Java, although, of late, it has had to break out of that cycle.
Microsoft’s diligence hasn’t been diligent enough for Google, apparently. Two weeks ago, in a fit of miff, Google security researcher Tavis Ormandy ignored Microsoft entirely when he made public a vulnerability in Windows 7 and 8 . He justified the move – called irresponsible by some security researchers – by stating, “I don’t have much free time to work on silly Microsoft code…”