Some situations in life call for a zero-tolerance policy. Drunk driving, sexual harassment and murder come to mind. But do security vulnerabilities pass the test?
Google seems to think so. Google’s Project Zero team publicly disclosed a zero-day vulnerability in Microsoft Windows 8.1 on December 29th after giving the software giant 90 days to patch the flaw.
Before I go any further, if you are a Windows 8.1 user, don’t panic (Thanks Doug)!
The flaw is an elevation of privilege (EoP) bug in NtApphelpCacheControl, a function used for caching application compatibility information.
For example, it can be used to bypass User Account Control (UAC), allowing a malicious application to promote itself to administrator even if it started off with the privilege of a regular user.
Fortunately, this means an attacker already has to be running code on your machine for this vulnerability to be of any use. There are also mitigations that can be employed to reduce the risk from this flaw.
People testing the vulnerability are saying that using UAC at its maximum setting prevents the attack, at least as demonstrated by Google, from working without a warning being presented.
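Since the reported mitigation is running UAC at its maximum level, here is an added PowerShell check (my own example, not code from the post or from Project Zero) that reads the standard UAC policy values from the registry and reports which notification level a machine is at. The mapping of registry values to slider positions is the documented one; values that do not match a slider position are reported as custom.

```powershell
# Added example: report the effective UAC notification level on this machine.
# "Always notify" (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1) is the
# maximum setting that testers reported blocks the demonstrated PoC without a prompt.
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $key

    # Missing values cast to 0 via [int], which is treated as the least secure option.
    $enableLua   = [int]$uac.EnableLUA                  # 1 = UAC enabled
    $adminPrompt = [int]$uac.ConsentPromptBehaviorAdmin # 2 = consent for everything, 5 = non-Windows only
    $secureDesk  = [int]$uac.PromptOnSecureDesktop      # 1 = prompt on the secure desktop

    switch ($true) {
        ($enableLua -ne 1)                            { $level = 'UAC disabled';                       break }
        ($adminPrompt -eq 2 -and $secureDesk -eq 1)   { $level = 'Always notify (maximum)';            break }
        ($adminPrompt -eq 5 -and $secureDesk -eq 1)   { $level = 'Default (notify for apps only)';     break }
        ($adminPrompt -eq 5 -and $secureDesk -eq 0)   { $level = 'Notify for apps, no secure desktop'; break }
        ($adminPrompt -eq 0)                          { $level = 'Never notify';                       break }
        default { $level = "Custom (ConsentPromptBehaviorAdmin=$adminPrompt, PromptOnSecureDesktop=$secureDesk)" }
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesk
        Level                      = $level
        AtMaximum                  = ($level -eq 'Always notify (maximum)')
    }
}

Get-UacLevel
```

Run it as an administrator if Group Policy restricts reading the key; the `AtMaximum` field is what you would check across a fleet when deciding whether this mitigation is in place.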
The controversy isn’t so much about the severity of this vulnerability, but rather Google’s policy regarding disclosure of exploits.
The Project Zero team gives software developers 90 days to fix vulnerabilities before automatic full disclosure occurs. In this case Microsoft was notified on September 30th, leading to the disclosure on December 29th, 2014.
Is 90 days enough? Hard to say. Google says it picked 90 days as a sort of happy medium: short enough to put pressure on vendors to fix flaws, but long enough that most issues should be resolvable within that timeframe.
In this case, 90 days clearly wasn’t enough for Microsoft to feel confident in shipping a well-tested update. Redmond has had a bit of a rough time with the QA of its security updates of late.
Without getting into the full disclosure debate, there is one thing about this particular disclosure that doesn’t lend credibility to Google’s arguments that Project Zero is doing a public service and abiding by its famous “Don’t be evil” policy.
The public disclosure included proof-of-concept (PoC) code that allows anyone with interest the immediate ability to exploit the vulnerability.
In my book, that’s not compatible with behaviour that is allegedly in the public interest.
Hopefully, Microsoft will give us a New Year’s gift of a fix next Patch Tuesday, which will be on January 13th, 2015.
Creative Commons “Don’t be evil” image courtesy of Tangi Bertin’s Flickr photostream.