OK, that subject, while true, was really just to catch your attention.
Here is the rest of the story (and sorry, this is a bit of a rant).
Google has a team that researches security vulnerabilities in all kinds of software. The team, founded in 2014, is called Project Zero. While I am sure it finds bugs in Google’s own software (it does!), it seems to find bugs in competitors’ software frequently. That usually includes Microsoft and Adobe, among others.
Google has a database of the vulnerabilities that it finds and it has a very strict protocol for disclosing these vulnerabilities.
Part of what Google wants to have happen is for the industry to fix vulnerabilities quickly. To be honest, the industry as a whole has a horrible track record for fixing bugs quickly.
Part of the “battle,” if you will, is that companies like Microsoft have software that they have to create, test on hundreds of different configurations, package and distribute, and that users then have to download, test and install – think Windows, Office, Adobe Flash and others. Google, on the other hand, is almost exclusively web based.
Web based offerings are inherently easier to patch. Google controls every single server that their software runs on. They know what the hardware looks like and if the software does not work on a particular brand or model of hardware they don’t use it. In fact, Google BUILDS their own servers. Companies like Microsoft can only dream about that.
Microsoft USED to release patches at random. It drove system administrators crazy. As a result, they now only release patches once a month and it usually takes them two or three months to get a fix through that release cycle.
Needless to say – and this is part of Google’s point – the hackers don’t have to follow that model. As a result, the hackers win most of the time.
So what are Google and Microsoft battling about this week?
Google disclosed a flaw that it found October 21st (that is about 10 days ago) in Windows. On that same day, Google also found a bug in Adobe Flash. Adobe has fixed their bug. Microsoft has not.
Google would normally give Microsoft at least 60 days to fix the bug (and sometimes adds extensions) before announcing the bug to the world, but in this case, Google says, the bug is ACTIVELY being exploited in the wild. So Google had two choices – be quiet for three months while people’s systems were being attacked and allow Microsoft to work through its process or, alternatively, warn people and let Microsoft be a tad bit displeased with them.
The bug is a privilege escalation vulnerability that allows a hacker to escape the Windows sandbox and do things that they should not be able to do.
Microsoft COULD have told people that there was a problem and provided them with workarounds or possibly a temporary fix, but they chose not to. They have now said that users should upgrade to Windows 10 and use the Edge browser. That doesn’t help the tens of millions of users of Windows 7 and Windows 8.
Instead, Microsoft said that Google’s disclosure of hackers attacking Microsoft’s customers’ systems in the real world was irresponsible. What would have been responsible, Microsoft says, is to keep people in the dark while attackers compromise their systems. Somehow I have a problem with Microsoft’s reasoning.
Microsoft said that they are the ONLY platform committed to investigating security issues and providing updates as soon as possible. While those of you who read this column know that I am not much of an Adobe Flash fan, I do give them a LOT of credit for sometimes releasing fixes the day after a bug is found when hackers are exploiting it, so I think Microsoft’s claim is a bit self-serving.
The bottom line here is that the industry – and it doesn’t matter whether we are talking Windows, Mac, Linux, Android, iPhone, Web, whatever – needs to be more aggressive at identifying and fixing bugs. Not just the kind of bugs that we usually think of, but also issues like the attack on Dyn last week that took out Twitter and hundreds of other sites.
Attackers don’t care about collateral damage and they don’t care about following the rules. WE as an industry need to get more effective about fixing problems.
At least that is the way that I see it.
Information for this post came from CSO Online.
Google’s Project Zero has its own Wikipedia page, found here.