The tech news has been abuzz recently about a Windows security vulnerability that has been published by Google’s Project Zero. The interesting thing here is that the details of the flaw are relatively unimportant. What is important is the way in which the vulnerability was published.
One of the key concepts behind Project Zero is that when a vulnerability is found and reported to the vendor, the vendor has a 90 day window in which to release a patch. The details of the vulnerability are kept secret until either a patch is released, or the 90 day window has elapsed.
The controversy here is that the is that with this particular vulnerability, the 90 day window ran out before Microsoft had come up with a fix. This means that the details of a zero-day vulnerability have been made available to all and sundry, including a proof of concept exploit. This is obviously Not A Good Thing™.
Reading the comments on the vulnerability disclosure page, it’s clear that there are two opposing viewpoints on the disclosure itself. One side agrees with the disclosure, saying that 90 days is more than long enough and that Microsoft deserve to be punished for dragging their heels. The other side disagrees with the disclosure, saying that it was irresponsible to publish the full details before Microsoft had an opportunity to release a patch.
I’m a little divided on where I stand on this issue. On one hand, I agree with the whole 90 day thing. There’s no guarantee that Google’s researchers were the only ones to know about the vulnerability, and there’s every chance that it has already been exploited in the wild. The ticking clock puts some level of urgency on the vendor to find a fix. On the other hand, Microsoft typically only release patches once a month (“Patch Tuesday”, the second Tuesday of the month). It’s possible that Microsoft have been working on a patch, making sure that it fixes the problem correctly without causing any negative side-effects, and were planning to release it next week. Only people inside Microsoft know for sure.
One good side-effect of this is that it has a whole raft of people talking about what constitutes responsible disclosure. This is a tricky subject at the best of times, as everyone has a different opinion. There’s a very fine line between disclosing too early and leaving people vulnerable, or waiting too long and having malicious actors find the flaw on their own. No matter what you do, there’s a good chance that somebody will disagree with your timing.