Google: Security flaws not fixed in a week should be made public

Summary:Google's security engineers approve of researchers publishing details of flaws in the company's products if it does not respond within seven days.

Google is pushing for a new "aggressive" response timeline for security vulnerabilities, where vendors would be given seven days to patch to the flaw, notify the public or disable affected products.

If researchers find a previously unseen critical flaw that is being used in real-world attacks, they will have Google's blessing to publish details about it seven days after alerting the affected vendor.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," Google security engineers Chris Evans and Drew Hintz wrote.

Google announced its new recommended "aggressive timeline" on Wednesday, which would slash its current recommended disclosure timeline of 60 days.

The move comes shortly after Google security researcher Tavis Ormandy published details for a zero-day Windows kernel flaw on Full Disclosure that could allow an attacker to gain escalated privileges on a target machine.

At the time Microsoft acknowledged reports of the flaw, but told Computerworld that it had not detected any attacks on its customers using the flaw. There is no patch or workaround for the vulnerability, and Danish security company Secunia has issued a basic advisory for the bug, which is said to affected fully patched Windows 7 x86 Professional, Windows 8, and possibly other versions of the OS.

Google does not say that its new recommendation is in response to that particular flaw, and Evans and Hintz note that its team "recently discovered that attackers are actively targeting a previously unknown and unpatched vulnerability in software belonging to another company".

While a seven-day response deadline may be difficult for some vendors to meet, the Google engineers argue it is a necessary move to respond to the threat of targeted attacks. 

"Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world," Google's security team said. 

"Based on our experience, however, we believe that more urgent action — within seven days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised."

Topics: Google, Microsoft, Security

About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.