
Google Threatens to Air Microsoft and Apple's Dirty Code

GeneralTheoryOfBadassery

Google to Rivals: Fix Flaws or We Make Them Public

Google Inc. has given fellow tech companies an ultimatum: patch your software vulnerabilities within 90 days or we’ll make them public.

An elite team of Google hackers and programmers scrub their own and competitors’ software for security flaws, giving companies a deadline to issue a fix. Google says it wants software makers to move fast because cybercriminals act with lightning speed when they spot bugs.

It’s a sensitive topic -- rivals Microsoft Corp. and Apple Inc. declined to talk about the tactic -- though others in the industry say the help isn’t always welcome, usurps a role best left to government and can jeopardize security.

“I’m not sure who made Google the official referee of the marketplace for vulnerability notification,” said John Dickson, a principal with software security company Denim Group Ltd. in San Antonio. He said pressuring companies to fix flaws is a good idea, but “what noble motives they had in mind could be called into question given the fact that they essentially outed vulnerabilities for two of their biggest rivals.”

Google established the team in July, calling it Project Zero after the much-feared “zero day” security flaws that are exploited before developers learn of them. It says it is trying to help everyone as well as protect its own products that run on others’ devices and software.

That’s an activity some security experts say is more appropriate for a government agency. The respective roles of the private and public sectors are on the agenda at a cybersecurity summit Friday in Palo Alto, California, where President Barack Obama will call on technology leaders to improve cooperation and share more information.

Divisive Issue

Some researchers are wondering aloud, however, how much cooperation can be expected if the biggest Internet companies can’t play nice together.

“We support a variety of efforts, including Project Zero and our Security Reward Programs, to find and fix online threats,” Aaron Stein, spokesman for the Mountain View, California-based Google said in an e-mail.

Apple declined to comment while Microsoft would only refer to a previous statement in which it said Google’s tactics felt like a game of “gotcha,” illustrating how divisive the issue is.

“If these companies can’t even get along, that’s just bad for security for the whole ecosystem,” said Jake Kouns, chief information security officer for Risk Based Security Inc. in Richmond, Virginia.

Heartbleed Flaw

Opponents of Google’s practice say it puts online security at risk by revealing gaps before they can be plugged.

Hackers work fast to exploit problems when they become known. Chinese-backed intruders exploited a Web-security flaw known as Heartbleed last year to attack Community Health Systems Inc. more than a week after the hole was publicized.

In January, Apple pleaded with Google to wait about a week before going public so it could fix three flaws in the Mac OS X operating system, according to a person familiar with the request who wasn’t authorized to speak publicly.

Google knew the fix was coming and had possession of the updated software because it serves as a developer for Apple, the person said. Regardless, Google refused and released details of the flaws.

Microsoft, meanwhile, requested two additional days to fix a flaw in Windows. Google refused and publicized the bug.

Everyone Injured

“The decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result,” wrote Chris Betz, senior director of Microsoft’s Security Response Center, in a Jan. 11 blog post, which has remained the company’s only public comment on the issue to date. “What’s right for Google is not always right for customers.”

Microsoft asks that researchers privately disclose flaws to software providers, working with them until a fix is made available, Betz said. “Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured,” he wrote.

Google supporters say the hard-line approach may fundamentally alter software industry practices in which companies can take months or years to patch bugs.

According to an analysis by Risk Based Security, Project Zero has identified 39 vulnerabilities in Apple products and 20 in Microsoft products. The team also has found 37 flaws in Adobe Systems Inc. software and 22 in the FreeType software development library for rendering fonts.

Strict Policy

Project Zero publicly released details before a fix became available about Apple flaws 16 times, Microsoft three times and Adobe once, Kouns said in a phone interview.

Google’s “strict policy is good for the industry,” and the company should be praised because they “stuck to their guns,” said Tom Gorup, a manager with Rook Security Inc. based in Indianapolis.

“A regular Joe on the street doesn’t have the clout that Google does,” Gorup said in a phone interview. “If we have huge companies like Microsoft, Apple and Google going at each other and pushing for better security, it’s a win across the board.”

Google created Project Zero after revelations about the Heartbleed bug and spying by the U.S. National Security Agency and other governments.

“You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” according to a July 15 blog post announcing Project Zero. “Our objective is to significantly reduce the number of people harmed by targeted attacks.”

Patching Market

Google also is helping to spur the market for managing and patching software vulnerabilities, which is expected to grow to $1 billion in value by 2018 from about $600 million in 2014, said Christopher Kissel, a network security industry analyst with research company Frost & Sullivan Inc.

Companies that provide vulnerability management services like Hewlett-Packard Co., Tenable Network Security Inc. and Qualys Inc. stand to gain from the increased spending, Kissel said in a phone interview.

The number of Internet flaws being found surged to 7,903 in 2014 from 5,174 in 2013, he said. It took companies 205 days on average in 2014 to learn that hackers had infiltrated their networks, according to cybersecurity company FireEye Inc.

FBI Alert

“While a few adversaries use zero-day exploits to target victims, many adversaries still target known vulnerabilities for which patches have been released, capitalizing on slow patch processes and risk decisions by network owners not to patch certain vulnerabilities or systems,” the FBI said in an alert at the end of January obtained by Bloomberg News.

A 90-day deadline might not be practical for large companies that have to search through thousands of lines of code and make sure patches don’t negatively affect other software, said Craig Young, a senior security researcher with Tripwire Inc. based in Portland, Oregon, in a phone interview.

Other times, however, a company may be negligent. “We’ve had a lot of experiences where vendors will seemingly not care about something unless it’s in the headlines or unless there’s something out there that people see as an immediate threat,” Young said.

Young reported a bug to Apple in October 2012 that could let hackers attack a file server in OS X. Although the flaw wasn’t critical, Apple didn’t issue a final patch until Jan. 27 of this year, Young said.

The flaws exposed by Project Zero without fixes so far haven’t been very serious, Young said. He said he would have more concerns if Google published details about a critical vulnerability that put users at a high risk.

“Microsoft is using this opportunity to kick some sand up in Google’s face and attack their mantra of ‘Do no evil’,” said Gorup with Rook Security. “If it was a government entity, Microsoft wouldn’t be able to make the case.”

To contact the reporters on this story: Chris Strohm in Washington at cstrohm1@bloomberg.net; Jordan Robertson in Washington at jrobertson40@bloomberg.net

To contact the editors responsible for this story: Jon Morgan at jmorgan97@bloomberg.net; Pui-Wing Tam in San Francisco at ptam13@bloomberg.net; Elizabeth Wasserman; Steve Geimann

Ad hominem.
Now you're just being silly. 90 days seems pretty reasonable. If you don't understand why it's not 0 days then the entire concept of the program has gone right over your head.
But Google IS a third party.

By the way, you can find a ton of security issues related to Google product on their security research repository. They obey their own rules very well by the looks of it.
By the way, Google has now implemented a 14 days grace period. If the vendor contacts Google and says that the patch is ready then Google will give them an extra 14 days to roll it out before disclosing it. I think that should have been in the program from the start, because it really was a dick move to disclose that first Windows vulnerability just a few days before the patch was being rolled out.

Source: http://www.bloomberg.com/news/articles/2015-02-11/google-riles-silicon-valley-by-exposing-others-security-flaws

Google are just low-blowing everyone. While this is great, I'm a little worried if they exploit that ability.


Well, it's good that Google tries to hurry up the lazy coders or negligent directors that won't just fix their products to make them safer for their consumers, but it might go really bad for the consumer if Google actually reveals some risky vulnerabilities and they still take their time to patch them up.


Yeah, they won't do it. Microsoft and Apple have more power. They have wealthy investors who could sell all their Google shares.


Nice article, adding some spacing between the paragraphs will make it much more pleasurable to read.

I'm editing it right now :)

I always just copy-paste stuff and post it ...

And edit it later.

Thanks!

Edit: Done!


This is old, isn't it? This has been around for a bit now. Google has shown vulnerabilities in Windows and MS patched it a couple of days later on Patch Tuesday. MS even asked for a couple of days extra.


> Yeah, they won't do it. Microsoft and Apple have more power. They have wealthy investors who could sell all their Google shares.

You're an idiot if you think that has anything to do with this.


> This is old, isn't it? This has been around for a bit now. Google has shown vulnerabilities in Windows and MS patched it a couple of days later on Patch Tuesday. MS even asked for a couple of days extra.

I have no idea .. This was posted on Bloomberg 3 days ago :blink:


Google right now:

[image: trollface-100381078-orig.jpg]

> Yeah, they won't do it. Microsoft and Apple have more power. They have wealthy investors who could sell all their Google shares.

They have already done it three times.
I think this is a good move. A lot of big companies are way too lazy when it comes to security. Google seems a bit too strict with the 90 day deadline though since both Apple and Microsoft had the patches ready when Google published the issues. Then again, if they aren't very strict we might end up with "just give us 1 more month and we'll fix it" situations. I mean look at Apple. Microsoft failed to meet the 90 day deadline 3 times but Apple, who are generally really sloppy with security updates, missed it 16 times. Apple won't get better unless they get punished for being negligent and that's exactly what Google is doing.
Now if only Google could increase their security patch efforts as well...


Dick move, Google.

If you have the patch in your hands, you should delay until it is launched. If it isn't launched the day it's supposed to, then release it.

Dick move.


The way I see this, Google is doing everyone a favor.

They find the vulnerability and inform (only) the software developer (in this case Microsoft and Apple) and give them 90 days (3 months) to fix it.

 

Reporting a vulnerability is all good and no harm. That's exactly what Google is doing.
However once the software developer knows of it, the onus is on them to patch it.
Not doing anything within 90 days is proof of negligence, and they deserve all the bashing they get when the vulnerability is revealed to the public.
With Google around, MS and Apple can't just sweep everything under the rug and pretend their software is flawless. Oh no they don't.
Except in two of the cases documented in the OP, deployment of the fix was imminent (within 2-3 days) and they made the bug public anyway. Which means it is nothing to do with "making the world safer" and more about "look how bad Microsoft and Apple are at fixing bugs in their operating systems, you should install Android or ChromeOS instead of the competition".
Bug fixing in an operating system can open up ten holes for every one it closes. 90 days is not a long time to R&D, develop, QA, fix goes back to development because it broke five other things which now need fixing too, this all goes back to QA. It sounds like a long time but it really isn't, especially in something as critical and complex as an operating system.


Google isn't such a bad company mainly, but this is just a dick move. It's even funny that they are apparently allowed to do this, since it basically constitutes computer fraud, which carries jail time.


Now if Google only adhered to this principle themselves? They do not even bother maintaining older versions of Android, ignoring the quite large number of people still using those. Once Apple and MS establish these "services" as well, it's going to be uncomfortable for Google.


And when it is Google's turn: "Oh, it's 2-year-old Android... it's not OUR problem that it affected the majority of Android users by significant margins... it's the manufacturers' fault! Yeah, that is right! The manufacturers' fault. They should be fixing Android security bugs, not us, the creators and main developers... Look at us, we are poor, have no resources, we can't do this alone! Poo hoo..."

Fix your own issues first, Google, then you can bully the rest.


Yeah, Google, you're big. You're not "win a lawsuit vs Microsoft and/or Apple" big though, so stfu with the big man talk.

Besides, QFT:

> And when it is Google's turn: "Oh, it's 2-year-old Android... it's not OUR problem that it affected the majority of Android users by significant margins... it's the manufacturers' fault! Yeah, that is right! The manufacturers' fault. They should be fixing Android security bugs, not us, the creators and main developers... Look at us, we are poor, have no resources, we can't do this alone! Poo hoo..."
>
> Fix your own issues first, Google, then you can bully the rest.


Finding security bugs is definitely a worthwhile pursuit. However, Google fails in several ways:

1. As others have mentioned, publishing info about the bugs when a security fix is imminent. This is only beneficial for hackers. The 90-day policy needs to be flexible. It needs to be decided on a case-by-case basis.

2. The time frame, 90 days, is ridiculously arbitrary. Why 90 days? Why not 80? 100? 120? 45? Picking some random "seemingly good-sounding" number out of your ass, and then publishing security flaws because of it? Seems ridiculous if you think about it. Not all bugs/vulnerabilities are made equal. Some only take days to fix. Some weeks. Some months. Some WILL take longer than 90 days to properly fix. An OS is the most complex piece of software consumers use, after all.

3. Google seems pretty biased in this. Apple and Microsoft are competitors. It's in Google's best interest to make them look bad.

4. How many "Google" bugs has Project Zero discovered? I don't see this information published anywhere. Does anyone here know?

5. Android is a buggy piece of shit, especially the older versions. There are so many vulnerabilities in the older versions of Android, like KitKat and Jelly Bean. Google just washes their hands of it, because those vulnerabilities have been fixed in "newer versions" and it's the manufacturers' responsibility. This would be like Microsoft finding a Windows 7 bug and saying "Hey guys, no worries! It's fixed in Windows 8!" We would be fucking furious at Microsoft for doing something like that. It's one thing to not patch really old (5+ year old) versions of Android, but Jelly Bean is only 3 years old, for example.

I see the need for a system like this to exist, but I also see that Google is taking unfair advantage of it. A third-party, independent organization would be better suited to this. One that is perhaps funded by all major software companies equally, but has no ties to any of them. Or funded by a government or the UN, perhaps?


> And when it is Google's turn: "Oh, it's 2-year-old Android... it's not OUR problem that it affected the majority of Android users by significant margins... it's the manufacturers' fault! Yeah, that is right! The manufacturers' fault. They should be fixing Android security bugs, not us, the creators and main developers... Look at us, we are poor, have no resources, we can't do this alone! Poo hoo..."
>
> Fix your own issues first, Google, then you can bully the rest.

Google likes throwing sand in companies' faces yet can't handle admitting to their own screwups. Just goes to show you can't really trust anyone in the corporate game; they're all in it for the benefit of themselves, not others.

Why not just 0 days, Google? Why 90? Some bugs take longer to fix, some shorter; your timetable is so fucking arbitrary, what difference does it make?


> Google likes throwing sand in companies' faces yet can't handle admitting to their own screwups. Just goes to show you can't really trust anyone in the corporate game; they're all in it for the benefit of themselves, not others.
>
> Why not just 0 days, Google? Why 90? Some bugs take longer to fix, some shorter; your timetable is so fucking arbitrary, what difference does it make?

Yeah, the arbitrary nature of 90 days is what pisses me off the most about this. Any programmer will tell you that 90 days is arbitrary and meaningless.

It just sounds "good" to consumers, because they don't know any better. Average Joe: "Oh, 90 days?!?! That's tons of time!!!!"


> Finding security bugs is definitely a worthwhile pursuit. However, Google fails in several ways:
>
> 1. As others have mentioned, publishing info about the bugs when a security fix is imminent. This is only beneficial for hackers. The 90-day policy needs to be flexible. It needs to be decided on a case-by-case basis.
>
> 2. The time frame, 90 days, is ridiculously arbitrary. Why 90 days? Why not 80? 100? 120? 45? Picking some random "seemingly good-sounding" number out of your ass, and then publishing security flaws because of it? Seems ridiculous if you think about it. Not all bugs/vulnerabilities are made equal. Some only take days to fix. Some weeks. Some months. Some WILL take longer than 90 days to properly fix. An OS is the most complex piece of software consumers use, after all.
>
> 3. Google seems pretty biased in this. Apple and Microsoft are competitors. It's in Google's best interest to make them look bad.
>
> 4. How many "Google" bugs has Project Zero discovered? I don't see this information published anywhere. Does anyone here know?
>
> 5. Android is a buggy piece of shit, especially the older versions. There are so many vulnerabilities in the older versions of Android, like KitKat and Jelly Bean. Google just washes their hands of it, because those vulnerabilities have been fixed in "newer versions" and it's the manufacturers' responsibility. This would be like Microsoft finding a Windows 7 bug and saying "Hey guys, no worries! It's fixed in Windows 8!" We would be fucking furious at Microsoft for doing something like that. It's one thing to not patch really old (5+ year old) versions of Android, but Jelly Bean is only 3 years old, for example.
>
> I see the need for a system like this to exist, but I also see that Google is taking unfair advantage of it. A third-party, independent organization would be better suited to this. One that is perhaps funded by all major software companies equally, but has no ties to any of them. Or funded by a government or the UN, perhaps?

OP, you need to mark this as resolved; you, sir, might just drop the mic and walk out.


> Yeah, they won't do it. Microsoft and Apple have more power. They have wealthy investors who could sell all their Google shares.

Will Microsoft and Apple have the same power when various dangerous bugs are abused and customers lose all of their data and/or money? Don't think so.
