
Google exposes security flaw in Microsoft Edge before a patch is ready

ItsMitch
3 minutes ago, LAwLz said:

So what you're saying is that you think Google are posting things out of order? Why would they do that?

It's not that I think they are posting out of order, but there are 3 other posts that are deleted. For all we know the one about MS not having a date could be an answer to a previous post. It is not qualified in any way, shape or form. It is simply a statement that exists outside of context.

 

3 minutes ago, LAwLz said:

Don't you think it's a far more logical explanation that Microsoft realized the issue was more complex than anticipated and they would not be able to hold their previous estimate?

This by the way shows why good faith doesn't work for security. If what I think is true, because it is the only explanation that doesn't involve believing Google posts things out of order for no reason, then it's a clear example of how developers could misuse relaxed deadline practices to put off making patches. 

 

"Hey boss, the deadline for the vulnerability is coming up next week and we haven't even started working on it."

"Just tell Google we're working hard on it but it's proving more difficult than anticipated. Those suckers will probably believe it and give us another month of time" 

Anything is possible, but why is making assumptions in one direction worse than another?

 

3 minutes ago, LAwLz said:

 

So what you're saying is that you believe Google should set deadlines tailored for each specific exploit they find? 

How do you propose they do that? Remember, they have no way of knowing exactly how difficult something is to patch, nor do they know how much resources the company can nor will dedicate to fixing it. 

Well they know enough about the threat to be able to exploit it. You seem to be worried that a company might be able to pull the wool over the eyes of PZ staff.

 

3 minutes ago, LAwLz said:

The reason they use 90 days is based on well established facts and logic when looking at the software industry as a whole, and they have taken things like release schedules and some exploits being more difficult to patch into consideration (hence why the deadline is over twice as long as the average patch time for open source projects and security minded closed source projects). 

 

where's that written?

 

3 minutes ago, LAwLz said:

How would you suggest they estimate the time needed? Again, good faith does NOT work. 

 

 

 

I don't see why though. Such an organization wouldn't work and what we got today, with each company doing their own thing is far more beneficial to the industry as a whole. 

Why ruin a good situation just because some people who don't understand the industry dislike some company and think they are being dicks when they are actually doing good things?

 

At the end of the day, it doesn't matter if people think Project Zero are just out to harm Microsoft or whatever they believe. What matters is that security holes get found and fixed.

 

Interesting you claim good faith does not work, but you consider it a "good situation" for a company that has a conflict of interest to dictate the times and not an independent consortium.

 

Now I am not saying google did this out of marketing spite, but if you don't seek independent arbitration and


8 hours ago, mr moose said:

An industry consortium.  A member from each of the interested/funding companies sits on the board and they oversee the work.  Pretty much like what they have for USB, DVD etc.

Could be something like that - I'm not entirely sure on the optimal way it could be organized. Perhaps (and I know this will trigger some people) an organization headed by the UN? Or perhaps a hybrid, where government and interested companies could sit on the board.

 

You would want to structure it in such a way so that no one company can dictate direction or influence things too heavily over any other company.

3 hours ago, LAwLz said:

I don't see why though. Such an organization wouldn't work and what we got today, with each company doing their own thing is far more beneficial to the industry as a whole. 

Why ruin a good situation just because some people who don't understand the industry dislike some company and think they are being dicks when they are actually doing good things?

 

At the end of the day, it doesn't matter if people think Project Zero are just out to harm Microsoft or whatever they believe. What matters is that security holes get found and fixed.

Why would such an organization not work? Be specific, please.

 

I'm not telling Google to get rid of their Bounty program. In fact, I highly suggest that both programs co-exist:

Each individual company can operate an in-house bounty program, where people can look for exploits for that specific company. If found, the company can still pay a bounty, as many of them do.

 

The difference is that if you wanted to submit and disclose exploits, etc, instead of going to Google, which gives them a vast amount of power and influence over the industry because of Project Zero, you would submit the exploit to an independent consortium instead.

 

They could even adopt the same basic structure and rules as Project Zero.

 

The difference here is that if, say, Google finds an exploit for Microsoft, but Microsoft can't patch it in time, Microsoft can seek third party independent arbitration to determine whether an extension is valid, and how long said extension would be.

 

There could be strict rules on how long extensions can be, and how many extensions can be granted. And if you violate the terms of the extension, there could be rules around that too.

 

And that's the crux of this. Project Zero in and of itself is not a bad thing. But it being under the control of Google isn't good, because as good as Google is, they have their own internal biases. Every employee of every company does. I'm sure they try their best to not let those biases affect their decision making processes, but I would personally rather this kind of program be taken out of any one company's hands, and put into a more trusted, open and transparent body, with actual industry standardization.

3 hours ago, mr moose said:

Interesting you claim good faith does not work, but you consider it a "good situation" for a company that has a conflict of interest to dictate the times and not an independent consortium.

 

Now I am not saying google did this out of marketing spite, but if you don't seek independent arbitration and

That's kind of my thought process here. Google is no doubt NOT doing this "on purpose", or "out of spite". But that doesn't change the fact that an independent body could do the exact same thing, and perhaps do it better.


21 minutes ago, dalekphalm said:

Why would such an organization not work? Be specific, please.

 

I'm not telling Google to get rid of their Bounty program. In fact, I highly suggest that both programs co-exist:

Each individual company can operate an in-house bounty program, where people can look for exploits for that specific company. If found, the company can still pay a bounty, as many of them do.

Oh OK now it makes more sense.

I thought you suggested replacing the current divisions in favor of a single one.

I was going to say that would not work because of internal conflicts. Which company gets to research issues with what products, and how would disclosures etc. get handled? There would be an astronomical amount of internal conflicts.

 

21 minutes ago, dalekphalm said:

The difference is that if you wanted to submit and disclose exploits, etc, instead of going to Google, which gives them a vast amount of power and influence over the industry because of Project Zero, you would submit the exploit to an independent consortium instead.

 

They could even adopt the same basic structure and rules as Project Zero.

 

The difference here is that if, say, Google finds an exploit for Microsoft, but Microsoft can't patch it in time, Microsoft can seek third party independent arbitration to determine whether an extension is valid, and how long said extension would be.

 

There could be strict rules on how long extensions can be, and how many extensions can be granted. And if you violate the terms of the extension, there could be rules around that too.

You know what, you completely changed my mind on this. I completely agree that it would be a good idea.

 

But there would have to be serious repercussions for failing to meet deadlines after extensions were granted. Something like the GDPR where it's 2-4% of the company's total annual (global) turnover (capped at 20 million euros).

 

The problem with granting extensions right now is that there are no penalties if you miss the deadline, so everyone would always ask for them if they existed, and Google can't force Microsoft to pay anything if they miss it. If an organization like the UN created a framework of laws regarding it then it would make sense to have extension periods, because they would be used very sparingly and only in scenarios where they were certain it would help protect users, rather than just an excuse to be lazy.

 

If Microsoft were willing to put something like 20 million dollars on the line that the bug would be fixed before March 13 then I would not have any issue with giving them that extra time.


3 minutes ago, LAwLz said:

Oh OK now it makes more sense.

I thought you suggested replacing the current divisions in favor of a single one.

I was going to say that would not work because of internal conflicts. Which company gets to research issues with what products, and how would disclosures etc. get handled? There would be an astronomical amount of internal conflicts.

 

You know what, you completely changed my mind on this. I completely agree that it would be a good idea.

 

But there would have to be serious repercussions for failing to meet deadlines after extensions were granted. Something like the GDPR where it's 2-4% of the company's total annual (global) turnover (capped at 20 million euros).

 

The problem with granting extensions right now is that there are no penalties if you miss the deadline, so everyone would always ask for them if they existed, and Google can't force Microsoft to pay anything if they miss it. If an organization like the UN created a framework of laws regarding it then it would make sense to have extension periods, because they would be used very sparingly and only in scenarios where they were certain it would help protect users, rather than just an excuse to be lazy.

 

If Microsoft were willing to put something like 20 million dollars on the line that the bug would be fixed before March 13 then I would not have any issue with giving them that extra time.

I agree - it should be strict. But when Google has control over the entire program, they get to decide when (or when not) to extend an extension. And they have no teeth, since they can't fine Microsoft money for failing to meet a deadline.

 

It would need a LOT of thought and careful planning, but I seriously think this kind of body could make the Internet, and modern software, a better place. They could even get agreements with the EU, NAFTA, UN, whatever, so that their fines are legally binding - or make Membership dependent on agreeing to the fines.

 

Most of the big companies know that fixing exploits is in their best interest - they just sometimes need a kick in the face for them to think straight.


3 hours ago, mr moose said:

Anything is possible, but why is making assumptions in one direction worse than another?

Because we're talking about security. It's in companies' best interest to NOT fix issues and let them stay there for as long as they can, which is exactly what a significant portion of companies do.

Security relies on assuming the worst. You don't drive around in your car assuming that you won't crash right? You put on your seat belt assuming that there can be a crash and in that event you want to be protected.

When you don't have evidence that points in either direction, you have to prepare for the worst.

 

3 hours ago, mr moose said:

Well they know enough about the threat to be able to exploit it. You seem to be worried that a company might be able to pull the wool over the eyes of PZ staff.

Google knows how to exploit it, but they do not have any idea of how it would be fixed, code wise, in Edge since it is closed source. They have no idea what kind of relations are inside the code and how one change might affect other parts.

They have no idea if this requires a single line of code to fix, or reworking the entire browser engine. Only Microsoft knows that.

 

3 hours ago, mr moose said:

where's that written?

I linked to it on the previous page.

Cisco has a team called Talos which conducts security research. In late 2016 they decided to change their disclosure policies. They decided on a 90 day disclosure window and they based that on vendor feedback, average patch time and the risks of too long or too short disclosure times.

Here is a link to their blog post about it.

 

 

4 hours ago, mr moose said:

Interesting you claim good faith does not work, but you consider it a "good situation" for a company that has a conflict of interest to dictate the times and not an independent consortium.

Yes, because the time frames they use are realistic and used by other groups too. It's not some "haha, we will set it too short so that it fucks Microsoft over" conspiracy.


22 minutes ago, dalekphalm said:

I agree - it should be strict. But when Google has control over the entire program, they get to decide when (or when not) to extend an extension. And they have no teeth, since they can't fine Microsoft money for failing to meet a deadline.

 

It would need a LOT of thought and careful planning, but I seriously think this kind of body could make the Internet, and modern software, a better place. They could even get agreements with the EU, NAFTA, UN, whatever, so that their fines are legally binding - or make Membership dependent on agreeing to the fines.

 

Most of the big companies know that fixing exploits is in their best interest - they just sometimes need a kick in the face for them to think straight.

I should probably add that such an organization kind of exists already, but it doesn't have the powers I think would be necessary, such as imposing fines for breaking deadlines.

It's called the Computer Emergency Response Team Coordination Center (CERT/CC). It's a US state funded research and development center focused on software and network security.

 

By the way, their deadline is 45 days. So half that of Google's and Cisco's.

Quote

Vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure.

 


1 minute ago, LAwLz said:

I should probably add that such an organization kind of exists already, but it doesn't have the powers I think would be necessary, such as imposing fines for breaking deadlines.

It's called the Computer Emergency Response Team Coordination Center (CERT/CC). It's a US state funded research and development center focused on software and network security.

 

By the way, their deadline is 45 days. So half that of Google's and Cisco's.

 

Interesting. Should they take the place of Project Zero, they would need executive powers to actually punish companies that abuse the system.

 

Furthermore, being a US government organization means they can exert control over US companies fairly easily (given the proper powers), but I question how much power they would have over non-US companies.

 

Plus a lot of people don't feel very comfortable with the US Government holding another key asset that affects things globally.
