Google Inc. has given fellow tech companies an ultimatum: patch your software vulnerabilities within 90 days or we’ll make them public.
An elite team of Google hackers and programmers scrub their own and competitors’ software for security flaws, giving companies a deadline to issue a fix. Google says it wants software makers to move fast because cybercriminals act with lightning speed when they spot bugs.
It’s a sensitive topic -- rivals Microsoft Corp. and Apple Inc. declined to talk about the tactic -- though others in the industry say the help isn’t always welcome, usurps a role best left to government and can jeopardize security.
“I’m not sure who made Google the official referee of the marketplace for vulnerability notification,” said John Dickson, a principal with software security company Denim Group Ltd. in San Antonio. He said pressuring companies to fix flaws is a good idea, but “what noble motives they had in mind could be called into question given the fact that they essentially outed vulnerabilities for two of their biggest rivals.”
Google established the team in July, calling it Project Zero after the much-feared “zero day” security flaws that are exploited before developers learn of them. It says it is trying to help everyone as well as protect its own products that run on others’ devices and software.
That’s an activity some security experts say is more appropriate for a government agency. The respective roles of the private and public sectors is on the agenda at a cybersecurity summit Friday in Palo Alto, California, where President Barack Obama will call on technology leaders to improve cooperation and share more information.
Some researchers are wondering aloud, however, how much cooperation can be expected if the biggest Internet companies can’t play nice together.
“We support a variety of efforts, including Project Zero and our Security Reward Programs, to find and fix online threats,” Aaron Stein, spokesman for the Mountain View, California-based Google said in an e-mail.
Apple declined to comment while Microsoft would only refer to a previous statement in which it said Google’s tactics felt like a game of “gotcha,” illustrating how divisive the issue is.
“If these companies can’t even get along, that’s just bad for security for the whole ecosystem,” said Jake Kouns, chief information security officer for Risk Based Security Inc. in Richmond, Virginia.
Opponents of Google’s practice say it puts online security at risk by revealing gaps before they can be plugged.
Hackers work fast to exploit problems when they become known. Chinese-backed intruders exploited a Web-security flaw known as Heartbleed last year to attack Community Health Systems Inc. more than a week after the hole was publicized.
In January, Apple pleaded with Google to wait about a week before going public so it could fix three flaws in the Mac OS X operating system, according to a person familiar with the request who wasn’t authorized to speak publicly.
Google knew the fix was coming and had possession of the updated software because it serves as a developer for Apple, the person said. Regardless, Google refused and released details of the flaws.
Microsoft, meanwhile, requested two additional days to fix a flaw in Windows. Google refused and publicized the bug.
“The decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result,” wrote Chris Betz, senior director of Microsoft’s Security Response Center, in a Jan. 11 blog post, which has remained the company’s only public comment on the issue to date. “What’s right for Google is not always right for customers.”
Microsoft asks that researchers privately disclose flaws to software providers, working with them until a fix is made available, Betz said. “Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured,” he wrote.
Google supporters say the hard-line approach may fundamentally alter software industry practices in which companies can take months or years to patch bugs.
According to an analysis by Risk Based Security, Project Zero has identified 39 vulnerabilities in Apple products and 20 in Microsoft products. The team also has found 37 flaws in Adobe Systems Inc. software and 22 in the FreeType software development library for rendering fonts.
Project Zero publicly released details before a fix became available about Apple flaws 16 times, Microsoft three times and Adobe once, Kouns said in a phone interview.
Google’s “strict policy is good for the industry,” and the company should be praised because they “stuck to their guns,” said Tom Gorup, a manager with Rook Security Inc. based in Indianapolis.
“A regular Joe on the street doesn’t have the clout that Google does,” Gorup said in a phone interview. “If we have huge companies like Microsoft, Apple and Google going at each other and pushing for better security, it’s a win across the board.”
Google created Project Zero after revelations about the Heartbleed bug and spying by the U.S. National Security Agency and other governments.
“You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” according to a July 15 blog post announcing Project Zero. “Our objective is to significantly reduce the number of people harmed by targeted attacks.”
Google also is helping to spur the market for managing and patching software vulnerabilities, which is expected to grow to $1 billion in value by 2018 from about $600 million in 2014, said Christopher Kissel, a network security industry analyst with research company Frost & Sullivan Inc.
Companies that provide vulnerability management services like Hewlett-Packard Co., Tenable Network Security Inc. and Qualys Inc. stand to gain from the increased spending, Kissel said in a phone interview.
The number of Internet flaws being found surged to 7,903 in 2014 from 5,174 in 2013, he said. It took companies 205 days on average in 2014 to learn that hackers had infiltrated their networks, according to cybersecurity company FireEye Inc.
“While a few adversaries use zero-day exploits to target victims, many adversaries still target known vulnerabilities for which patches have been released, capitalizing on slow patch processes and risk decisions by network owners not to patch certain vulnerabilities or systems,” the FBI said in an alert at the end of January obtained by Bloomberg News.
A 90-day deadline might not be practical for large companies that have to search through thousands lines of code and make sure patches don’t negatively affect other software, said Craig Young, a senior security researcher with Tripwire Inc. based in Portland, Oregon, in a phone interview.
Other times, however, a company may be negligent. “We’ve had a lot of experiences where vendors will seemingly not care about something unless it’s in the headlines or unless there’s something out there that people see as an immediate threat,” Young said.
Young reported a bug to Apple in October 2012 that could let hackers attack a file server in OS X. Although the flaw wasn’t critical, Apple didn’t issue a final patch until Jan. 27 of this year, Young said.
The flaws exposed by Project Zero without fixes so far haven’t been very serious, Young said. He said he would have more concerns if Google published details about a critical vulnerability that put users at a high risk.
“Microsoft is using this opportunity to kick some sand up in Google’s face and attack their mantra of ‘Do no evil’,” said Gorup with Rook Security. “If it was a government entity, Microsoft wouldn’t be able to make the case.”