Zero-day exploits are no fun, by the very name given to them – glaring holes in software you have zero days to fix. Some groups look to find them to jailbreak an iPhone, root Android or just steal all your personal data. Whole businesses exist around them, finding and reporting them for a bounty then moving on to find another one. However this increased level of bugs reported by Google is no chance accordance.
Google have already uncovered major floors in security in Microsoft systems, unfortunately they have in turn been receiving major criticism for revealing information days away from being patched. This practice of reporting a vulnerability and then making the information about it public should the hole not be patched is standard practice. What isn’t standard is the 90 days that Google give companies, the acceptable standard is around 30 days.
Despite highlighting their policy as “middle-of-the-road deadline timetable” and others being anywhere between 30 – 120 days. Google has now allowed an extra 14 days providing that they receive contact confirming a fix is coming. They will also be allowing extra days should the deadline appear on a weekend or a holiday – so you can still enjoy your day off, and patch the hole later.
After the backlash Google must be wondering why they bother with such a large push in finding and fixing these holes. Back in June 2014, Google went on a security rampage aiming to fix holes and breaches in software that exist all over the net. Terming the team tasked with finding and reporting any bug they found ‘Project Zero.’
Sounding something out of a futuristic first person shooter, Project Zero contained skilled security engineers, Google veterans and one individual more famous for Zero day exploits than anyone – GeoHot. Finding and fixing holes he was once more used to using to his advantage and manipulating an operating system.
Zero-days are not only used by criminals to gain sensitive data, they are also used by security agencies to track and monitor individuals and business. Following leaks by Snowden Google engineers have been extremely outspoken at attempts to use vulnerabilities to spy on end users. Once an exploit had been accessed, a server could be completely taken over by an attacker. With the ability to monitor any data – delete, copy or transfer the information at will.
As such these bugs should be fixed as soon as possible, 90 days is more than reasonable. We can speculate over Project Zero really aiming to secure the internet, or being nothing more than marketing one-upmanship. However questions should be asked about information being made public after 90 days, when they are due to be patched after 91.
The recent bugs found by Google in Microsoft servers were released to the public after reportedly being a day away from being fixed. These are however just exploits we have heard about. If the hole is patched within the 90 days then no information about the bug is ever revealed. So Google and others could well be helping to secure exploits that would otherwise leave us exposed. The shocking truth is that whilst online activity and security breaches increase, the expenditure on security is going down.