Pressure mounts for a swifter response to vulnerabilities

An end may be in sight to vendors dragging their feet when it comes to releasing patches. After Google announced that it will in future give software vendors just 60 days to patch security vulnerabilities before public disclosure, the Zero Day Initiative (ZDI), part of Hewlett-Packard / TippingPoint, has announced that, with immediate effect, it will limit the period for developing security updates to six months. However, the ZDI says that it will grant extensions to this deadline in special cases.

Previously ZDI did not implement a time limit, instead allowing vendors to take as long as they wanted to develop a patch following notification of a vulnerability and only releasing information once a patch had been distributed. The result of this policy is in an eye-watering list of outstanding patches from major vendors such as Apple, IBM, Microsoft and Symantec. IBM, for example, appears not to have lifted a finger to fix a critical vulnerability reported three years ago. Ironically, Hewlett-Packard also makes multiple appearances on the list.

ZDI justifies its new measures by saying that longer delays place users at unnecessary risk. The argument that criminals are first made aware of vulnerabilities through their disclosure is, according to ZDI, no longer tenable. ZDI cites an increasing degree of overlap between vulnerabilities reported to it by independent security specialists. The conclusion must be that exploit programmers may also have information on many such vulnerabilities.

Tavis Ormandy of Google's security team recently presented a similar argument after coming under fire for disclosing the Windows Help Center vulnerability. Ormandy released information on the vulnerability after Microsoft declined to commit to fixing the vulnerability within 60 days. Once the cat was out of the bag, Microsoft managed to produce a patch after just 34 days.

Earlier this year Metasploit developer HD. Moore noted that, "Software vendors never provide a fix for a researcher-discovered vulnerability within the time span they initially propose. It doesn't matter whether it's 30, 60, 90 or 120 days, they never meet their own deadlines." However when an exploit turns up on a forum, noted Moore, a fix is ready within ten days.

US-CERT, which issues alerts for government agencies, is even stricter than ZDI and Google. It releases bug reports after just 45 days, regardless of whether or not a patch is available. Mitigating circumstance leading to an extension to this deadline are considered only in exceptional cases. Security services providers VUPEN and Immunity take another approach – they do not notify vendors at all.

(crve)