Communities are helpful to a wide range of people and for a wide range of problems. Communities such as StackOverflow, one of the most popular online forums where programmers help fellow coders, share questions and offer solutions, are one such example. Google, however, took a different approach to a similar problem with its ‘Project Zero’, which started as part-time research in early 2014 and is now a well-staffed team that seeks out vulnerabilities in software systems and reports them to vendors.
Microsoft, however, has learned the consequences of a vendor not fixing a vulnerability within the 90-day window set by Project Zero’s policy: Google simply goes ahead and publishes the bug, complete with code that can be used to exploit it.
A researcher on the Project Zero team found a security hole in Windows 8.1 that would allow lower-privileged users to gain administrative access to system functions they would normally have no right to. Though the bug remains unpatched by Microsoft, Project Zero published it several days ago.
Microsoft was, however, quick to point out that an attacker would need valid login credentials in order to log on locally to the targeted machine and access data. While that should limit the damage, it does not mean there is no risk involved: for instance, an unhappy mid-level employee with some programming skills could cause serious harm to the system.
Google also made it clear that the company reported the bug to Microsoft on 30 September 2014, along with a statement of the 90-day disclosure deadline. Still, some observers have questioned whether Project Zero is a savior or perhaps a necessary evil.
Others argued that 90 days was plenty of time for Microsoft to fix the bug, and Google was also firm about its policy: Project Zero’s disclosure deadline allows software manufacturers a fair and reasonable amount of time to exercise their vulnerability management process, while also respecting users’ right to learn about and understand the risks they face.
Microsoft, meanwhile, said it is currently working on a security update that will be released to address the ‘Elevation of Privilege issue’.
The disclosure deadline policy exercised by Project Zero has been in place since its inception in early 2014, and is the result of years of careful consideration and industry-wide discussion about vulnerability remediation. Since the introduction of “Responsible Disclosure” in 2001, similar disclosure principles have been used by security researchers, and Google believes that these principles need to evolve over time: as threats change, so should disclosure policies.