Last week I did the impossible – I took a week of vacation, without visiting the Internet. So this week I’ve been playing catch-up. There are a number of striking topics from last week – the steady stream of clickjacking worms on Facebook, the Adobe zero-day and the discovery of the Unreal IRCd server backdoor.
However there’s one story that really stands out – Google’s full disclosure of the Microsoft Windows Help and Support Center zero-day vulnerability, which is present in Windows XP and Windows 2003 – CVE 2010-1885. It’s the second zero-day published by a Google employee in the space of two months. That starts to sound like a strategy, doesn’t it? Let’s try to analyze the situation…First of all, the Google employee involved this time states he disclosed the vulnerability of his own accord. That may very well be true, but there are some side notes to this.
In the full disclosure publication the employee thanks quite a number of colleagues at Google. That makes it likely that someone in a manager’s position was aware of this research. Secondly, after the full disclosure of the Java Web Kit vulnerability two months ago, Google must have had renewed internal discussions on the rules and guidelines for fully disclosing vulnerabilities.
Rather a strange situation isn’t it? Google’s official policy has been to responsibly disclose vulnerabilities. Doing it privately rather than in the name of the company? Well, I don’t buy that for a second. At Kaspersky Lab we’re all for responsible disclosure and if I were to privately fully disclose something in a similar fashion I’d surely have to go looking for a new job. Given this, I can only conclude that full disclosure is not discouraged within Google and possibly even encouraged.
So, what might Google’s motives be? Well, the first thing that stands out is that Google did not publish full disclosure on zero-day vulnerabilities up until a couple of months ago.
Given that they employ quite a number of well known vulnerability researchers something must have changed this year. The thing which comes to mind is Aurora.
With Aurora, Google got compromised through a zero-day vulnerability which Microsoft was aware of. One might therefore theorize that Google has developed some sort of zero-tolerance.
When Google finds that the impacted vendor isn’t responding quickly enough they’ll simply publish full details of the vulnerability. So, in Google’s eyes full disclosure is the best thing from a security perspective.
Some may argue that Google’s battle with Microsoft has intensified and publishing vulnerability details could offer a strategic advantage. Well, I’m sure that Google will do everything it can to distance itself from this perception. Putting individual and corporate assets on the line is no joke and no self-respecting company would even toy with the idea simply in order to gain market share.
That brings us back to option number one – Google thinking it’s helping the greater good. Let’s ignite the full disclosure debate again taking Google as an example.
Let’s imagine a situation where the vulnerability through which Google got compromised late last year was publicly disclosed two weeks prior to the attack. What would have been different?
I’d argue that the amount of ‘collateral damage’ would have been much higher, but Google would very likely still have been a victim. By collateral damage I mean the number of Joe Average machines that got owned across the world.
As for corporate victims, any company still running IE6 at the end of 2009 was bound to be running Adobe Reader 7 as well (that’s speaking from our experience with a number of high tech IT companies throughout the US and Europe). Reader 7 became EOL at the end of last year, so if it hadn’t been through IE6 Google would likely have been compromised a different way.
If even one of the most high tech, resourceful IT companies in the world can’t get its act together how can it expect the rest of the world to do so? Again, I’m sure Google means well but it publishing full disclosure information is definitely having a negative effect on the threat landscape. On both occasions there were exploits for the zero-day vulnerabilities days after publication. There’s simply no denying that machines are getting infected that otherwise wouldn’t be infected.
Please, Google, stop this initiative before causing more innocent casualties.