Google Releases Windows 8.1 Exploit Code – After 90 Days Warning to Microsoft
Google Project Zero has debuted with the aim of solving the vulnerabilities problem by identifying zero day vulnerabilities, notifying the company which owns the software and giving them 90 days to solve the problem. After 90 days they publish the exploit. And they just did it to Microsoft.
I remember quite a while ago when we decided at the cyber labs at Ben-Gurion university to adopt such policy following our discovery of a vulnerability in Samsung KNOX. The KNOX vulnerability eventually turned into a Google's Android vulnerability with the help of some political juggling between the two companies. We disclosed the exploit to Google on the 17th of Jan 2014 and we got a notice that a patch was ready on the 27th of Feb so their fast response was good enough to expect others to deliver the same level of service. I would not go into the topic of how long it takes such patch to really by applied on users' devices but at least expecting a patch to be delivered in 90 days is a good start. We eventually did not release the exploit code because we understood it will take some time until users will be protected with the patch and since the vulnerability was quite serious (VPN Bypass) then we decided not to disclose it.
Disclosing the exploit too early is a double edged sword where on one hand you want the good guys to be aware to the problem in depth while on the other hand you give a weapon into the hands of the bad guys and it is well know that published exploits are highly used by attackers relying on the time window between publishing the patch to applying it on system.
Anyway, I think Project Zero is a good step forward for the security industry!