To Disclose or Not to Disclose, That is The Security Researcher Question

Microsoft and Google are bashing each other over the zero-day exploit in Windows 8.1 that was disclosed by Google last week following a 90-day grace period. Disclosing is a broad term when speaking about vulnerabilities and exploits: you can disclose to the public the fact that there is a vulnerability, and then you can disclose how to exploit it with example source code. There is a big difference between just telling the world about the vulnerability and releasing the tool to exploit it, and that difference is the level of risk created by each alternative. In reality, most attacks are based on exploits that have been reported but have not been patched yet. Disclosing the exploit code without a patch that is ready to protect the vulnerable software is, in a way, helping the attackers. Of course, the main intention is to help the security officers who want to know where the vulnerability is and how to patch it temporarily, but we should not forget that public information also falls into the hands of attackers.

Since I have been in Google’s position in the past with the KNOX vulnerability we uncovered at the cybersecurity labs @ Ben-Gurion University, I can understand them. It is not an easy decision, since on one hand you can’t hide such info from the public, while on the other hand you know for sure that the bad guys are just waiting for such “holes” to be exploited. Over time I came to understand a few more realities:

  • Even if a company issues a software patch, the risk is not gone, since the time window from the moment a patch is ready to be applied up to the time it is actually applied on systems can be quite long, and during that time the vulnerability is available for exploitation.
  • Sometimes vulnerabilities uncover serious issues in the design of the software, and solving them may not be a matter of days. Of course, a small temporary fix can be issued, but a proper, well-thought-out patch that takes into account many different versions and interconnected systems can take a much longer time to devise.
  • There is a need for an authority to manage the whole exploit disclosure, patching, and deployment life cycle, one which will devise a well-accepted policy and not just a single-sided policy such as the one Google Zero devised. If the intention eventually is to increase security, then without the collaboration of software vendors it won’t work out.

And I am not into the details but I truly believe Google has acted here out of professionalism and not for other political reasons against Microsoft.