Standard modern living checklist: make sure you drink clean water every day; make sure you have enough to eat; make sure you've updated your Adobe Flash and Microsoft operating system, if you haven't already this week. As security blogger Brian Krebs noted, Microsoft posted eight different security patches for Windows this Tuesday while Adobe put out at least nine patches for vulnerabilities in its Flash Player.
Granted, security patches are pretty much a standard part of any software update; the very phrase “Patch Tuesday” came about because Microsoft usually releases its software updates on Tuesdays. What makes this latest update noteworthy is what's going on in the background: a recent public spat between Microsoft and Google. One of the latest Microsoft updates (all of which are listed at this link) involves fixing a Windows 8.1 vulnerability first announced on Sunday — by security researchers working for Google.
Google's initial announcement was part of Project Zero, a security initiative (and possible publicity stunt) the company launched last summer. In the July 15 blog post announcing Project Zero, Google researcher Chris Evans wrote:
You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.
Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks....
January's Patch Tuesday
As part of Project Zero, when Google discovers a security vulnerability in the software of some other company (such as Microsoft), it will tell the company in private, then wait 90 days before making a public announcement.
Google told Microsoft about the Windows 8.1 vulnerability on Oct. 13, 2014. Microsoft asked Google to keep quiet about it until January's Patch Tuesday, which fell on the thirteenth, 92 days after Google first told Microsoft.
Google held firm to the 90-day Project Zero deadline and announced the Windows 8.1 vulnerability on Sunday, Jan. 11, two days before Patch Tuesday. In response, Microsoft’s Security Response Center director Chris Betz published a Jan. 11 blog post calling for “better coordinated vulnerability disclosure” between various tech companies (such as Microsoft and Google); in other words, Google shouldn't announce such security vulnerabilities before Microsoft can release the fix:
[Coordinated vulnerability disclosure] philosophy and action is playing out today as one company - Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
On the other hand, Betz's post didn’t say why Microsoft needed 92 days to develop and release a patch for that problem, nor why Microsoft couldn't have released the patch during an earlier Patch Tuesday, or even on a different day of the week. After all, hackers certainly don't respect the scheduling needs of their intended victims; why should security fixes adhere to a strict schedule when security threats do not?