Google riles rivals with 'gotcha' tactics that reveal software bugs
Google has given fellow tech companies an ultimatum: patch your software vulnerabilities within 90 days or we'll make them public.
An elite team of Google hackers and programmers scrub their own and competitors' software for security flaws, giving companies a deadline to issue a fix. Google says it wants software makers to move fast because cybercriminals act fast when they spot bugs.
It's a sensitive topic - rivals Microsoft and Apple declined to talk about the tactic - though others in the industry say the help isn't always welcome, usurps a role best left to government and can jeopardise security.
"I'm not sure who made Google the official referee of the marketplace for vulnerability notification," said John Dickson, a principal with software security company Denim Group.
He said pressuring companies to fix flaws is a good idea, but "what noble motives they had in mind could be called into question given the fact that they essentially outed vulnerabilities for two of their biggest rivals".
Google established the team in July, calling it Project Zero after the much-feared "zero day" security flaws that are exploited before developers learn of them. It says it is trying to help everyone as well as protect its own products that run on others' devices and software.
That's an activity some experts say is more appropriate for a government agency. The roles of the private and public sectors are on the agenda at a cybersecurity summit tomorrow in Palo Alto, California, where US President Barack Obama will tell tech leaders to improve co-operation and share more information. Some researchers are wondering aloud, however, how much co-operation can be expected if the biggest Internet companies can't play nice together.
"We support a variety of efforts, including Project Zero and our Security Reward Programs, to find and fix online threats," Aaron Stein, a spokesman for Google, said. Apple declined to comment, while Microsoft would only refer to a previous statement in which it said Google's tactics felt like a game of "gotcha", illustrating how divisive the issue is.
"If these companies can't even get along, that's just bad for security for the whole ecosystem," said Jake Kouns, chief information security officer for Risk Based Security.
Opponents of Google's practice say it puts online security at risk by revealing gaps before they can be plugged as hackers work fast to exploit problems when they become known. In January, Apple pleaded with Google to wait a week before going public so it could fix three flaws in the Mac OS X operating system, according to a person familiar with the request who wasn't authorised to speak publicly.
Google knew the fix was coming and had possession of the updated software because it serves as a developer for Apple, the person said. Regardless, Google refused and released details of the flaws.
Microsoft, meanwhile, requested two additional days to fix a flaw in Windows. Google refused and publicised the bug.
"The decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result," wrote Chris Betz, senior director of Microsoft's Security Response Centre, in a January 11 blog post, which has remained the company's only public comment on the issue to date. "What's right for Google is not always right for customers."
Microsoft asks that researchers privately disclose flaws to software providers, working with them until a fix is made available, Betz said. "Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured," he wrote.
Google supporters say the approach may fundamentally alter software industry practices in which companies can take months or years to patch bugs.
According to an analysis by Risk Based Security, Project Zero has identified 39 vulnerabilities in Apple products and 20 in Microsoft products. The team also has found 37 flaws in Adobe Systems software and 22 in the FreeType software development library for rendering fonts.
Project Zero publicly released details before a fix became available about Apple flaws 16 times, Microsoft three times and Adobe once, Jake Kouns said.
Google's "strict policy is good for the industry", and the company should be praised because they "stuck to their guns," said Tom Gorup, a manager with Rook Security. "A regular Joe on the street doesn't have the clout that Google does," Mr Gorup said.
"If we have huge companies like Microsoft, Apple and Google going at each other and pushing for better security, it's a win across the board." (Bloomberg)