Earlier this week, we published to reveal a zero-day from Google in its operating system Microsoft που επέτρεπε την τοπική κλιμάκωση προνομίων στα Windows 10. Ευπάθεια zero-day, σημαίνει ότι το κενό στην better safety δεν έχει επιλυθεί και έτσι θεωρητικά ένας εισβολέας θα μπορούσε να επωφεληθεί κάθε δημόσια αποκάλυψη, χρησιμοποιώντας τις ευαίσθητες information for his own benefit.
Of course, there have been several discussions like with every zero-day revelation. Google was accused of publishing the vulnerability from Microsoft, while on the other hand, using Adobe's proprietary disclosure that preceded public disclosure, Adobe has managed to repair vulnerability in Flash (CVE-2016 - 7855) about five days later. This Flash security update is already available to the public.
Google, of course, has long published a vulnerability disclosure policy that says it will notify the developer or company privately, providing seven days for a repair, or a public announcement.
The seven-day limit is superfluous especially for critical vulnerabilities that are under active exploitation. The reason;
Each passing day favors malicious users as vulnerability remains unpatched and too many computers are at risk.
Microsoft has not yet released an update that fixes Windows vulnerability, but in a blog post it says it will be available on the next Tuesday Patch on November 8.
It should be noted here that there is no agreement in the field of security on when a vulnerability should be disclosed. Many follow the term: "responsible disclosure," meaning private communication with the developer or company that includes all the details of the vulnerability discovered, with the intention of taking the time to fix it, disclosing the details to the public only when the subject matter has already been fixed.
As long as the developer or company makes no effort and there is no timeline for fixing a vulnerability it may continue to exist for weeks or even months before it is fixed. Google recommends 60 days, although there are others that give more time.
However, not everyone in the security industry agrees with the principles of responsible disclosure. Although they may be considered reckless, some believe that the best solution is immediate publication, especially if vulnerability is actively exploited.
So, although Google gave seven days for both Adobe and Microsoft, the second one showed that she was following her pace, waiting for Tuesday Patch to release the update that may already be available.
The idea behind the immediate disclosure of the vulnerability exerts public pressure (some might call it extortion) and I personally find it completely agreeable especially if the vulnerability is actively exploited. The developer or company receives the message much more seriously because it is exposed to customers.
Προσωπικά, γνωρίζοντας ότι τίποτα δεν μπορεί να είναι απόλυτα ασφαλές, θα εκτιμήσω ιδιαίτερα ένα άμεσο patch σε ένα product which I use, despite the indifference of Microsoft to wait until the first Tuesday of every month to keep its customers safe.
