There was a time in the not-so-distant past when nasty public fights between Microsoft and various researchers over when and how to disclose vulnerabilities were just about a weekly occurrence. That time thankfully has passed, but, as the current disagreement between Google and Microsoft over Google’s disclosure of a Windows zero day makes clear, not everyone is sitting around the campfire holding hands either.
The facts of the current case are fairly straightforward, and there’s really only one bit that’s in dispute: whether a large swath of the Windows user base was at risk of attack. Last month, researchers from Google’s Threat Analysis Group discovered new flaws in Windows and Adobe Flash. The team found that both bugs were being used together in targeted attacks–spear-phishing attempts via email with rigged attachments–and informed both vendors about the vulnerabilities. The Flash bug is the more serious of the two, as it is remotely exploitable and gives the attacker initial code execution, while the Windows flaw is a local privilege-escalation weakness that is only useful once an attacker already has code running on the machine.
Adobe patched the Flash bug quickly and warned customers that it was being used in attacks already. Meanwhile, Microsoft decided not to rush out an emergency patch for the Windows vulnerability, probably because it isn’t dangerous enough to warrant the commitment of time and resources that requires. Google’s team waited 10 days after informing Microsoft and then disclosed some details of the flaw, saying that it was doing so because of the existence of active attacks.
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited,” Google’s engineers said.
None of that is particularly surprising. Google has taken similar actions in the past, and its researchers typically hew very closely to the company’s stated disclosure timelines. (Except when Apple gets involved, apparently.) And disclosing bugs to put pressure on vendors that are perceived to be dragging their feet on patches is a well-trod path.
The difference in this particular case is that it’s very likely that only a small group of users was being targeted with the Windows vulnerability. Google’s researchers are in a position to know this because the company has a unique vantage point on the Internet and actively scans email and other traffic looking for active exploit attempts. The company has a system that identifies attacks by nation-state actors against Google users and notifies intended victims when it finds such exploit attempts. Google hasn’t disclosed the details of that system publicly, but it almost certainly involves analysis of Gmail messages. That analysis would give Google’s team a detailed picture of what the exploit attempts look like, as well as a general idea of who they’re targeting and how big that target population might be.
In looking into the vulnerability and the exploit attempts, Microsoft’s own research team determined that the attacks were tied to a known attack group called Fancy Bear, Strontium, or APT 28. The group is tied to the Russian government and usually goes after high-value targets such as embassies, government agencies, policy groups, and defense contractors. That’s the default menu for APT groups, and it does not intersect with the overwhelming majority of the Windows user base. Microsoft’s Terry Myerson said the group “conducted a low-volume spear-phishing campaign” using the Windows zero day and the Flash bug, which is exactly the description you’d expect to see in a report on an advanced attack group’s methods.
Email is still the simplest and most reliable method for attackers to compromise most targets, including those at theoretically well-defended organizations. Click-happy users are the bane of security teams the world over and the stepping stones that attackers count on. Phishing is an industry-scale problem and one that both Google and Microsoft have worked hard to mitigate, with some success.
There are some valid reasons to disclose unpatched vulnerabilities, but doing so to protect a tiny percentage of users against a phishing attack while potentially putting a much larger number at higher risk shouldn’t be one of them.
Image: Kanny Nguyen, Public Domain.