Google has refused to delay zero-day flaw disclosures from both Microsoft and Apple, according to a report
Google has reportedly refused requests by Apple and Microsoft to delay exposing security flaws until a patch became available, creating friction with its rivals as it pushes ahead with its controversial ‘Project Zero’ programme.
With Project Zero, launched in July, Google has said it is hunting down bugs in software widely used across computer systems and mobile devices, and will publicise the bugs 90 days after notifying the software vendor, whether the bug has been patched by that time or not. Unpatched flaws are known as ‘zero-day’ bugs.
Microsoft and Apple have both requested flexibility from Google as they prepared patches reported by Project Zero, but both were refused, underscoring the strictness with which the search giant is adhering to its 90-day time limit, according to a report by Bloomberg.
Last month, Apple asked Google for a delay of about a week so that it could release a patch for three flaws in Mac OS X, according to the report. As a registered Apple developer, Google already had access to the updated software and knew it was about to be released, but it still refused Apple’s request and publicly released details of the flaws, according to the report, which cited an unnamed source.
Google also refused Microsoft’s request for two additional days as it sought to fix a Windows flaw, according to the report.
Apple and Microsoft declined to comment, with Microsoft referring the press to an earlier blog post in which it criticised Project Zero.
‘Zero sum game’
In that post, Chris Betz, senior director of Microsoft’s Security Response Centre, said Project Zero was not necessarily right for the industry or for customers, but only “right for Google”.
“What’s right for Google is not always right for customers,” he wrote in the January 11 post. Microsoft normally requests that researchers work with software developers until a fix is available, before publicising flaws, Betz said.
“Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers,” he stated. “It is a zero sum game where all parties end up injured.”
He said Project Zero “feels less like principles and more like a ‘gotcha’”.
Other industry observers, however, have praised Google for using its leverage to help ensure bugs are patched in a timely manner.
Project Zero has resulted in 16 Apple flaws being disclosed before a patch was available, three Microsoft flaws and one Adobe flaw, according to figures from Risk Based Security cited by Bloomberg. The company said that in all, Project Zero has identified 39 bugs in Apple products, 20 in Microsoft software, 37 in Adobe software and 22 in the FreeType font rendering library.