Happy New Year and welcome to the first Microsoft Patch Tuesday of 2015. This year's January release is twice the size of last year's, with eight bulletins in total. One is rated "Critical" and the other seven are rated "Important".
This month's release is notable for patching two vulnerabilities that Google published as zero days, that is, before Microsoft had shipped a fix. Both are elevation of privilege vulnerabilities in Windows: an attacker who already has code running on the machine can use them to gain higher privileges, but neither can be used on its own to get onto the machine in the first place. Google published the first vulnerability on December 29 and the second on January 11, complete with Proof of Concept (PoC) exploit code.
Why didn't Google wait until today to release the vulnerability details? The vulnerabilities were disclosed under Google's new Project Zero disclosure policy, which gives a vendor 90 days to patch a vulnerability after Google reports it to them privately. If the vendor has no patch or workaround ready by the end of that period, Google publishes the details automatically, whether or not a fix is imminent.
This process is generally known as Coordinated Vulnerability Disclosure, where the organization that found a vulnerability works with the vendor to make sure it is patched before criminals exploit it. It is important for Google, as the organization reporting the vulnerability, to be flexible and to understand the difficulties of patch development. Bugs embedded deep in an operating system's architecture take longer to patch than a minor filtering issue in a single application. As Microsoft notes in their response to the disclosure, "Responding to security vulnerabilities can be a complex, extensive and time-consuming process."