The Zero-Day Lesson Learned
The cybersecurity world is all a-buzz this week with big news from Google. The tech giant routinely uncovers security flaws in other companies’ software and platforms, but this time, the target was Microsoft’s signature operating system, Windows.
Google researchers discovered what’s known as a zero-day vulnerability, one that had already been used “in the wild.” That might sound like the plot of a blockbuster spy movie, but in reality, these security flaws happen fairly often. Zero-day simply refers to the fact that the creator of the software has had “zero days” to block it before other people—namely, hackers—found out about it. Google’s discovery means that Windows has a security hole in it that hackers are already using for their own purposes.
There’s an interesting point to be made for everyday consumers: Google’s own policy is to inform the developers of the flaw in order to give them a chance to issue an update or “patch” for that particular flaw. They do have a time limit on the process, though. While unknown threats have as much as 90 days before an announcement is made, the developer only has seven days to create a patch before Google shares its findings if it’s already been discovered to be exploited.
Obviously, no one enjoys having their bad news shared with the world, and Microsoft was no exception; they’ve expressed their disappointment in Google for announcing the zero-day vulnerability before the patch could be created. But in this case, both Google and Microsoft have valid points. While Microsoft may be concerned that other hackers will now seek out the flaw before they can close it, Google’s viewpoint is that the more information the public has about cybersecurity, the better off we’ll all be.
From a personal security standpoint, we’ve seen a tremendous shift in the time it now takes for consumers to be made aware of a data breach or hacking event. Not too long ago, the public received notification letters about a data breach that compromised their personal information months or even years beforehand. Now, there have been data breaches that get reported literally hours after they’re discovered.
We can partly thank better investigative efforts at recognizing suspicious activity for the decrease in lost time, but it’s also coupled with state-by-state legislation that has clarified what types of breaches have to be reported and within what kind of time frame. Arming the public with news that their personal data may be in jeopardy can go a long way towards minimizing the risk of identity theft and fraud.
Interested in more cyber news? Check out the ITRC blog to keep you updated and aware of the latest topics and events.