Google disputes bug patching report

IBM's X-Force admits mistake, now says Google patched all disclosed vulnerabilities in the first half of 2010

Google on Monday said that a recent report claiming it failed to patch one-third of the serious bugs in its software had the facts wrong.

IBM's X-Force security unit, which released the report last week, acknowledged the error and issued a revised chart that shows Google patched all the vulnerabilities rated "critical" or "high" in its online services.

"We questioned a number of surprising findings concerning Google's vulnerability rate and response record, and after discussions with IBM, we discovered a number of errors that had important implications for the report's conclusions," said Adam Mein, a security program manager at Google, in an entry on a company blog.

Last week, X-Force's report claimed that 9% of all Google bugs disclosed in the first half of 2010 were unpatched, and 33% of the vulnerabilities ranked as critical or high had not been fixed.

According to IBM's revised tabulations, Google patched every vulnerability disclosed in the first six months of 2010.

"After we released our trend report ... we received feedback from two software vendors regarding the severity and remedy information for some of the vulnerabilities behind this chart," said Tom Cross, a researcher with X-Force, in a mea culpa blog posted on Saturday. "As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart."

Cross' blog post included a revamped table that showed the new numbers.

Although Cross did not name the other vendor that complained about the patching results, the numbers for Sun Microsystems also changed dramatically. Where the original table had Sun letting 24% of all first-half 2010 bugs and 9% of the most serious flaws go unfixed, the recalculated figures were 8% and 0%, respectively. The changes dropped Sun from the vendor with the largest percentage of unpatched vulnerabilities to the one in fifth place.

Oracle announced plans to acquire Sun for $7.4 billion in April 2009 and closed the deal in January 2010; X-Force nonetheless listed the two companies' vulnerabilities separately.

After X-Force re-examined its data, unpatched percentages also decreased for other vendors, including Microsoft and Mozilla, as did the unpatched percentage for the catch-all category of Linux.

What caught Google's eye, said Mein, was X-Force's assertion that one in three critical bugs had not been patched.

"We learned after investigating that the 33% figure referred to a single unpatched vulnerability out of a total of three -- and importantly, the one item that was considered unpatched was only mistakenly considered a security vulnerability due to a terminology mix-up," Mein said.

Mein pointed to a 2009 blog post by Jonathan Ness, a member of Microsoft's security team, as evidence of what he called mistaken identity. Ness' post distinguished a "stack overflow," meaning stack exhaustion, where deep recursion or an oversized local allocation runs a thread out of stack space and the process crashes, from a "stack buffer overflow," a write past the end of a fixed-size buffer on the stack that can corrupt adjacent data such as a saved return address. He said the former were generally crashes rather than security vulnerabilities, because on their own they could not be used to insert attack code onto a PC.
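To make the distinction concrete, here is an added example in C; it is not code from the article, from Microsoft or from X-Force. It places a depth-guarded recursion (the stack-exhaustion case, which a guard turns from a crash into an error return) next to a classic unchecked copy into a fixed stack buffer (the stack-buffer-overflow case) and a length-checked replacement. The function names, the 16-byte buffer and the depth limit are illustrative choices, not values from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case 1: "stack overflow" in the sense Ness describes, i.e. stack exhaustion.
 * Unbounded recursion consumes the whole stack and the process faults on the
 * guard page. The caller controls how deep it recurses, not what gets written,
 * so on its own this is a denial of service, not code execution. A depth guard
 * (an illustrative limit, chosen for this example) turns the crash into an
 * error return. */
#define MAX_DEPTH 10000u

/* Returns the depth reached, or -1 if the request exceeds the guard. */
int recurse_bounded(unsigned depth, unsigned requested) {
    if (requested > MAX_DEPTH)
        return -1;                 /* refuse instead of exhausting the stack */
    if (depth == requested)
        return (int)depth;
    return recurse_bounded(depth + 1, requested);
}

/* Case 2: stack buffer overflow. buf is a fixed-size array on the stack, and
 * strcpy writes however many bytes the source contains. Input of 16 bytes or
 * more overwrites whatever lies beyond buf (other locals, the saved frame
 * pointer, the return address) with attacker-chosen bytes, which is why this
 * is a security vulnerability rather than a mere crash. */
int copy_unsafe(const char *src) {
    char buf[16];
    strcpy(buf, src);              /* no length check: overflows when strlen(src) >= 16 */
    return (int)strlen(buf);
}

/* Hardened form: check the length before copying and report an error instead
 * of writing past the end of the buffer. */
int copy_safe(const char *src) {
    char buf[16];
    size_t n = strlen(src);
    if (n >= sizeof buf)
        return -1;                 /* reject input that does not fit, NUL included */
    memcpy(buf, src, n + 1);
    return (int)n;
}

int main(void) {
    printf("bounded recursion to depth 500: %d\n", recurse_bounded(0, 500));
    printf("recursion request of 100000: %d (refused)\n", recurse_bounded(0, 100000));
    printf("copy_safe(\"hello\"): %d\n", copy_safe("hello"));
    printf("copy_safe(16-byte input): %d (rejected)\n", copy_safe("0123456789ABCDEF"));
    /* copy_unsafe("0123456789ABCDEF") would write past buf; deliberately not called. */
    return 0;
}
```

The two failure modes look alike in a crash dump (both end in a fault on the stack), which is how a counting exercise can misfile one as the other; only the buffer case lets the input decide what memory receives.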

It's not unusual for software vendors to dispute the findings of independent security researchers. Mozilla, for instance, has repeatedly disagreed with reports that claim Firefox has more bugs than rival browsers, calling some of those reports "misleading" because Mozilla's open-source approach requires that all vulnerabilities be disclosed, while vendors like Apple and Microsoft can fix flaws without revealing that they were ever there.

At times, developers also quarrel with researchers over the severity of a bug, or even whether a flaw should be labeled a vulnerability. More than two years ago, Microsoft first claimed that a Windows bug was a "design flaw," then weeks later changed its mind and called it a security problem.

X-Force has also had problems with its vulnerability counts and calculations. In the report it issued last week, the company admitted that the methodology it used to compile the 2009 edition was flawed and said it had corrected the problem to make the results more accurate in the mid-2010 report.

Cross said that X-Force would release a revised report this week.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed.

Copyright © 2010 IDG Communications, Inc.