Microsoft is publicly criticizing Google for releasing details about a security vulnerability in Windows 8.1 two days before the Redmond company was slated to patch the bug — saying that Google is putting users at risk by rejecting Microsoft’s request to wait until the fix is released.
Google made the latest disclosure as part of its “Project Zero” security initiative, which provides companies a 90-day deadline to fix vulnerabilities before they are disclosed publicly, giving hackers key details to exploit the bug. In this case, the flaw in the Windows 8.1 log-on mechanism would allow an attacker to escalate their privileges on a user’s computer, effectively taking over the machine.
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result,” writes Chris Betz, senior director of the Microsoft Security Response Center, in a post today outlining Microsoft’s position. “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
The dispute between Microsoft and Google highlights a debate in the security world over best practices for reporting and fixing security holes, balancing the need to protect users against the positive effects of pressuring a software vendor to expedite a patch.
It’s the latest in a long series of spats between the two companies, and the second time in recent weeks that Google has disclosed an unpatched Windows 8.1 bug through Project Zero.
In a Dec. 31 post on the earlier Windows 8.1 disclosure, Project Zero researcher Ben Hawkes left the door open to potential changes in the disclosure policy, but defended the approach overall.
“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face,” the Google security researcher wrote. “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”
In the Microsoft post today, Betz hints at why this latest fix has taken longer than the 90-day period.
“Responding to security vulnerabilities can be a complex, extensive and time-consuming process,” he writes. “As a software vendor this is an area in which we have years of experience. Some of the complexity in the timing discussion is rooted in the variety of environments that we as security professionals must consider: real world impact in customer environments, the number of supported platforms the issue exists in, and the complexity of the fix. Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account.”
We contacted Google about Microsoft’s statement, and the company doesn’t have a comment at this point.