Microsoft, Google in Security Squabble Over Windows 8.1 Bug
Google last week published details of a Windows 8.1 vulnerability two days before Microsoft planned to issue a fix for the bug.
No one would mistake Microsoft (MSFT) and Google (GOOG) for the best of friends. An uneasy truce between the two frayed over the weekend when the search giant went public with news of a known Windows 8.1 bug only two days before the software kingpin planned to issue a fix.
Boiled down, here’s what happened: As part of its Project Zero security initiative, Google last week published details of a second Windows 8.1 vulnerability two days before Microsoft planned to issue a fix for the bug. Google’s January 11 publication of the bug came exactly 90 days after it served Redmond with initial advance warning, in keeping with its public disclosure policy.
It’s the second time in the past few weeks Google has gone public with details of a Windows 8.1 bug before Microsoft released a patch. In this latest incident, Microsoft claims it told Google of its plans to supply a fix in its Patch Tuesday updates, complaining that the search provider’s actions could injure customers.
“Google has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so,” wrote Chris Betz, Microsoft Security Response Center senior director, in a January 11 blog post.
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix,” he said.
While acknowledging Google’s Project Zero disclosure policy, Betz said the “decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
In the December incident, Google told Engadget that its Project Zero’s policies are the “result of many years of careful consideration and industry-wide discussions about vulnerability remediation.”
Project Zero “allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face,” Google said. “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”
Betz argued there’s danger inherent in that practice. “Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves,” he wrote. “We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment.”
Ultimately, researchers and software companies must “come together and not stand divided over important protection strategies, such as the disclosure of vulnerabilities and the remediation of them,” Betz wrote.
In the snafu’s aftermath, there may be more wiggle room on Google’s part than initially thought: the company has conceded that it’s “going to be monitoring” its policy closely.
“We want our decisions here to be data driven, and we’re constantly seeking improvements that will benefit user security,” Google told Engadget.