Microsoft slams Google for publishing a security vulnerability in Windows 8.1


Petrovic

Thread author
Microsoft has said Google's disclosure of the security vulnerability in Windows 8.1 was more of a "gotcha" moment than about protecting customers, as Google claims; it also argued Google should be more flexible and be willing to work with other companies privately to help fix vulnerabilities.

Senior Director of the Microsoft Security Response Center, Chris Betz, said in a blog post that Google knew Microsoft had a fix in the pipeline that was due to be released on "Patch Tuesday"; however, Google went ahead with the disclosure just two days out, despite being asked not to do so.

In a post published on Google's security research site earlier, a researcher disclosed the vulnerability and how to execute the flaw. The vulnerability allows for an elevation of privilege in Windows 8.1; an example application was also included that could launch calc.exe using the method.

Betz argued that responding to "security vulnerabilities can be a complex, extensive and time-consuming process" and that Google should be more flexible and be willing to coordinate with other companies in the interest of the millions of people who depend upon the software.

The Google researcher earlier defended the disclosure, saying they waited 90 days before letting the world know how to exploit it, following their company's public disclosure philosophy, which is meant to pressure companies into fixing vulnerabilities more quickly.

Betz argued that privately disclosed vulnerabilities are more likely to be fixed and less likely to be exploited by "cybercriminals" than ones that are publicly disclosed.

Google is unlikely to change its long-held philosophy though.
 
starchild76

Google disclosed a Windows 8.1 bug publicly last week, having privately reported the vulnerability to Microsoft in September as a part of its ongoing Project Zero security initiative.

Project Zero is a security initiative launched by Google in July 2014 that initially discloses flaws in private to the firms concerned and gives them a 90-day deadline to release a fix before making the research public.

Microsoft Trustworthy Computing senior director Chris Betz criticised Google's January disclosure in a blog post, claiming the firm had responded to Google's disclosure and was developing a fix.

"[Google] has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well-known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so," he said.

"Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix."

He added that Google's actions would undoubtedly benefit hackers more than end users.

"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result," he said.

"What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

"Even for those able to take preparatory steps, risk is significantly increased by publicly announcing information that a cyber criminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue."

Betz said the disclosure is part of a wider issue with operations like Project Zero, arguing companies should instead follow a Coordinated Vulnerability Disclosure (CVD) policy.

"Releasing information absent context or a stated path to further protections unduly pressures an already complicated technical environment," he said.

"It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a 'fix' before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack."

Google had not responded to a request for comment from V3 when contacted.

Experts within the security community have been divided over the merits of public versus private disclosure policies for many years.

F-Secure security adviser Sean Sullivan told V3 that, while he is sympathetic to Microsoft's point, the firm should have made its argument earlier.

"Microsoft should have complained about Google's policy months ago if it has a problem with it. Google Online Security has recommended 60 days in some cases since at least May 2013," he said.

"On the other hand, just because Google discovered this vulnerability on September 30, 2014 doesn't mean it should disclose exactly 90 days later - that's just evil.

"There's no reason Google's official formula can't be 90 days plus or minus some X number of days for the nearest scheduled monthly update."

Microsoft has been criticised for its slow response to privately disclosed flaws in the past.

The firm failed to patch a critical vulnerability in Internet Explorer 8, leaving users open to attack more than 180 days after researchers privately disclosed the bug in May 2014.