Microsoft has slammed Google for disclosing a security vulnerability in Windows a mere two days before Redmond planned to fix the bug.
Google revealed the flaw on 11 January, 90 days after reporting it to Microsoft; the ad giant said the bug can elevate a user's privileges to administrator-level, thanks to some inelegant action during the Windows 8.1 login process.
More ReadingGoogle cuts Microsoft and pals some slack in zero-day vuln crusade – an extra 14 days topsGoogle reveals bug Microsoft says is mere gnatGRENADE! Project Zero pops pin on ANOTHER WINDOWS 0-DAYAre you running a Telnet server on Windows? Oh thank God. THANK GODMicrosoft thinks of the children with VS2013 Git release
This isn't the first such disclosure by Google, which revealed a nasty takedown for Windows 8.1 on December 30th, after reporting it in September.
Google did so because the rules of its Project Zero security regime sees the text ad giant reveal flaws 90 days after it reports them to vendors. In the case of this new flaw, Microsoft was notified on October 13th.
Microsoft's feels Google's acted irresponsibly because it not only planned a fix for the problem on January 13th but also asked Google not to go public until that day.
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix,” writes Chris Betz, Microsoft's senior director for trustworthy computing.
Betz accuses Google of sticking to its 90-day-disclosure regime in order to annoy Microsoft, opining that Google's announcement “ ...feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result.”
“What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal,” he adds.
Betz calls for Google – and everybody else – to sign up to Redmond's Coordinated Vulnerability Disclosure policy.
“We don’t believe it would be right to have our security researchers find vulnerabilities in competitors’ products, apply pressure that a fix should take place in a certain timeframe, and then publically disclose information that could be used to exploit the vulnerability and attack customers before a fix is created,” he writes, adding that all stakeholders need to work in “partnership” to sort things out in ways that ensure bad guys get the smallest possible window during which to exploit flaws.
“Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured,” he writes.
We can't see a Google response to this new incident, but when this last happened the company's Ben Hawkes wrote that the 90-day deadline is an attempt to change the way bugs are handled, as “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”
Microsoft clearly disagrees with that stance and the benefits it provides to customers.
Game on. ®