Microsoft slams Google for revealing security vulnerability in Windows
13 Jan 2015
Microsoft has slammed Google for revealing a security vulnerability in Windows only two days before the software giant planned to fix the bug, The Register reported.
Google revealed the flaw on 11 January, 90 days after reporting it to Microsoft. According to the ad giant, the bug could elevate a user's privileges to administrator level, thanks to some inelegant action during the Windows 8.1 log-in process.
This is not the first disclosure of its kind by Google, which revealed a nasty takedown for Windows 8.1 on 30th December after reporting it in September.
The search giant did so because the rules of its Project Zero security regime see it reveal flaws 90 days after reporting them to vendors. Google notified Microsoft of the new flaw on 13th October.
According to Microsoft, Google acted irresponsibly, as Microsoft had not only planned a fix for the problem on 13 January but had also asked Google not to go public until that day.
"Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," wrote Chris Betz, Microsoft's senior director for trustworthy computing.
Meanwhile, according to The Sydney Morning Herald, the spat highlighted an ever-present tension in the software security sector between those who believed flaws should be revealed sooner rather than later to put pressure on companies to tackle the issues, and developers who at times needed more time to come up with a solution.
In this case Google stood in the former camp, through its "Project Zero" team, which scanned all types of software for bugs and reported problems privately to the developers who created them. Google gave developers 90 days to fix a problem before making the issue public.
Microsoft planned to publish a fix this week as part of its regular security update, known in the industry as "Patch Tuesday."
"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal", Betz wrote.