Backlash

Microsoft criticises Google for revealing a Windows bug before it could fix it

The company has criticised Google’s Project Zero for revealing details of a Windows 8.1 vulnerability two days before it was due to fix it.

MICROSOFT HAS CRITICISED Google’s decision to reveal a software vulnerability relating to Windows 8.1 two days before it had planned to fix it.

Google Project Zero is a team of security researchers that tracks software flaws and reports them to the relevant vendors before they are exploited. To ensure that bugs actually get fixed, Project Zero gives a vendor 90 days to patch a flaw, after which it publishes the details.

The senior director of Microsoft’s Security Response Centre Chris Betz described Google’s decision as “less like principles and more like a ‘gotcha’”.

In a post detailing Microsoft’s stance on the issue, Betz mentioned that the bug would be fixed as part of Patch Tuesday, a planned event which happens on the second Tuesday of every month. Microsoft had asked Google to keep the vulnerability under wraps until then, but Google published the details of said bug on 29 December as its 90-day deadline wasn’t met.

CVD (Coordinated Vulnerability Disclosure) philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.

Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

Betz said that the process of dealing with security vulnerabilities can be a “complex, extensive and time-consuming process” where issues like the real world impact in consumer environments, the number of platforms said bug exists in and the complexity of the fix must be considered.

Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account.

Betz asked researchers to disclose vulnerabilities privately to software providers and to work with them until a fix is available before making the details public, describing this as the “partnership that customers benefit the most” from. Not doing so, he said, would result in a “zero sum game where all parties end up injured.”

After Project Zero released the details of the bug, one of its members defended the decision to publish, saying that “on balance… disclosure deadlines are currently the optimal approach for user security,” and that the team would monitor the effects of its policy “very closely.”
