
Microsoft criticises Google for revealing a Windows bug before it could fix it

The company has criticised Google’s Project Zero for revealing details of a Windows 8.1 vulnerability two days before it was due to fix it.

Image: AP Photo/Ron Harris

MICROSOFT HAS CRITICISED Google’s decision to reveal a software vulnerability relating to Windows 8.1 two days before it had planned to fix it.

Google Project Zero is a team of security researchers that finds software flaws and reports them privately to the affected vendors before they can be exploited. To ensure that bugs actually get fixed, Project Zero gives a vendor 90 days to release a patch; if the deadline passes without one, it publishes the details.

Chris Betz, senior director of the Microsoft Security Response Center, described Google’s decision as “less like principles and more like a ‘gotcha’”.

In a post detailing Microsoft’s stance on the issue, Betz said the bug would be fixed as part of Patch Tuesday, the scheduled release of Microsoft security updates on the second Tuesday of every month. Microsoft had asked Google to keep the vulnerability under wraps until then, but Google published the details once its 90-day deadline had passed.

CVD (Coordinated Vulnerability Disclosure) philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.

Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

Betz said that dealing with security vulnerabilities can be a “complex, extensive and time-consuming process”, in which the real-world impact in customer environments, the number of platforms the bug exists on and the complexity of the fix must all be considered.

Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account.

Betz asked researchers to disclose vulnerabilities privately to software providers and to work with them until a fix is ready before publishing the details, describing this as a “partnership that customers benefit the most.” Not doing so, he said, results in a “zero sum game where all parties end up injured.”

After Project Zero released the details of the bug, one of its members defended the decision to publish, saying that “on balance… disclosure deadlines are currently the optimal approach for user security,” and that the team would monitor the effects of its policy “very closely.”

About the author:

Quinton O'Reilly
