MICROSOFT HAS CRITICISED Google’s decision to reveal a software vulnerability relating to Windows 8.1 two days before it had planned to fix it.
Google Project Zero is a security research team which finds software flaws and reports them privately to the affected vendors before they are exploited. To ensure that reported bugs actually get fixed, Project Zero gives the vendor 90 days to ship a patch; if that deadline passes, it publishes the details.
The senior director of Microsoft’s Security Response Centre Chris Betz described Google’s decision as “less like principles and more like a ‘gotcha’”.
In a post detailing Microsoft’s stance on the issue, Betz noted that the bug would be fixed as part of Patch Tuesday, Microsoft’s scheduled update release on the second Tuesday of every month. Microsoft had asked Google to keep the vulnerability under wraps until then, but Google published the details of the bug on 11 January, two days before that Patch Tuesday, because its 90-day deadline had already expired.
CVD (Coordinated Vulnerability Disclosure) philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
Betz said that dealing with security vulnerabilities can be a “complex, extensive and time-consuming process” in which factors such as the real-world impact in customer environments, the number of platforms the bug exists on and the complexity of the fix all have to be weighed.
Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account.
Betz asked researchers to disclose vulnerabilities privately to software providers and to work with them until a fix is ready before making any details public, describing this as the “partnership that customers benefit the most” from. Not doing so, he said, results in a “zero sum game where all parties end up injured.”
After Project Zero released the details of the bug, one of its members defended the decision to publish, saying that “on balance… disclosure deadlines are currently the optimal approach for user security,” and that the team would monitor the effects of its policy “very closely.”