There is a possible war brewing between Microsoft and Google after the Redmond-based giant publicly criticised its Mountain View counterpart for releasing details about a security vulnerability in Windows 8.1 two days before it could patch the bug. Microsoft accuses Google of putting users at risk by rejecting Microsoft’s request to wait until the fix was released.
Google made the disclosure as part of its “Project Zero” security initiative, which provides companies a 90-day deadline to fix vulnerabilities before they are disclosed publicly. The flaw in the Windows 8.1 log-on mechanism would allow a hacker to escalate their privileges on a user’s computer, effectively taking over the machine.
In a blog post, Chris Betz, senior director of the Microsoft Security Response Center, argues that the company needed more than the 90-day period that Google’s Project Zero affords companies.
“Responding to security vulnerabilities can be a complex, extensive and time-consuming process,” he writes. “As a software vendor this is an area in which we have years of experience. Some of the complexity in the timing discussion is rooted in the variety of environments that we as security professionals must consider: real world impact in customer environments, the number of supported platforms the issue exists in, and the complexity of the fix. Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account.”
He further relays his feelings about Google’s disclosure of the bug:
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
Project Zero researcher Ben Hawkes defended Google’s approach to disclosing bugs but did not completely dismiss a change in the approach.
“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face,” the Google security researcher said. “By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”
Microsoft wishes for more collaboration on outing bugs.
“To arrive at a place where important security strategies protect customers, we must work together. We appreciate and recognize the positive collaboration, information sharing and results-orientation underway with many security players today. We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publicly. It is in that partnership that customers benefit the most. Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured,” writes Betz.