Microsoft is not happy with Google. On Sunday, Google released details of a security glitch in Windows 8.1 that allows low-level user accounts to gain administrator-level privileges. Google’s post came from its Project Zero team, a group of researchers who scan the internet and operating systems for security issues and report them. Project Zero notifies companies of the glitches it finds and gives them 90 days to fix them; after that, the problems are published for the masses.
This particular Windows issue was reported to Microsoft on Oct. 13, so the 90-day clock ran out and Google published details of the issue on Sunday. But the timing irked Microsoft — the company was set to fix the bug on Tuesday, and it had told Google so. So when Google beat Microsoft to the punch, Redmond was upset, and it took to the Web to air its grievances.
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result,” Chris Betz, senior director of the Microsoft Security Response Center, wrote in a blog post Sunday night.
Betz discussed coordinated vulnerability disclosure, the idea that disclosing security bugs should be a unified effort between the administrator responsible for fixing the issue (Microsoft in this case) and the party disclosing the issue (Google). “Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment,” wrote Betz. “It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a ‘fix’ before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack.”
On one side is Google, which says Project Zero holds companies accountable and keeps consumers in the know. On the other is Microsoft, which says glitches should be kept under wraps until a fix is in place, thus minimizing the probability of wrongdoers taking advantage of the bug. On a broad scale, it’s a discussion with great ramifications in an increasingly digital world. In this particular instance, it’s Microsoft being upset it was left high and dry by Google.
Betz wrote that “those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon.” It’s true this information in the wrong hands can be dangerous, but it wasn’t as though Google dropped a bombshell on Microsoft. Google makes it clear companies have a 90-day window to fix bugs, so Microsoft had nearly three months to issue a fix.
To this, Betz argues that timing is sensitive. Fixing these issues is a complex and time-consuming endeavor, he wrote, but this isn’t a situation in which Microsoft is months away from discovering a solution. Rather, it wanted Google to rework its disclosure to coordinate with Microsoft’s “Patch Tuesday cadence,” in which security updates are released on the second Tuesday of each month. It’s important to adequately fix bugs, but Microsoft is essentially asking the tech world not to disclose Microsoft bugs on days other than second Tuesdays. Of course, Microsoft could have fixed the Windows glitch and given advance notice of the update, but it stopped that practice three days before Google publicized the bug.
Nevertheless, Microsoft hopes Google will be more understanding in the future. “We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publicly,” Betz wrote. “It is in that partnership that customers benefit the most.”