Chris Betz, senior director of the Microsoft Security Response Center, recently penned a lengthy blog post criticizing Google for publishing details of a Windows 8.1 security flaw before Microsoft had a chance to ship a fix.
The bug was reported to Microsoft back in October of last year but was only just made public, and it describes a way that a user on a Windows 8.1 machine might be able to impersonate another user. Google says it applies a 90-day disclosure deadline to the bugs it reports, after which the details are released whether or not a patch exists. Microsoft says it had planned to fix the flaw on its next Patch Tuesday, Jan. 13, two days after the deadline expired. Google made the information public anyway.
Betz said that Microsoft believes in coordinated vulnerability disclosure (CVD), in which software and hardware firms work together on bugs to limit “the field of opportunity so customers and their data are better protected against cyberattacks.” Instead, he argued, Google released the information early as a sort of “gotcha” aimed at Microsoft.
“CVD philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so,” Betz said in his blog post. “Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
Betz also argued that a vendor cannot always respond to a vulnerability report quickly, but that Microsoft has the experience to judge what an appropriate and timely response is for each flaw it learns of. “An update to an online service can have different complexity and dependencies than a fix to a software product, decade-old software platform on which tens of thousands have built applications, or hardware devices,” Betz explained.
Ultimately, Betz argued that no software is perfect, that companies should collaborate to give customers the most secure software possible, and that publishing a flaw before a fix is available can end up harming the very customers disclosure is meant to protect. The way Microsoft tells the story, Google published the information mainly to make itself look better.