Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Microsoft Blasts Google for Early Disclosure of Windows Bug

    By
    Jaikumar Vijayan
    -
    November 2, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Microsoft rebukes Google

      Microsoft rebuked Google for releasing details of a security flaw in the Windows kernel for which a patch is not yet available. Microsoft officials said that Google’s disclosure potentially endangers customers and that they believe in coordinated vulnerability disclosures.

      In an Oct. 31 blog post, Neel Mehta and Billy Leonard, security researchers with Google’s Threat Analysis Group, said a local privilege escalation bug exists in the Windows kernel. Attackers can take advantage of the flaw to escape a security sandbox, the researchers warned. The vulnerability is especially serious because attackers are already exploiting it in the wild, the two Google researchers said.

      However, in an statement emailed to eWEEK, Microsoft challenged Google’s description of the issue. “We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,'” the statement said.

      In a Nov. 1 blog post, Terry Myerson, executive vice president of Microsoft’s Windows and Devices group, said the attack identified by Google’s Threat Analysis Group used two-zero days, one in the Windows kernel and the other in Adobe Flash.

      Adobe has already patched the flaw, so the attack scenario that the Google researchers described has already been fully mitigated. Patches for all affected Windows versions are being tested and will be released Nov. 8, Myerson wrote.

      “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” Myerson wrote. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”

      The Google researchers claimed to have notified Microsoft of the issue on Oct. 21 and then disclosed the flaw publicly after seven days, in keeping with Google’s vulnerability disclosure policy for zero-day bugs that are being actively exploited.

      Typically, Google gives software developers 60 days to address critical vulnerabilities that are reported in their product before going public with the data.

      For companies that are unable for some reason to get a fix out in that time frame—especially flaws that are being exploited—Google has recommended they at least issue within seven days some sort of a mitigation procedure for working around the issue. Google has admitted that seven days is an aggressive timeline, but insists it is enough to at least publish advice about potential mitigations.

      Google’s decision to release details of the vulnerability before Microsoft had a chance to get out a fix has surfaced a long-standing debate over responsible disclosure. Many security researchers have long held that vendors should be given a reasonable shot at fixing reported flaws in their products before details of the vulnerability are publicly disclosed.

      Others, especially bug hunters, have said the only way to get some vendors to address security issues quickly is to give them a tight deadline for fixing the issues and to threaten them with public disclosure if they don’t.

      The latest incident shows why some sort of regulatory requirement is implemented to guide disclosure practices, said Udi Yavo, chief technology officer and co-founder at security vendor enSilo.

      “The Google-Microsoft disclosure dispute is yet another example of why the 90-day window for vulnerability disclosure that has been industry practice for some time should be an actual regulatory requirement,” he said in an emailed statement.

      The legislation should spell out the grace time that is available for vendors that are not able to meet the 90-day window and the consequences for violating these rules.

      Releasing vulnerability information prematurely before a vendor has fixed a zero-day flaw, as Google did in this instance, serves no one, except the small community of researchers who know how to take advantage of it, Yavo said.

      “We have been here before,” said Cris Thomas, strategist at Tenable Network Security. “Vendors need to remember that when it comes to releasing bugs the researcher has all the power. They can do whatever they want with their information, including completely ignoring their carefully crafted disclosure policies.”

      In this instance, it appears that the Google researchers did not feel that Microsoft’s policy for addressing actively exploited bugs was reasonable, Thomas said in a statement.

      Jaikumar Vijayan
      Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×