Google first raised eyebrows in the waning days of 2014 when it publicly disclosed a zero-day vulnerability in Windows 8.1.
In Google’s report of the privilege-escalation bug, the company noted that its 90-day disclosure deadline—the time between a vulnerability being reported privately and a patch subsequently being made available—had elapsed. Microsoft failed to issue a patch in time within the 90-day window, but the company downplayed the bug’s severity.
“It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid log-on credentials and be able to log on locally to a targeted machine,” a Microsoft spokesperson revealed to eWEEK’s Sean Michael Kerner last week. “We encourage customers to keep their antivirus software up-to-date, install all available security updates and enable the firewall on their computer.”
On Sunday, Jan. 11, Google released details about another Windows rights escalation flaw, this one first reported to Microsoft on Oct. 13. Now, as the disclosures pile up, Microsoft is striking a more confrontational tone.
On that same day, Microsoft Security Response Center (MSRC) Senior Director Chris Betz took Google to task for letting slip the details of the latest vulnerability just days before the software giant was scheduled to issue a patch addressing the issue. In an MSRC blog post, he accused Google of releasing “information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.”
Betz further asserted that Google’s strict deadline can hurt more than it helps.
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result,” Betz said. “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
There are conflicting views between those who support full transparency disclosure of IT security issues as they arise and software providers that subscribe to a privately coordinated approach, or Coordinated Vulnerability Disclosure (CVD), as Microsoft terms it. More often than not, CVD enables vendors to stop potentially dangerous bugs before users are affected, argued Betz.
“Of the vulnerabilities privately disclosed through coordinated disclosure practices and fixed each year by all software vendors, we have found that almost none are exploited before a ‘fix’ has been provided to customers, and even after a ‘fix’ is made publicly available only a very small amount are ever exploited,” he stated. “Conversely, the track record of vulnerabilities publicly disclosed before fixes are available for affected products is far worse, with cybercriminals more frequently orchestrating attacks against those who have not or cannot protect themselves.”
Microsoft has been in Google’s shoes, but has walked a different path when it comes to disclosing bugs. “You can see our values in action through our own security experts who find and report vulnerabilities in many companies’ products, some of which we receive credit for, and many that are unrecognized publically,” said Betz.
“We don’t believe it would be right to have our security researchers find vulnerabilities in competitors’ products, apply pressure that a fix should take place in a certain timeframe, and then publically disclose information that could be used to exploit the vulnerability and attack customers before a fix is created,” he added.