Aerosol, posted January 12, 2015

Microsoft has criticised Google for its public disclosure of a Windows flaw, claiming the company's actions were irresponsible and benefited hackers.

Google disclosed a Windows 8.1 bug publicly last week, having privately reported the vulnerability to Microsoft in September as part of its ongoing Project Zero security initiative.

Project Zero is a security initiative launched by Google in July 2014. It first discloses flaws privately to the vendors concerned and gives them a 90-day deadline to release a fix before making the research public.

Microsoft Trustworthy Computing senior director Chris Betz criticised Google's January disclosure in a blog post, saying the firm had responded to Google's report and was already developing a fix.

"[Google] has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well-known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so," he said.

"Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix."

He added that Google's actions would undoubtedly benefit hackers more than end users.

"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result," he said.

"What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

"Even for those able to take preparatory steps, risk is significantly increased by publicly announcing information that a cyber criminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue."

Betz said the disclosure is part of a wider issue with operations like Project Zero, arguing that companies should instead follow a Coordinated Vulnerability Disclosure (CVD) policy.

"Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment," he said.

"It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a 'fix' before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack."

Google had not responded to a request for comment from V3 at the time of writing.

Experts within the security community have been divided over the merits of public versus private disclosure policies for many years.

F-Secure security adviser Sean Sullivan told V3 that, while he is sympathetic to Microsoft's point, the firm should have made its argument earlier.

"Microsoft should have complained about Google's policy months ago if it has a problem with it. Google Online Security has recommended 60 days in some cases since at least May 2013," he said.

"On the other hand, just because Google discovered this vulnerability on September 30, 2014 doesn't mean it should disclose exactly 90 days later - that's just evil."

"There's no reason Google's official formula can't be 90 days plus or minus some X number of days for the nearest scheduled monthly update."

Microsoft has been criticised for its slow response to privately disclosed flaws in the past. The firm failed to patch a critical vulnerability in Internet Explorer 8, leaving users open to attack more than 180 days after researchers privately disclosed the bug in May 2014.