Microsoft Upset with Google over Bug Report
It seems that Microsoft and Google aren’t getting along too well at the moment, at least when it comes to the best way to talk about bugs in each other’s products and services. A post on ZDNet points the way back to a couple of posts that show that the two companies haven’t figured out a good way to cooperate on the subject of “Coordinated Vulnerability Disclosure.”
The trouble seems to have started a few months ago, when Google sent Microsoft a 90-day notice that it intended to post about an exploit in Windows 8.1, in which low-privileged users could manipulate the operating system to obtain administrator access. The posting was part of Google’s Project Zero initiative, in which exploits and bugs are posted publicly so as to crowd-source solutions to security problems like this.
While that in and of itself shouldn’t have raised Microsoft’s hackles, it seems that Microsoft had plans to publish a fix for the bug on January 13 – and the posting was set to go up on January 11. Microsoft had specifically asked Google not to publish its findings on that day, since the fix was only two days away, but Google went ahead and posted it anyway. In short, the two companies couldn’t coordinate the disclosure of a particular security vulnerability.
As a result, Chris Betz, director of the Microsoft Security Response Center, condemned Google’s move in a post on a Microsoft blog:
“[Coordinated Vulnerability Disclosure] philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well-known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
The patch will hit Windows 8.1 machines tomorrow, so hopefully no one will take advantage of the exploit between now and then. But this incident underscores the many ways that tech companies might seek to undermine each other. If nothing else, Microsoft might reconsider its plans to stick to a Tuesday schedule for releasing patches – especially if Google tells them that it will post information about bugs 90 days in advance. Maybe a Saturday or Sunday patch would’ve been in order here…
[Source: ZDNet]