Gotcha! Google angers Microsoft by exposing Windows vulnerability
At the end of last week, Google took the somewhat unusual step of releasing details of a Windows vulnerability before a patch had been produced. Microsoft is unhappy. Very unhappy. The bug, which affects the 32- and 64-bit versions of Windows 8.1 Update, was publicized as part of Google's Project Zero, but Microsoft is calling it a "gotcha".
So angered was Microsoft that Chris Betz, Senior Director of the Microsoft Security Response Center, hit out at Google in a strongly worded blog post. Citing the war against cyberattacks, Betz expresses anger that Google made public a security issue concerning the elevation of privileges in Windows user accounts, saying that companies should "come together and not stand divided".
The vulnerability was not a brand new discovery. Details were published to Google Security Research back in October with a 90-day embargo on it. Once this deadline was hit -- yesterday, 11 January -- details of the security problem were automatically made public. Microsoft is due to publish a fix in tomorrow's Patch Tuesday updates, but details of the problem are now out in the wild, giving attackers a window of opportunity to exploit the vulnerability.
Betz is furious that Google did not give Microsoft time to publish its patch before making the security issue known publicly. He points out that Microsoft believes in Coordinated Vulnerability Disclosure, an agreement by which companies work together to warn each other of security problems in their products in a bid to avert cyberattacks.
Microsoft was warned about the issue by Google -- the company is just annoyed that the publicity fell outside of its release schedule for patches. While Google believes that giving companies a deadline to fix problems before they are made public helps to force security issues to be addressed quickly, Microsoft disagrees:
Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a 'fix' before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack.
We know that Google told Microsoft about the problem. Betz even tells us that Microsoft requested that things be kept under wraps for another 48 hours, suggesting that there is a danger Windows users will suffer as a result of the disclosure:
Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result.
He says that in order to address security problems, there is a need to work together, a need for better coordinated vulnerability disclosure. He suggests that Google has been rather selfish in using the Windows vulnerability to gain exposure for itself:
What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
Should Google have waited for the right time in Microsoft's timetable to release details of the vulnerability, or should Microsoft have pushed forward its patch schedule?