Talking tech since 2003
exploit Google Microsoft Project Zero //security windows Windows 8.1

Microsoft Upset with Google over Bug Report

by Brian P. Rubin 2 min read

It seems that Microsoft and Google aren’t getting along too well at the moment, at least when it comes to the best way to talk about bugs in each other’s products and services. A post on ZDNet points the way back to a couple of posts that show that the two companies haven’t figured out a good way to cooperate on the subject of “Coordinated Vulnerability Disclosure.”

The trouble seems to have started a few months ago, when Google sent Microsoft a 90-day notice that it intended to post about an exploit in Windows 8.1, in which low-level users could monkey with the operating system to obtain administrator access. The posting was part of Google’s Project Zero initiative, in which exploits and bugs are posted publicly so as to crowd-source solutions to security problems like this.

While that in and of itself shouldn’t have raised Microsoft’s hackles in and of itself, it seems that Microsoft had plans to publish a fix for the bug on January 13 – and the posting was set to go up on January 11. Microsoft had specifically asked Google not to publish its findings on that day since the fix was only two days away, but they went ahead and posted it anyway. In short, the two companies couldn’t coordinate the disclosure of a particular security vulnerability.

As a result, Chris Betz, director of the Microsoft Security Response Center, condemned Google’s move in a post on a Microsoft blog:

“[Coordinated Vulnerability Disclosuer] philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.  Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

The patch will hit Windows 8.1 machines tomorrow, so hopefully no one will take advantage of the exploit between now and then. But this incident underscores the many ways that tech companies might seek to undermine each other. If nothing else, Microsoft might reconsider its plans to stick to a Tuesday schedule for releasing patches – especially if Google tells them that it will post information about bugs 90 days in advance. Maybe a Saturday or Sunday patch would’ve been in order here…

[Source: ZDNet]

Read more posts by this author

Brian P. Rubin

Brian's been a writer-for-hire for the better part of ten years, creating content for Geek Magazine, Machinima, and even Hasbro's Trivial Pursuit. After living in New York for most of his life, he re

The link has been copied!
You've successfully subscribed to BestTechie
Welcome back! You've successfully signed in.
Great! You've successfully signed up.
Your link has expired
Success! Your account is fully activated, you now have access to all content.