Microsoft Protests Bug Disclosure By Google - InformationWeek


News | 1/12/2015 03:25 PM

Microsoft Protests Bug Disclosure By Google

After Google discloses Win 8.1 vulnerability two days prior to planned patch, Microsoft argues in favor of vulnerability publication schedules.


Microsoft on Sunday chided Google for allowing its vulnerability disclosure schedule to undermine Microsoft's vulnerability fix schedule.

On January 11, Google released details about a user privilege escalation flaw in the User Profile Service of Windows 8.1, two days before Microsoft planned to patch the bug. The disclosure followed the expiration of the 90-day deadline Google established last year as part of Project Zero, an initiative to improve online security.

Chris Betz, Microsoft's senior director for trustworthy computing, noted in a blog post that Google released information about the User Profile Service vulnerability despite being asked to withhold the information until January 13, the date of Microsoft's monthly Patch Tuesday.

"Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result," said Betz. "What’s right for Google is not always right for customers."

Betz reiterated Microsoft's support for "Coordinated Vulnerability Disclosure," a process by which security researchers report issues privately to the vendor and then release details once a fix has been published.

[Windows gets more secure, while IE shows the most vulnerabilities. Read Microsoft Software Flaws Increase But Majority Affect IE.]

This is not the first time the two companies have clashed over this issue. Earlier this month, Google released details about another privilege elevation bug affecting Windows 8.1, having reported the bug privately to Microsoft in September.

Google security engineer Ben Hawkes defended Google's 90-day deadline policy in a comment appended to that earlier disclosure, arguing that it provides a reasonable amount of time to fix bugs while also respecting the rights of users to know about the risks that may affect them.

"By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response," Hawkes said.

Google launched Project Zero in July 2014 as an effort to improve Internet security. Citing last year's Heartbleed bug and the ongoing use of zero-day vulnerabilities to target activists and businesses, the company committed to working transparently, by alerting vendors immediately, in private, and by placing vulnerability details in a public database so that vendor responsiveness can be tracked once the 90-day publication deadline passes.

Google raised the issue in 2010 when it criticized slow vendor responses to security disclosures. "We've seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," Google's security team said.

Back then, Google suggested waiting just 60 days before disclosing a genuinely critical vulnerability.

In response to Microsoft's contention that Google's disclosure policy is irresponsible, Google argues that it is irresponsible to leave flaws unfixed for an excessive period of time.

As to what constitutes an excessive period of time, that may never be resolved to everyone's satisfaction. For Microsoft, 92 days would have worked because that would have fallen within its patch schedule. But that's two more days than Google's present policy allows, and once you start making exceptions, then everyone wants one.


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
asksqn, User Rank: Ninja, 1/29/2015 | 5:40:40 PM
Pssst, Bill
Methinks thou doth protest waaay too much.  The only "harm" in releasing bugs is in the fevered imagination of Microsoft lawyers.
hho927, User Rank: Ninja, 1/14/2015 | 1:10:50 PM
Re: Cheap
LOL androids are full of bugs. About 60% of android users are using old androids.

Google refuse to fix bugs on old versions. They only fix bugs on the latest version. The problem is by the time you can find a bug, they already move to the next version. The old bugs are fixed on the next version. Users with old versions are ignored.

MS does not need to prove/find anything.
hho927, User Rank: Ninja, 1/14/2015 | 1:03:55 PM
Don't do evil
If you use old android versions with full of bugs, Google will tell you to go away (upgrade). They only fix bugs on the current version. Can't upgrade the old phones. So basically, Google is very ignorant. They don't care about anything else except themselves. Why should they? They only care when it hits their wallets.

Google is doing evil things (opposite to their slogan).
GonzSTL, User Rank: Strategist, 1/14/2015 | 9:38:50 AM
Microsoft Protests Bug Disclosure By Google
What a fiasco! In today's ever increasing threat environment, vendors should work faster than ever to fabricate and test fixes to any vulnerability, and get it out to consumers as soon as possible. Time deadlines are artificial, and can vary depending on the severity and complexity of the vulnerability and its remedy. Forget the deadlines - fix as soon as possible, and get the fix out immediately after it is ready.
mak63, User Rank: Ninja, 1/13/2015 | 9:10:18 PM
Hawkes said
"By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner"

I wonder how regular users would react, if they happen to know/read that their systems have a security vulnerability.
Some Guy, User Rank: Strategist, 1/13/2015 | 1:57:15 PM
A Pox on Both Their Houses
The issue isn't 90 days vs. 92 days. It's 92 days vs. 7. 

In the HW world, world class responsiveness is problem repeatable in 24 hours, immediate corrective action within 1 week, and a permanent corrective action or plan and schedule for permanent corrective action within 4 weeks.

It's all part of the 8D (D=disciplines), and the SW world is woefully behind.

And, finally to both Google and Microsoft: fix the problem, not the blame. A pox on both your houses until you get it that SW should be held to the same strict quality & liability standards as every other product.
danielcawrey, User Rank: Ninja, 1/13/2015 | 12:32:34 PM
Re: Cheap
From the outside, this sounds like a lot of squabbling. But it seems as though Google is sticking to its rules here. It would be interesting to see if Microsoft could find a flaw in Google's Chrome OS and do a bit of retaliation. But that doesn't seem realistic. 
David Wagner, User Rank: Strategist, 1/13/2015 | 12:01:01 PM
Re: Cheap
@nasimson - I'll assume it wasn't ready. But even if it was, what exactly did Google get out of embarrassing Microsoft? Not more secure computing for sure.
Midnight, User Rank: Strategist, 1/13/2015 | 10:54:13 AM
Patch timelines are excessive
For an organization the size of Microsoft, 90 days is equivalent to years of developer time. If a single security bug is so massively severe that they can't get the patch together and tested in 30 days, the flaw can only be a symptom of a much larger problem. The problem of poor coding in the initial product. This policy of releasing pre-beta quality code as a finished product, and releasing fixes (not feature enhancements but actual code fixes) across the entire planned lifespan of the product (sometimes even through extended lifespans) Is Not Normal and should not be considered Acceptable.

- Just because everyone starts bashing themselves in the face with a hammer one day does Not make the behavior normal -

The problem is only getting worse, not better. So kudos to Google for automating the notification process and shame to Microsoft for dragging its feet on fixing a Security bug in its current flagship desktop product. If there is a problem here, it is in Microsoft's bureaucracy, not its technical resources to achieve a timetable. And if the flaw is so severe that it actually took more than 2 months to create a fix, consider the timetable of development for the whole Windows 8 abomination and its subsequent 8.1 reboot. That 2 months is suddenly a pretty significant chunk of development time in which massive changes can alter a product for good or ill. (Sorry, but I really dislike supporting Windows 8.x)

I will fully acknowledge debugging code is harder than writing crap code to start with, but ya know what's easier? Supporting code that was well written and tested to start with. Oh, but sales and marketing says it's not as profitable as the eternal bug fix. Nuff said.
nasimson, User Rank: Ninja, 1/13/2015 | 8:16:54 AM
Re: Cheap
@David:

Why didn't Microsoft release the patch 5 days before on the Tuesday a week earlier?