Microsoft Protests Bug Disclosure By Google - InformationWeek

1/12/2015 03:25 PM

Microsoft Protests Bug Disclosure By Google

After Google discloses Win 8.1 vulnerability two days prior to planned patch, Microsoft argues in favor of vulnerability publication schedules.


Microsoft on Sunday chided Google for allowing its vulnerability disclosure schedule to undermine Microsoft's vulnerability fix schedule.

On January 11, Google released details about a user privilege escalation flaw in the User Profile Service of Windows 8.1, two days before Microsoft planned to patch the bug. The disclosure followed the expiration of the 90-day deadline Google established last year as part of Project Zero, an initiative to improve online security.

Chris Betz, Microsoft's senior director for trustworthy computing, noted in a blog post that Google released information about the User Profile Service vulnerability despite being asked to withhold the information until January 13, the date of Microsoft's monthly Patch Tuesday.

"Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result," said Betz. "What’s right for Google is not always right for customers."

Betz reiterated Microsoft's support for "Coordinated Vulnerability Disclosure," a process by which security researchers report issues privately to the vendor and then release details once a fix has been published.

[Windows gets more secure, while IE shows the most vulnerabilities. Read Microsoft Software Flaws Increase But Majority Affect IE.]

This is not the first time the two companies have clashed over this issue. Earlier this month, Google released details about another privilege elevation bug affecting Windows 8.1, having reported the bug privately to Microsoft in September.

Google security engineer Ben Hawkes defended Google's 90-day deadline policy in a comment appended to that earlier disclosure, arguing that it provides a reasonable amount of time to fix bugs while also respecting the rights of users to know about the risks that may affect them.

"By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response," Hawkes said.

Google launched Project Zero in July 2014 as an effort to improve Internet security. Citing last year's Heartbleed bug and the ongoing use of zero-day vulnerabilities to target activists and businesses, the company committed to working transparently, by alerting vendors immediately, in private, and by placing vulnerability details in a public database so that vendor responsiveness can be tracked once the 90-day publication deadline passes.

Google raised the issue in 2010 when it criticized slow vendor responses to security disclosures. "We've seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," Google's security team said.

Back then, Google suggested waiting just 60 days before disclosing a genuinely critical vulnerability.

In response to Microsoft's contention that Google's disclosure policy is irresponsible, Google argues that it is irresponsible to leave flaws unfixed for an excessive period of time.

As to what constitutes an excessive period of time, that may never be resolved to everyone's satisfaction. For Microsoft, 92 days would have worked because that would have fallen within its patch schedule. But that's two more days than Google's present policy allows, and once you start making exceptions, then everyone wants one.


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
David Wagner, User Rank: Strategist
1/13/2015 | 12:01:01 PM
Re: Cheap
@nasimon- I'll assume it wasn't ready. But even if it was, what exactly did Google get out of embarrassing Microsoft? Not more secure computing, for sure.
David Wagner, User Rank: Strategist
1/13/2015 | 12:24:20 AM
Re: Cheap
@nasimon- Well, the issue to me is that the patch was coming out. And Google knew the patch was coming out. The point of disclosing the bug is to compel the company to do something. Even Google says so. Microsoft was already doing something. They patch on Tuesdays. Google announces on Sunday. Why? To either give someone two days to exploit it or to embarrass Microsoft. No purpose was served. If Microsoft didn't have a patch on the way, I totally agree Google should put it out there.
David Wagner, User Rank: Strategist
1/12/2015 | 7:03:22 PM
Cheap
It really was cheap of Google in this case. Microsoft was already working on it and had a patch ready in 48 hours. I buy the idea that Google should allow customers to pressure Microsoft when they don't have a planned patch. But it seems disingenuous in this case.

At the same time, Microsoft is a bit sensitive.

It makes me feel like the folks at both companies need to grow up a bit.