Microsoft condemns Google for revealing Security hole in Windows 8

Google has recently disclosed a bug in Microsoft Windows 8.1 that could give an attacker elevated privileges. Microsoft is furious over the disclosure, mainly because it planned to release a fix within the next two days and Google published the details before that fix shipped.


Google first notified Microsoft of the bug on Oct. 13, 2014 as part of its Project Zero initiative, which identifies security holes in various software, informs the vendors, and gives them a 90-day deadline before publicly disclosing the bug. Since those 90 days have now elapsed, Google publicly revealed the bug in the Windows 8.1 logon function, which would allow attackers to gain elevated control of the system.

Google says that if 90 days elapse without a broadly available patch, the bug report automatically becomes visible to the public. See Google's blog post on the policy for details.

Microsoft, however, claims that its representatives asked Google to hold the disclosure two more days beyond the 90-day deadline. In a statement published on Sunday, Microsoft’s Chris Betz, senior director of the Microsoft Security Response Center, scolded Google for too-stringent deadlines that ultimately hurt customers:

Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

“Let’s face it, no software is perfect,” Betz wrote. “Microsoft has a responsibility to work in our customers’ best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact people’s lives.”

This is the second incident of its kind in only the last few weeks. On December 29th Google revealed a similar vulnerability in Windows 8.1 before Microsoft had readied a fix, with the search giant saying at the time that it believed its 90-day time limit was fair.

The two giants have their own readings of this 90-day deadline:

GOOGLE BELIEVES TIME LIMITS ENCOURAGE ACTION — MICROSOFT SAYS THEY JUST MAKE COMPLEX SITUATIONS MORE DIFFICULT TO DEAL WITH

But there is one more opinion, from Rob Graham, CEO of security consultancy Errata Security, and it seems quite convincing to me.

According to Graham, Microsoft would sometimes delay fixing bugs for years and rely on its industry muscle to keep researchers and critics quiet. Now, however, Google is the company setting the “industry standard” for reporting, Graham says. “It’s just whining… They [Microsoft] resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.”

Share your views in comments. :)

  • James Hastings-Trew

    My wild-assed guess about Microsoft’s situation is that they have a very wide range of products and services that every patch has to be tested against, and a fairly well-established day of the week on which they push patches out (Tuesday). It does seem pretty cheap to establish a 90-day rule for reporting when the end of those 90 days happens two days before Patch Tuesday. Maybe the rule should be ‘the first Tuesday after 90 days’ to at least give the largest OS vendor on the planet a chance to stick to their patch schedule.

    • hiteshgarg21

      Yeah, I agree too. But I also agree with Rob Graham, CEO of security consultancy Errata Security, and I think that this 90-day limit is like setting a new standard in the industry.
      Although Google should understand that the customer is above all, and if some acts are doing harm to the customer then they should be given proper thought, this will still really set standards and force companies to work at their full pace.