Google recently disclosed a bug in Microsoft Windows 8.1 that could give an attacker elevated privileges, and Microsoft is furious. The main reason for Microsoft's anger is that it was going to release a fix within the next two days, and Google revealed the bug before that fix was released.
Google first notified Microsoft of the bug on Oct. 13, 2014, as part of its Project Zero initiative, which identifies security holes in various software, informs the companies about them, and gives them a deadline of 90 days before publicly disclosing the bug. Since the 90 days are over, Google publicly revealed the bug in the Windows 8.1 login function that would allow attackers to gain control of the system.
Google says that if 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Read this blog post.
Microsoft, however, claims that its representatives asked Google to hold the disclosure two more days beyond its 90-day deadline. In a statement published on Sunday, Microsoft’s Chris Betz, senior director of the Microsoft Security Response Center, scolded Google for too-stringent deadlines that ultimately hurt customers.
Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
“Let’s face it, no software is perfect,” Betz wrote. “Microsoft has a responsibility to work in our customers’ best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact people’s lives.”
This is the second incident of its kind to occur in only the last few weeks. On December 29th Google revealed a similar vulnerability in Windows 8.1 before Microsoft had readied a fix, with the search giant saying at the time that it believed its 90-day time limits were fair.
Both giants have their own understanding of this 90-day deadline:
GOOGLE BELIEVES TIME LIMITS ENCOURAGE ACTION — MICROSOFT SAYS IT JUST MAKES COMPLEX SITUATIONS MORE DIFFICULT TO DEAL WITH
But there is one more opinion, from Rob Graham, CEO of security consultancy Errata Security, and it seems quite convincing to me.
According to Graham, Microsoft would sometimes delay fixing bugs for years and rely on its industry muscle to keep researchers and critics quiet. Now, however, Google is the company setting the “industry standard” for reporting, Graham says. “It’s just whining…They [Microsoft] resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.”