Microsoft blasts Google over Windows 8.1 bug report
Redmond claims Google was wrong to publicly disclose flaw as it was days away from being fixed
Microsoft has hit back at Google's decision to publicly disclose a Windows 8.1 security flaw several days before the software giant was due to patch it.
As reported by IT Pro last week, Google decided to speak up about the bug over claims Microsoft had failed to fix it within 90 days of its discovery.
The flaw could have left Windows 8.1 users open to Elevation of Privilege attacks, and is set to be fixed tomorrow in Microsoft's first Patch Tuesday of 2015.
Perhaps unsurprisingly, Microsoft has not reacted kindly to Google publicly announcing details of the bug, given that it was days from being rectified.
In a lengthy blog post, Chris Betz, leader of the Microsoft Security Response Centre (MSRC), said the vendor specifically asked Google to withhold details of the security flaw until tomorrow, but the search firm declined.
"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result," Betz wrote.
Now details of the flaw are out in the open, Microsoft fears users could be put at increased risk of cyber attacks.
"What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal," Betz added.
"We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon."
Betz then goes on to talk about Microsoft's preference for Co-ordinated Vulnerability Disclosure, which he claims "limits the field of opportunity" for hackers to carry out attacks, as it gives vendors ample time to address issues.
The alternative approach of full disclosure, which is the one Google employed, forces customers to take action to protect themselves, Betz said. But it's not always terribly successful.
"The vast majority take no action, being largely reliant on a software provider to release a security update," Betz explained.
"Even for those able to take preparatory steps, risk is significantly increased by publicly announcing information that a cybercriminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue."
IT Pro contacted Google for its response, but had not received one at the time of publication.
Microsoft has decided to restrict its Advanced Notification Services (ANS) about upcoming software updates to its Premium customers, rather than alerting all users via a blog post.