
Microsoft hits back after Google publicises Windows bug

by Mark Tyson on 13 January 2015, 10:20

Tags: Google (NASDAQ:GOOG), Windows 8


Google's Project Zero team publicised an unpatched flaw in Windows systems on Sunday. The bug, which affects Windows 8.1, was therefore more likely to be exploited by hackers, malware writers and the like before it could be patched later today, Patch Tuesday.

The Project Zero team finds software bugs and vulnerabilities and gives developers 90 days to fix them before making the problems public. Google initially told Microsoft about the Windows 8.1 bug on 13th October 2014, so following its own pre-set rule it publicised the bug on Sunday, 11th January.

The inter-company friction arises from the following: Microsoft had asked Google to delay publishing the bug details for a couple of days so that Windows users could be patched first. However, Google would not break its own 90-day rule and went ahead and made the flaw public on Sunday.

Google 'Gotcha'

In response to Google's lack of flexibility, Microsoft exec Chris Betz wrote in a blog on the company's site on Sunday: "We asked Google to work with us to protect customers by withholding details until Tuesday, Jan. 13, when we will be releasing a fix. Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result." Betz added: "What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

Opinion is split over whether Google was right to publicise the bug on principle, or whether it should have shown some flexibility to help protect Windows users. The BBC has quotes from supporters on both sides of the argument, but at the time of writing Google is yet to officially respond to the Microsoft TechNet blog post by Chris Betz.

What do readers think about Google Project Zero and its disclosure of the unpatched bug in this case?

HEXUS Forums :: 49 Comments

As I see it, if Google didn't release these bugs every once in a while, businesses like Microsoft would have no incentive to patch them quickly. So in many respects Google is still working on the side of Microsoft by reminding them to do their jobs…
If the above is an accurate summation of what occurred (and the BBC and other sites seem to be telling the same story) then I'm going to side with Microsoft in this case. Sure, I'm happy that Google's Project Zero folks are trying to keep developers “honest” wrt security. But to release details of the flaw when they'd been told that it was going to be patched in two days time seems vindictive.

On the other hand I have no problem with the idea that Google turns around and says "sure, you're patching on the 13th. Okay, we'll release details on the 15th", as that would have been the sensible thing to do since it'd be giving Microsoft a chance to do the correct thing and patch the flaw.
I think we are forgetting that Microsoft actually had two releases prior to this one, and they could maybe have urged a bit more to have it fixed within the time given by Google?
I'm surely standing with Google on this one. Two patch cycles is a lot; yea, it takes time to make the fix, but it should not take 50+ days.
Microsoft knew the deadline was 90 days, and if Tuesday was such an issue, why wasn't it released on the Tuesday prior to the deadline? Sure, it may look vindictive of Google, but what about the hypocrisy of allowing a giant company such as Microsoft to dictate when it can release its statements, while smaller companies would not be given that chance? By sticking to their guns Google at least remain honest to the terms that they set, and as a result I side with them.
Meanwhile, Google is ignoring security flaws in Jelly Bean (Android 4.3)…

http://blogs.wsj.com/digits/2015/01/12/google-not-fixing-some-old-android-bugs/

Considering that Jelly Bean *still* powers roughly two-thirds of all Android devices worldwide, you'd think they would take care of their own business before calling out someone else, especially when they'd already been in contact with Microsoft and had been given a repair date. So no, Google wasn't being honest, nor good guys. They were being hypocrites of the worst kind.