Google discloses another unpatched Windows flaw, irritates Microsoft

Microsoft is unhappy that Google didn't want to wait another two days before publicly releasing details about the vulnerability

Google released details of a second unpatched privilege escalation flaw in Windows 8.1 in less than a month, drawing criticism from Microsoft.

Microsoft is unhappy with the 90-day public disclosure deadline enforced by Google's security research team known as Project Zero.

Project Zero members routinely find vulnerabilities in products from other companies. These flaws get reported to the affected software vendors and if they are not patched in 90 days, Google automatically makes the vulnerability details public.

On Dec. 29, Google Project Zero disclosed an elevation of privilege (EoP) vulnerability affecting Windows 8.1 that Microsoft hadn't yet patched. The vulnerability was reported to Microsoft on Sept. 30, so the 90-day deadline expired, Google said at the time.

On Sunday, the company's researchers disclosed yet another unpatched EoP flaw in Windows 8.1, which had been reported to Microsoft on Oct. 13. This time the disclosure irked Microsoft, which planned to fix the vulnerability tomorrow. Microsoft releases security patches on the second Tuesday of every month, which has come to be known as Patch Tuesday in the industry.

As the name suggests, an EoP flaw can be exploited to gain administrator privileges on a system from a low privileged account. They are not critical vulnerabilities, like those that allow for arbitrary code execution, but they can make such flaws even more dangerous and should be patched.

"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," said Chris Betz, senior director with Microsoft's Security Response Center, in a blog post Sunday. "Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result."

The entry corresponding to this vulnerability on Google's security research tracker confirms that Microsoft was denied a deadline extension.

"Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended," the entry reads. "Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015."

In practice, companies like Microsoft, which follow monthly or quarterly patching cycles and only rarely deviate from them to fix actively exploited, high-risk flaws, have less than 90 days to push out fixes for security issues reported by Google.

For example, if Google's researchers contact Microsoft about a flaw a few days after the company released its latest monthly batch of security updates, the company will have to develop a patch and have it ready for the next Patch Tuesday or the one after that -- in around 60 days. If it waits longer, the deadline will expire before its next scheduled patch release, as happened in this case.
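The arithmetic behind that argument can be checked against the dates in this story. The following script is an added example, not code from Google, Microsoft or the article; it assumes only that Patch Tuesday is the second Tuesday of each month and that Project Zero's window is a fixed 90 calendar days from the report date.

```python
from datetime import date, timedelta

DEADLINE_DAYS = 90  # Project Zero's fixed disclosure window


def patch_tuesday(year, month):
    """Second Tuesday of the given month (Microsoft's regular update day)."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Tuesday=1; distance from the 1st to the first Tuesday
    offset = (1 - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def next_patch_tuesdays(start, count):
    """The `count` Patch Tuesdays strictly after `start`, in calendar order."""
    year, month = start.year, start.month
    result = []
    while len(result) < count:
        pt = patch_tuesday(year, month)
        if pt > start:
            result.append(pt)
        month += 1
        if month > 12:
            month, year = 1, year + 1
    return result


def fix_window(reported_iso):
    """For a report date (ISO string), compute the 90-day deadline, the last
    Patch Tuesday that still falls inside it, and the first one that misses it."""
    reported = date.fromisoformat(reported_iso)
    deadline = reported + timedelta(days=DEADLINE_DAYS)
    upcoming = next_patch_tuesdays(reported, 5)  # 5 months covers any 90-day span
    inside = [pt for pt in upcoming if pt <= deadline]
    missed = [pt for pt in upcoming if pt > deadline]
    return {
        "deadline": deadline.isoformat(),
        "last_safe": inside[-1].isoformat(),
        "days_available": (inside[-1] - reported).days,
        "first_missed": missed[0].isoformat(),
        "days_late": (missed[0] - deadline).days,
    }


if __name__ == "__main__":
    # The two report dates from the article: Sept. 30 and Oct. 13, 2014.
    for reported in ("2014-09-30", "2014-10-13"):
        print(reported, fix_window(reported))
```

For the Oct. 13 report the last Patch Tuesday inside the window is Dec. 9 (57 days after the report), and the Jan. 13 release lands two days past the Jan. 11 deadline, which is the gap Microsoft asked Google to wait out.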

"We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon," Betz said. "Other companies and individuals believe that full disclosure is necessary because it forces customers to defend themselves, even though the vast majority take no action, being largely reliant on a software provider to release a security update. Even for those able to take preparatory steps, risk is significantly increased by publicly announcing information that a cybercriminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue."

Microsoft, whose researchers also find vulnerabilities in products from other companies, encourages and practices what it calls "Coordinated Vulnerability Disclosure" (CVD), a policy where those who find vulnerabilities work with the vendor until fixes are made available and only then share details about those flaws publicly.

This might sound like the responsible thing to do, but software vendors are not equal in how they handle vulnerability reports. Some may take months or years to fix a particular flaw, and some are very bad at communicating with external security researchers.

There have been many cases in the past where different researchers independently discovered the same vulnerability, which means that given enough time malicious hackers might also find and exploit flaws found by researchers, but not yet patched by vendors. Google's deadline attempts to strike a balance between the vulnerability remediation needs of software vendors and the public interest.

"Project Zero believes that disclosure deadlines are currently the optimal approach for user security -- it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face," said Project Zero researcher Ben Hawkes in December following the disclosure of the first EoP flaw. "By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response."

Google is right, said Robert Graham, the CTO of security research firm Errata Security, in a blog post. "Since we can't make perfect software, we must make fast and frequent fixes the standard. Nobody should be in the business of providing 'secure' software that can't turn around bugs quickly. Rather than 90 days being too short, it's really too long."


Stories by Lucian Constantin
