Google reveals Windows flaw mere days before Patch Tuesday fix, irking Microsoft

Google published a bug it found in Windows 8.1 before Microsoft could patch it. But Microsoft is crying foul, saying a fix is in the works.

Google just spilled the beans on a Windows 8.1 vulnerability that could give an attacker elevated privileges and Microsoft is not happy about it.

Currently, Google's policy is to publish any vulnerabilities it finds 90 days after notifying the software vendor of the issue. Google publicized this latest flaw on Google Code on Sunday before Microsoft had a chance to release a fix. A similar Windows bug was publicized in late December.

What's got Microsoft so miffed is that Google released the information just two days before the Windows maker planned to release a fix during the company's usual "patch Tuesday" on January 13, 2015. What's more, Microsoft claims it was in touch with Google and that the search giant was well aware of Microsoft's timeline.

"The decision [to publish the bug] feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result," Microsoft said in a recent blog post.

Why this matters: How and when companies and researchers decide to release software bugs can have serious implications if businesses, home users, or large organizations are left without a patch. Nevertheless, putting vulnerability fixes on some kind of timeline is also important since larger organizations sometimes delay fixing problems if not faced with a firm deadline, thereby leaving users exposed. But security researchers and companies with affected software need to work together on publishing the flaw and a fix in a timely manner so that end users are not left vulnerable.

Turned tables

Although Microsoft isn't happy about Google's decision, at least one security researcher says Microsoft's complaints are too little, too late.

Ten years ago, "Microsoft dictated the 'industry standard' of how security problems were reported," Rob Graham, CEO of security consultancy Errata Security, recently said on his company's blog.

According to Graham, Microsoft would sometimes delay fixing bugs for years and rely on its industry muscle to keep researchers and critics quiet. Now, however, Google is the company setting the "industry standard" for reporting, Graham says. "It's just whining...They [Microsoft] resent how Google exploits its unfair advantage. Since Microsoft can't change their development, they try to change public opinion to force Google to change."

Microsoft certainly has its hands full when it comes to bug fixes, and the company does move more slowly than other companies. But Google couldn't delay publication for two days when Microsoft had already promised a fix?

Putting companies on a deadline for timely, responsible patching is a great policy to have. Keeping to that deadline even when a promised fix is mere days away, however, doesn't help users. It just makes Google look like it's trying to stick it to Microsoft.

Join the CSO newsletter!

Error: Please check your email address.

Tags GoogleMicrosoftsecurity

More about GoogleMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ian Paul

Latest Videos

More videos

Blog Posts