Google reveals Windows flaw mere days before Patch Tuesday fix, irking Microsoft

Google published a bug it found in Windows 8.1 before Microsoft could patch it. But Microsoft is crying foul, saying a fix is in the works.

Google just spilled the beans on a Windows 8.1 vulnerability that could let an attacker who already has a foothold on a machine gain elevated privileges, and Microsoft is not happy about it.

Currently, Google's policy is to publish any vulnerability it finds 90 days after notifying the software vendor of the issue, whether or not a fix has shipped. Google publicized this latest flaw on Google Code on Sunday, before Microsoft had released a fix. A similar Windows privilege-escalation bug was publicized under the same policy in late December.

What's got Microsoft so miffed is that Google released the information just two days before the Windows maker planned to ship a fix as part of its regular "Patch Tuesday" release on January 13, 2015. What's more, Microsoft claims it was in touch with Google and that the search giant was well aware of Microsoft's timeline.

"The decision [to publish the bug] feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result," Microsoft said in a recent blog post.

Why this matters: How and when companies and researchers decide to disclose software vulnerabilities can have serious consequences if businesses, home users, or large organizations are left without a patch while details are public. Nevertheless, putting vulnerability fixes on some kind of timeline is also important, since vendors sometimes delay fixing problems for months or years if not faced with a firm deadline, leaving users exposed in the meantime. The practical answer is for researchers and the affected vendor to coordinate so that the flaw and the fix are published together, in a timely manner, and end users are not left vulnerable.

Turned tables

Although Microsoft isn't happy about Google's decision, at least one security researcher says Microsoft's complaints are too little, too late.

Ten years ago, "Microsoft dictated the 'industry standard' of how security problems were reported," Rob Graham, CEO of security consultancy Errata Security, recently said on his company's blog.

According to Graham, Microsoft would sometimes delay fixing bugs for years and rely on its industry muscle to keep researchers and critics quiet. Now, however, Google is the company setting the "industry standard" for reporting, Graham says. "It's just whining... They [Microsoft] resent how Google exploits its unfair advantage. Since Microsoft can't change their development, they try to change public opinion to force Google to change."

Microsoft certainly has its hands full when it comes to bug fixes, and the company does move more slowly than some of its peers. But Google couldn't delay publication for two days when Microsoft had already committed to a fix date?

Putting companies on a deadline for timely, responsible patching is a great policy to have. Keeping to that deadline even when a promised fix is mere days away, however, doesn't help users. It just makes Google look like it's trying to stick it to Microsoft.

By Ian Paul