Microsoft blasts Google for baring Windows bugs before they're patched

After Google posted detailed information about another Windows vulnerability before Microsoft could patch the flaw, Microsoft lashed out, calling its rival's move a "gotcha" that puts users at risk.

After Google posted detailed information about a second Windows vulnerability in less than two weeks - before Microsoft was able to patch the flaws - Microsoft has lashed out, calling its rival's move a "gotcha" that puts users at risk.

Some security experts sided with Google -- saying that in a changed world, patching must speed up -- while others saw the search giant's decision to reveal vulnerability information, including proof-of-concept attack code, as arbitrary and counter-productive.

No matter who's in the right, if anyone, Google's policy of automatically releasing bug information 90 days after reporting it to Microsoft has reignited a smoldering debate about how security researchers should handle their discoveries.

But Microsoft was clearly peeved on Monday.

"Google has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well-known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so," said Chris Betz, senior director of the Microsoft Security Response Center (MSRC), in a blog post early today.

"Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," added Betz. "[Google's] decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result."

The latest bug report was published by Google on its Project Zero website Sunday, and, like the one disclosed Dec. 29, involved Windows 8.1, Microsoft's newest operating system.

Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically posts details, including sample attack code in most cases, if the bug has not been patched.

There are currently five such vulnerabilities in the group's "Open" category: two in Windows and three in Apple's OS X.

The two that affected Windows 8.1, and which Microsoft took exception to, were both uncovered and reported by James Forshaw, a noted researcher who joined Google and Project Zero last August. Ironically, Forshaw was awarded a $100,000 bounty by Microsoft in October 2013 for demonstrating a new way to circumvent Windows' defensive technologies.

Microsoft and Google have been at odds before over vulnerability disclosure policies.

In 2010, Microsoft pitched its concept of "coordinated vulnerability disclosure," or CVD, a name change for what it had earlier called "responsible disclosure." Under that policy, which under the latter moniker harks back decades, researchers are to wait until a patch is available before going public.

Around the same time, Google proposed that there should be a hard deadline of 60 days to patch a problem.

Both companies had reacted to an increasingly heated discussion among researchers and vendors about disclosure, prompted in part by an incident that year when Google security engineer Tavis Ormandy went public with a critical Windows XP bug just five days after reporting it to Microsoft.

Although the public debate about vulnerability disclosure practices had waned in the interim, it had never really disappeared, said Chet Wisniewski, a security researcher with Sophos, in an interview. Now that the discussion has again gone mainstream, years of progress towards what Wisniewski saw as a more civil debate could easily be ruined. "Holding back a bug is never appropriate, but neither is always disclosing a bug," Wisniewski argued. "Everyone gets the most leverage when disclosure is coordinated."

Wisniewski took exception to Google's practice of automatically revealing information and its inclusion of proof-of-concept code that demonstrated an exploit, which cyber criminals could use or leverage to build their own attacks.

By disclosing information after 90 days, no matter how close a developer like Microsoft was to patching, Google "tries to put pressure on vendors without being a dick," said Wisniewski. "They say, 'It will be automatic, so you can't accuse us of being vindictive.' But I don't agree that humans should not be involved.

"And patching something as big and complicated as Windows is not like patching a Web app or Yahoo Mail," Wisniewski continued. "The 90 days is arbitrary, but what concerned me the most was that Google dropped proof-of-concept code. That's unnecessary and a bit show-offy."

John Pescatore, director of emerging security trends at the SANS Institute, backed Google's 90-day approach. "It's good that Google is pushing the envelope. The world is really changing, and it's worthwhile to revisit the norms of disclosure," Pescatore said in an interview.

But Pescatore's point wasn't that pressure to patch will motivate vendors like Microsoft. Instead, he called out corporations as the weak link. "Attacks are not taking advantage of missing patches, they're taking advantage of vulnerabilities that haven't been patched by customers," Pescatore said. "It's time for this process to speed up. Not Microsoft's process, but those of enterprises. The race is not before the patch comes out, but after, when enterprises apply the patch. IT is so stuck in the old days."

And Pescatore argued that this IT mindset -- bolstered by Microsoft's monthly patch schedule -- is increasingly out of sync with reality. "I think part of this debate is about Microsoft not driving the world anymore," opined Pescatore. "iOS and Android are now in the mode of pushing stuff out constantly. The world, other than corporate IT, has gotten used to that, with the exception of Windows."

Not surprisingly, Microsoft saw things very differently, reiterating its long-standing position that it, and other vendors, should be given as much time as necessary to fix flaws. "The focus should be on protecting customers," said Betz. "Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment."

Betz said nothing about Pescatore's point about slow customer patching, however.

Betz also implied that Google wouldn't like it if the shoe were on the other foot. "We don't believe it would be right to have our security researchers find vulnerabilities in competitors' products, apply pressure that a fix should take place in a certain timeframe, and then publicly disclose information that could be used to exploit the vulnerability and attack customers before a fix is created," Betz wrote.

Microsoft will ship its January Patch Tuesday slate of updates tomorrow at around 10am US PT. While Betz said that the bug that went public Sunday would be fixed then, he did not claim the same about the Windows 8.1 vulnerability Forshaw had reported, then disclosed, late last year.

Because Microsoft suddenly halted its public distribution of pre-Patch Tuesday alerts last week -- those alerts sometimes hinted at the bugs that would be quashed -- it was impossible for outsiders to predict whether the second Windows 8.1 vulnerability would also be addressed.

Stories by Gregg Keizer