UK Government advisor slates Google for Microsoft flaw disclosure

Decision put users at risk, says TSI executive

A senior member of the Government-backed Trustworthy Software Initiative (TSI) has heavily criticised last weekend's controversial decision by Google to publish details of a significant flaw in Windows 8.1 only days before it was due to be patched by Microsoft.

According to TSI director of knowledge transfer Tony Dyhouse, Google's action flew in the face of the interests of end users who were left exposed without a patch for a short period for no good reason.

Despite allegedly knowing the flaw was due to be patched imminently, Google's Project Zero team went ahead with disclosure, something a senior Microsoft exec described as a "gotcha" moment in an unusually combative blog on the affair.

"What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal," commented Chris Betz, senior director of the Microsoft Security Response Center (MSRC).

"Google's action could be seen as an unnecessary jibe at Microsoft," said Dyhouse. "I don't think they did the right thing."

Google's stated policy is to publish flaws under a regime of full disclosure 90 days after they are privately reported to the vendor, which in this case was on 13 October 2014.

Although Microsoft had exceeded the generous 90-day period, Google should have appreciated the complex software problem Microsoft must manage, he suggested.

"If you're a large software vendor then you should bundle up patches rather than issuing them one by one," he said. Clearly Microsoft was unlikely to issue an out-of-band patch, something Google should have known.

"If Microsoft had refused to discuss the matter then Google would have been within its rights."

Microsoft adheres to a 'responsible disclosure' regime called coordinated vulnerability disclosure, which places no time limit on patching; some argue this makes it too easy for software vendors to ignore problems. Meanwhile, in some cases, the flaws may be exploited in attacks until patches start to appear, and beyond.

"The fundamental aim of vulnerability disclosure must be to minimise the risk to the end-user. If a software manufacturer is refusing to patch an existing vulnerability, then the threat of full disclosure can be an effective tool to encourage compliance," agreed Dyhouse.

"On this occasion, however, Google was fully aware that a patch was due to come out in line with Microsoft's well-known and accepted patching strategy, and needlessly put users at risk by making it public."

The TSI promotes a policy of coordinated vulnerability disclosure in which firms synchronise their disclosure and patching behaviour in the interests of wider security. On that score, Google has little defence for its decision.

"Where untrustworthy software is involved, consumer safety must never be held hostage to competing corporate agendas," said Dyhouse.

Funded since 2011 to be an influence on cybersecurity policy and now run under the auspices of Warwick University's Cyber Security Centre, the TSI's management board includes representatives from the Department of Business, Innovation and Skills (BIS), the Centre for Protection of National Infrastructure (CPNI), as well as private firms and experts.
