Microsoft says it believes in ‘responsible disclosure’ and has accused Google of doing the opposite by publishing details of an unpatched Windows bug in a way that, Microsoft says, puts customers at risk.
Google and Microsoft are at loggerheads over how software vendors should report security bugs to their users.
Google’s policy sits closer to full disclosure: its researchers give a vendor three months to fix a bug or warn users that something is wrong before they publish details. If the bug is being actively exploited, Google commits to publishing details just seven days after discovering it.
Microsoft doesn’t set any deadline but would like security researchers, including those who work for Google, to work with it to fix a bug and conceal its existence until such a fix is released.
Google on Monday lived up to its policy, and in doing so broke with Microsoft’s preferred process, by publishing some details of a Windows kernel bug that is under active attack and is chained with a bug in Adobe’s Flash Player.
Adobe patched its bug within Google’s seven-day window; Microsoft did not.
According to Microsoft, the exploit seen in the wild only works against Windows if the system is also running a vulnerable version of Adobe’s Flash Player, so a machine with Adobe’s fix applied is not exposed to that particular chain while the Windows patch is pending.
The two companies share the goal of keeping end users secure but have clashed sharply over how, and how soon, bugs should be reported.
Terry Myerson, Microsoft executive vice president of Windows and Devices, has issued a statement in response to Google’s disclosure:
“Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
“We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.
“To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack. Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.”