Microsoft and Google get in spat over early vulnerability exposure

13 Jan 2015

Microsoft is more than a little peeved with Google over the latter’s decision to go against standard practice and reveal a vulnerability before a patch could be issued.

The head of Microsoft’s Security Response Center (MSRC), Chris Betz, took to the service’s blog to discuss the issue of coordination of disclosure when it comes to software vulnerabilities, but specifically pointed at Google for their release of one bug online entitled ‘Windows Elevation of Privilege in User Profile Service’.

According to Betz, Google announced the vulnerability that affects users of Windows 8.1 on 11 January, despite the fact that Microsoft had asked Google to hold off until 13 January to issue a patch to fix the bug.

Compared to ‘schoolyard antics’

The BBC reports that the decision to post information on the bug prior to a patch being issued was due to the principles of Google’s Project Zero that aims to pressure companies and developers to fix bugs that could potentially harm their users.

As per the company’s guidelines, Project Zero will give the original developer 90 days to fix the bug before going public with it – in this instance, it was revealed to Microsoft back on 13 October 2014.

However, for this vulnerability, Betz does not feel that this is particularly ethical or right from an industry standard.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result,” said Betz. “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

Likewise, Google’s actions have seemingly caught negative attention from other security experts online, with one comparing Google’s actions as akin to ‘schoolyard antics’.

Windows 8.1 image via Shutterstock

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com