Crestfallen by Google’s stride, Microsoft has condemned Google’s entire act that included publishing Windows 8.1 vulnerability globally under its “Project Zero” initiative before a working fix could be devised.
Earlier this month, Google published a Windows 8.1 vulnerability on a global scale that allows lower-level users on Windows 8.1 systems to make themselves system administrators, hence, gaining access to the server settings and other top level privileges.
The stride, led by Google’s Project Zero initiative, tracks software flaws, conducts an in-depth research and eventually informs the software developer about possible ways of the bug’s exploitation. Google offers 90 days time period to the developer team to find a fix before it publishes the bug along with the code. If the developer fails to keep the deadline (which happened with Microsoft), Google publishes the entire code, along with the bug.
Microsoft yesterday showered a post full of criticism, clearly expressing its downheartedness. The company says that it notified Google about the developed fix which was to be bundled with the next update. Microsoft further claims that it also informed about the release date of the update, which was just two day post the publish of the bug.
This has offended the Redmond giant even more, considering the fact that it is the second incident of such kind, which has happened with Microsoft. A similar vulnerability in Windows 8.1 was earlier published by Google in September, before Microsoft could publish a fix.
Chris Betz, Senior Director, Microsoft Security Research Center vented out his anger,
Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result.
What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
Commenting on the risk that Google’s act could have posed to Microsoft’s customers, Chris Betz further writes-
Other companies and individuals believe that full disclosure is necessary because it forces customers to defend themselves, even though the vast majority take no action, being largely reliant on a software provider to release a security update.
Betz also said that such moves alert potential hackers rather than customers thus posing a possible threat to millions of people, especially in times when large-scale cyber attacks are at peak. Microsoft criticized Google’s approach of making the bug known publicly and said that it could have found a better way to inform users so that they can make preparations against the threat.
He further said that Microsoft believes that majority of users rely on the software vendor to fix the issues and Google’s pre-publishing approach hardly offered any help to users.
Google, which has been repeatedly criticised for its Project Zero ‘initiative’ had earlier justified itself, by saying that 90 days should be enough for a tech giant as big as Microsoft or other software developers out in the market to find out a relevant solution and fix the bug.
The company also mentioned to make amendments to the project’s policies after closely monitoring the results. This mess may force it make minor changes, possibly an extension to the 90 days time period that it provides.