The Schwartz Report


Windows Chief Slams Google for Premature Vulnerability Alert

Microsoft officials appeared to be fuming this week over Google's disclosure Monday of a 0-day vulnerability just days after alerting the company. Microsoft said yesterday that a patch will be available next week and that Google should have waited. Google defended its decision to disclose the vulnerability, saying it's a serious flaw that has been actively exploited.

The search giant acknowledged it was disclosing the vulnerability despite the fact that Microsoft still hasn't issued a fix, urging users to use the auto-updater for Adobe Flash and to apply the patches to Windows when Microsoft releases them.

Myerson made known his displeasure with Google's decision to issue its alert before Microsoft had a patch ready. "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," Myerson stated. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

Myerson noted it wasn't the first time Google has done so, pointing to another occasion nearly two years ago and the company's call for better coordinated disclosure to keep vulnerabilities from being exploited before patches can be readied.

The disclosure fueled continued debate over how vulnerabilities should be disclosed in the best interest of users. Udi Yavo, co-founder and CTO of threat detection vendor enSilo, said in an e-mail sent to media that Google was wrong. In addition to advocating for a 90-day window for disclosure, Yavo called for legislation to hold companies legally accountable.

"In the case of Google's disclosure, justification for only allowing a week for Microsoft to develop a patch is because Google researchers were seeing the vulnerability actively exploited in the wild," Yavo noted. "To me, this doesn't ultimately help achieve everyone's goal, which should be keeping consumers and their data safe. By disclosing a vulnerability early, without allowing time for a patch, Google opened up the small pool of people who found the vulnerability and knew how to exploit it, to all."

Not everyone shares that view. Ilia Kolochenko, CEO of Web security firm High-Tech Bridge, said in an e-mail that Google did the right thing. "I think it's not a question of days, but rather of efficient cooperation to fix the vulnerability," he said. "Google has great cybersecurity experts and engineers who can definitely help other companies to understand the problem faster and help fixing it. Instead of endless discussions about the ethics of full disclosure, we should rather concentrate on inter-corporate coordination, cooperation and support to make the Internet safer."

What's your take? Should Google have waited or do you think it did the right thing by making the vulnerability known?

Posted by Jeffrey Schwartz on 11/02/2016 at 11:38 AM

