Security Advisor

Microsoft Calls Google's Windows Security Disclosure a 'Gotcha' Move

Microsoft said that Google released information on a Windows 8.1 flaw even though a fix was on its way.

Microsoft's Chris Betz criticized Google for the manner in which the company publicly released information on a zero-day Windows 8.1 flaw at the end of the year.

In a blog titled "A Call for Better Coordinated Vulnerability Disclosure," Betz said that companies need to coordinate when it comes to security. "With all that is going on, this is a time for security researchers and software companies to come together and not stand divided over important protection strategies, such as the disclosure of vulnerabilities and the remediation of them," wrote Betz.

Google released information on a somewhat minor elevation of privilege bug on Dec. 19 -- more than three months after it first alerted Microsoft to the issue. At the time of release, Microsoft commented that a fix was currently being worked on, and it had no information to share on the matter.

While Google did follow a widely practiced 90-day waiting period to release the information to the public, Betz said that Microsoft asked Google to sit on the information until the scheduled fix was released in this month's security update. "Google has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix."

Betz followed by saying that Google's move to release the information early was a "gotcha" move done only to embarrass Microsoft at the expense of user safety. He then urged Google to make sure the end goal of reporting flaws is public safety by agreeing to Microsoft's Coordinated Vulnerability Disclosure (CVD).

The CVD is a set of practices adopted by Microsoft and others to allow vendors time to fix a flaw before public disclosure occurs. "We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it, as we ourselves do when we discover vulnerabilities in other vendors' products," reads the program brief. "This serves everyone's best interests by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious attacks while the update is being developed."

Microsoft adopted the CVD practices in 2010 after another ugly battle with Google, in which Google security researchers released information on a Windows XP bug four days after privately disclosing the issue to Microsoft.

Google has not commented on the latest blog condemning the company's move.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
