The Schwartz Report


Windows Chief Slams Google for Premature Vulnerability Alert

Microsoft officials appeared to be fuming this week over Google's disclosure Monday of a 0-day vulnerability just days after Google alerted the company. Microsoft said yesterday that a patch will be available next week and that Google should have waited. Google defended its decision to disclose the vulnerability, saying it is a serious flaw that is being actively exploited.

The search giant acknowledged it was disclosing the vulnerability even though Microsoft had not yet issued a fix, and urged users to update Adobe Flash through its auto-updater and to apply the Windows patches when Microsoft releases them.

Myerson made known his displeasure with Google's decision to issue its alert before Microsoft had a patch ready. "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," Myerson stated. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

Myerson noted it wasn't the first time Google has done so, pointing to another occasion nearly two years ago and to Microsoft's call for better coordinated disclosure to prevent vulnerabilities from being exploited before patches can be readied.

The disclosure fueled continued debate over how vulnerabilities should be disclosed in the best interest of users. Udi Yavo, co-founder and CTO of threat detection vendor enSilo, said in an e-mail sent to media that Google was wrong. In addition to advocating a 90-day window for disclosure, Yavo called for legislation to hold companies legally accountable.

"In the case of Google's disclosure, justification for only allowing a week for Microsoft to develop a patch is because Google researchers were seeing the vulnerability actively exploited in the wild," Yavo noted. "To me, this doesn't ultimately help achieve everyone's goal, which should be keeping consumers and their data safe. By disclosing a vulnerability early, without allowing time for a patch, Google opened up the small pool of people who found the vulnerability and knew how to exploit it, to all."

Not everyone shares that view. Ilia Kolochenko, CEO of Web security firm High-Tech Bridge, said in an e-mail that Google did the right thing. "I think it's not a question of days, but rather of efficient cooperation to fix the vulnerability," he said. "Google has great cybersecurity experts and engineers who can definitely help other companies to understand the problem faster and help fix it. Instead of endless discussions about the ethics of full disclosure, we should rather concentrate on inter-corporate coordination, cooperation and support to make the Internet safer."

What's your take? Should Google have waited or do you think it did the right thing by making the vulnerability known?

Posted by Jeffrey Schwartz on 11/02/2016 at 11:38 AM
