Microsoft is publicly scolding Google for revealing details of an unpatched Windows 8.1 vulnerability two days before the software giant was scheduled to fix it in its monthly Patch Tuesday release.
Google's Project Zero vulnerability hunting team reported the Windows 8.1 bug to Microsoft on Oct. 13, explaining in a bulletin that it could enable ordinary users to gain administrative privileges, potentially opening the door for them to access higher-level system functions.
As a matter of policy, Google's Project Zero team gives vendors 90 days to fix bugs after reporting them. Microsoft said it would fix the flaw in its January Patch Tuesday release, but Google would not budge on its 90-day deadline, and published details about it on Sunday.
Chris Betz, senior director of the Microsoft Security Response Center, said in a blog post Sunday that Google's decision to go public with the flaw "feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result."
Microsoft's stance is that Google was more interested in publicly shaming Microsoft -- which has a reputation in security circles for taking a long time to fix bugs -- than in protecting the Windows users who might have been affected by this particular vulnerability.
CRN has reached out to Google and will update this story if we hear back.
Andrew Plato, president of Anitian, a Beaverton, Ore.-based security consultancy, told CRN on Tuesday that he thinks Microsoft has a point. He also believes Google is glossing over the fact that patching major bugs can be an enormous task.
"Google does not have the challenge of compiled, consumer software like Microsoft does," Plato said. "Ninety percent of Google’s software is cloud-based, which means they can issue updates anytime they want, and in rapid succession.
"Microsoft has to perform extensive regression testing on compiled modules across a diverse universe of hardware, something that is significantly more complex to do. There is much less room for error on Microsoft's part," Plato said.
Microsoft and Google have been tangling over the issue of responsible disclosure for the past several years. In 2010, Google security engineer Tavis Ormandy found a zero-day vulnerability in Windows and then published a working exploit just five days after informing Microsoft.
More recently, Google has been talking publicly about its efforts to boost security in its products. Google has a team of some 450 full-time security engineers who work to identify and respond to threats, and Project Zero is part of its efforts to give security researchers incentive to keep vulnerabilities they find out of the wrong hands.
However, Microsoft also has come a long way in improving security in its products, especially Windows Server, which Plato described as "a very stable and very secure platform."
In light of this, Plato doesn't think Google's efforts to put pressure on Microsoft by publishing vulnerability details will reflect well on its own developing security reputation.
"It is good that Google is committing more effort and focus to security, but they need to drop the attitude. It sounds like they have something to hide," Plato said.
PUBLISHED JAN. 13, 2015