Google has come under heavy criticism for releasing details of an elevation of privileges flaw it found in Windows 8.1 just 90 days after notifying Microsoft.
The Project Zero team publicly disclosed the vulnerability on 29 December.
As reported by Infosecurity last week, it affects the NtApphelpCacheControl function used for caching application compatibility data. If exploited, it allows a malicious app to run as an administrator by bypassing the user account control (UAC).
The flaw itself is not particularly critical, as users must have already been compromised for it to be effective, according to Sophos Canada’s senior security advisor, Chester Wisniewski.
“There are also several mitigations that can be employed to reduce the risk from this flaw,” he wrote in a blog post.
“People testing the vulnerability are saying that using UAC at its maximum setting prevents the flaw from working without a warning being presented. Better yet, if you don't log in to your computer with administrative credentials at all when surfing the web or performing everyday tasks, there is no UAC to bypass.”
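The two mitigations quoted above are configuration matters, so here is an added PowerShell check (not code from the article, from Sophos or from Project Zero) that reports whether a machine has them in place: UAC enabled and set to its maximum "Always notify" level, and whether the interactive account is a member of the local Administrators group at all. It reads the standard UAC policy values under HKLM (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and parses the output of `whoami /groups`; the function name and the default values it assumes when a registry value is absent are this example's own.

```powershell
# Added example: audit the UAC mitigations mentioned in the article.
# Assumptions (not from the article): Windows defaults of EnableLUA=1,
# ConsentPromptBehaviorAdmin=5 and PromptOnSecureDesktop=1 are used when a
# value is missing from the registry; "Always notify" corresponds to
# ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1.

function Test-UacPosture {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Read each value, falling back to the documented default if it is unset.
    $enableLua     = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA }                  else { 1 }
    $consentLevel  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesktop = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    $uacEnabled   = ($enableLua -eq 1)
    $alwaysNotify = $uacEnabled -and ($consentLevel -eq 2) -and ($secureDesktop -eq 1)

    # Is the logged-on account a member of BUILTIN\Administrators (SID S-1-5-32-544)?
    # 'whoami /groups' lists the group even when UAC has filtered it to deny-only,
    # so this reflects the account's membership, not just the current token.
    $groups  = whoami /groups /fo csv | ConvertFrom-Csv
    $isAdmin = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })

    [pscustomobject]@{
        UacEnabled                = $uacEnabled
        ConsentPromptBehaviorAdmin = $consentLevel
        PromptOnSecureDesktop     = ($secureDesktop -eq 1)
        UacAtMaximum              = $alwaysNotify
        AccountIsLocalAdmin       = $isAdmin
        # Mitigated if there is no admin membership to abuse, or UAC is at
        # "Always notify" (which the article says causes a prompt instead of a
        # silent bypass).
        MitigationInPlace         = (-not $isAdmin) -or $alwaysNotify
    }
}

# Usage: run from a normal (non-elevated) session as the everyday user account.
Test-UacPosture | Format-List
```

A result with `AccountIsLocalAdmin = False` is the stronger of the two postures described: with a standard user account there is no elevated token for a UAC bypass to reach. If the account is an administrator, `UacAtMaximum` should be `True` before relying on the prompt as a safeguard.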
However, Google was criticized on its Google Security Research forum for its strict 90-day disclosure deadline.
“Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google,” wrote one user.
“I find it hard to believe that a company like Google is automatically disclosing a vulnerability affecting billions of PCs during a holiday season,” another added.
Project Zero researcher Ben Hawkes added to the forum comments to defend the web giant’s actions, clarifying that the issue had been reported to Microsoft on 30 September.
He argued:
“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security - it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”
Although the majority of bugs reported under the program get fixed before the 90-day deadline passes, Google promised to monitor the effects of this policy.
However, the amount of information disclosed by Google after this particular deadline had passed was also problematic, Sophos’s Wisniewski argued.
“Without getting into the full disclosure debate, there is one thing about this particular disclosure that doesn't lend credibility to Google's arguments that Project Zero is doing a public service and abiding by its famous ‘Don't be evil’ policy,” he explained.
“The public disclosure included proof-of-concept (PoC) code that allows anyone with interest the immediate ability to exploit the vulnerability. In my book, that's not compatible with behavior that is allegedly in the public interest.”