Microsoft Hits Back in Row Over Windows Flaw Disclosure


Microsoft has gone on the offensive, slamming Google for releasing details of a Windows flaw just days before it was due to fix the issue in its regular Patch Tuesday update cycle.

In a strongly worded blog post, Chris Betz, senior director of the Microsoft Security Response Center, argued that security researchers and software vendors need to come together on protection strategies and follow a Coordinated Vulnerability Disclosure (CVD) policy, which limits the “field of opportunity” for attackers.

“Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment,” he added.

“It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a ‘fix’ before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.”

Despite Redmond’s request that Google wait two more days, until its regular security update round, before disclosing a flaw in Windows 8.1, the Mountain View giant went ahead anyway, following its strict 90-day disclosure policy.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers,” argued Betz.

“We urge Google to make protection of customers our collective primary goal.”

Disclosing vulnerabilities before a fix has been engineered is “doing a disservice to millions of people and the systems they depend upon,” he added, claiming that “almost none” of those flaws disclosed responsibly through private channels are exploited before a fix is found.

“Conversely, the track record of vulnerabilities publicly disclosed before fixes are available for affected products is far worse, with cybercriminals more frequently orchestrating attacks against those who have not or cannot protect themselves,” said Betz.

Security fixes take time, especially given the vast number of platforms, applications and hardware devices that need to be taken into consideration, so researchers and vendors must work together in the best interests of their customers, he concluded.

Microsoft isn’t the only party angered by the Google Project Zero team’s public disclosure last week.

“Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google,” wrote one user.

However, Project Zero researcher Ben Hawkes argued that the fixed 90-day deadline ensures vendors don’t sit on vulnerabilities indefinitely.
