Microsoft yesterday excoriated Google for disclosing information about a Windows security vulnerability just days ahead of the Patch Tuesday release slated to fix the bug. The rebuke came in the form of a TechNet blog post calling for better coordinated vulnerability disclosure.

In reality, the tiff represents a showdown between the two tech giants over differing bug disclosure policies and security philosophies. Briefly put, Microsoft believes that no security vulnerability should be made public before the affected vendor has issued a patch or bulletin resolving the issue. Google, on the other hand, has a policy of publishing its security research findings 90 days after reporting a problem to the affected vendor, whether or not a fix has shipped by then.

It may seem a small difference: one company gives vendors a fixed window in which to fix bugs before it publishes, while the other waits until the vendor has shipped a fix before releasing vulnerability details. However, the disagreement embodies a larger and longstanding debate within the security community: so-called responsible (or coordinated) disclosure versus full, public disclosure.

“Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves,” said Chris Betz, senior director of the Microsoft Security Response Center. “We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment.”

In essence, Microsoft’s position is that a public bug disclosure made before a patch is available hands attackers the information they need to exploit the vulnerability, and therefore puts users at risk of attack during the window between disclosure and fix.

In this particular instance, Google published the details of a privilege elevation vulnerability in Windows just days before Microsoft’s well-known monthly Patch Tuesday security update release.

“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix,” Betz wrote. “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result.”

Threatpost reached out to Google, but the search giant did not respond to our request for comment before publication.

However, Robert Graham, a security researcher at Errata Security, wrote in a blog post yesterday that “Microsoft forced a self-serving vulnerability disclosure policy on the industry 10 years ago, but cries foul when Google does the same today.”

Graham claims that for a long time, beginning perhaps a decade ago, Microsoft dictated the terms of the vulnerability disclosure process. It employed most of the security experts, he says, either directly or through consultancies. It built the vast majority of the software platforms. And security companies depended on Microsoft because their products ran on Windows.

“Microsoft is powerless to threaten the industry,” Graham wrote. “It’s now Google who sets the industry’s standard for reporting vulnerabilities. Their policy is that after 90 days, vulnerabilities will be reported regardless if the vendor has fixed the bug. This applies even to Google itself when researchers find bugs in products like Chrome.”

The reason Google is comfortable with its 90-day disclosure window, Graham claims, is that the company uses a more modern, agile process to develop software. Changes to Google products, he says, are tested automatically and shipped to customers within 24 hours. Microsoft, on the other hand, continues to rely on a slow, manual process for shipping software changes, which is why it batches fixes into a monthly release.

“Google’s standard doesn’t affect everyone equally,” Graham argued, “it hits old vendors like Microsoft the hardest.”

“I enjoyed reading Microsoft’s official response to this event, full of high-minded rhetoric why Google is bad, and why Microsoft should be given more time to fix bugs,” Graham wrote on the Errata Security blog. “It’s just whining — Microsoft’s alternative disclosure policy is even more self-serving than Google’s. They are upset over their inability to adapt and fix bugs in a timely fashion. They resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.”

Categories: Vulnerabilities

Comments (7)

  1. cj
    1

    We wouldn’t have to worry about exploits or bugs if the big companies would thoroughly test their product instead of using us consumers as testers. When we pay for a product we do not expect crap but that’s what we get handed. Big companies just need to get their act together and release better quality products.

    • Juan P
      2

      While it is true that companies need to thoroughly test their products, catching all bugs is virtually impossible, especially with big and complex software. You can ask any software developer you know, they will all tell you the same.

      This is not an excuse for companies to have a crappy testing process, my point is only that bugs arise even in the most strict environments. Even software that is made by organizations without a budget limit or market pressures (e.g. some specialized government agencies) has bugs (a lot fewer of course, but still). With commercial companies that need to ship software into the market fast, it gets a lot worse.

  2. Jeremiah
    3

    Google can play this game, but it’s enterprise IT customers who pay for it. Releasing a zero day exploit 24 hours before the vendor pushes an automated update for it is just an attack on their customer base; it makes no sense. Microsoft’s monthly release schedule is more than just “self serving”, it facilitates orderly patch management processes in most IT shops, which are already deluged with daily security updates from hundreds of products — including Google’s.

    • DLR
      4

      What do you mean orderly patch management? Google clearly gave them 90 days to fix it. That’s 3 patch intervals given MS’s patch release management cycle. That’s 3 whole months to have it fixed before being disclosed. So it may be the enterprise IT customers that pay for it, but not by Google’s fault.

  3. Dr. Hilliard Haliard
    5

    To protect customers? I’m sure Google would be more than happy to accommodate if it meant protecting Google customers. Microsoft customers, not so much.

  4. Hank Richardson
    6

    There is no way to eliminate all vulnerabilities in software. Anyone who chalks up these issues to poor testing has never been part of the SDLC for a project with any complexity to it.

    I do not believe the vulnerability should have been exposed unless Microsoft did not provide adequate proof that the bug was not being patched in the next published release cycle.

    90 days seems like a long time, but you don’t know exactly what the backlog of items is for the maintenance team or how many items are shot to MS from Google’s research.

    Depending on the flaw there might be a lot of regression testing to ensure that the exact same vulnerability does not appear in any other area of the application.

    There are a lot of variables at play here, but if MS has the issue fixed and has a plan for the release near the deadline I do not believe that the issue should be exposed and bring forward potential attacks.

  5. Suneel
    7

    There is a difference between fixing a bug in a browser versus fixing a bug in most complex software used by many enterprises. If Google is so worried about security, why did they leave so many security bugs in Android open?
