Microsoft yesterday excoriated Google for disclosing information about a Windows security vulnerability just days ahead of the Patch Tuesday release slated to fix the bug. The rebuke came in the form of a Technet blogpost calling for better coordinated vulnerability disclosure.
In reality, the tiff represents a showdown between the two tech giants over differing bug disclosure policies and security philosophies. Briefly put, Microsoft believes that no security vulnerability should be made public before the affected vendor has issued a patch or bulletin resolving the issue. Google on the other hand, has a policy of publishing their security research findings 90 days after reporting a problem to the affected vendor.
It may seem a small difference – one company offers vendors the chance to fix bugs while the other waits until the vendor has fixed the bugs before releasing vulnerability details. However, the disagreement embodies a larger and longstanding debate within the security community: so-called responsible disclosure versus full or public disclosure.
“Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves,” said Chris Betz, senior director of the Microsoft Security Resource Center. “We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment.”
In essence, Microsoft’s position is that pre-patch public bug disclosures provide all the information necessary for criminals to exploit vulnerabilities, and, therefore, put users at risk of attack.
In this particular instance, Google published the details of a privilege elevation vulnerability in Windows just days before Microsoft’s well-known, monthly patch Tuesday security update release.
“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix,” Betz claimed. “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result.”
Threatpost reached out to Google, but the search giant did not respond to our request for comment before publication.
However, Robert Graham, a security researcher at Errata Security wrote in a blogpost yesterday that “Microsoft forced a self-serving vulnerability disclosure policy on the industry 10 years ago, but cries foul when Google does the same today.”
Microsoft forced a self-serving disclosure policy on the industry 10 years ago, now whines when Google does same http://t.co/S8n0MigWea
— Rob Graham (@ErrataRob) January 12, 2015
Graham claims that for a long time, beginning perhaps a decade ago, Microsoft dictated the terms of the vulnerability disclosure process. It employed most of the security experts, he says, either directly or through consultancies. It built the vast majority of the software platforms. And companies depended on Microsoft to develop security products for Windows.
“Microsoft is powerless to threaten the industry,” Graham wrote. “It’s now Google who sets the industry’s standard for reporting vulnerabilities. Their policy is that after 90 days, vulnerabilities will be reported regardless if the vendor has fixed the bug. This applies even to Google itself when researchers find bugs in products like Chrome.”
The reason, Graham claims, that Google is comfortable with its 90-day bug disclosure timeframe is that the company deploys more modern and agile processes to develop software. Changes in Google products, he says, are tested automatically and shipped to customers within 24 hours. Microsoft on the other hand, he says, continues to rely on a slow, manual process for software changes.
“Google’s standard doesn’t affect everyone equally,” Graham argued, “it hits old vendors like Microsoft the hardest.”
“I enjoyed reading Microsoft’s official response to this event, full of high-minded rhetoric why Google is bad, and why Microsoft should be given more time to fix bugs,” Graham wrote on the Errata Security blog. “It’s just whining — Microsoft’s alternative disclosure policy is even more self-serving than Google’s. They are upset over their inability to adapt and fix bugs in a timely fashion. They resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.”