Microsoft publicly criticizes Google for publishing a Windows 8.1 security hole 2 days before the patch gets rolled out



Yesterday Microsoft publicly criticized Google for publishing a security hole in Windows 8.1 even though Microsoft was about to fix the vulnerability. Microsoft now claims that Google has put Windows users at risk by publishing it.

Google is currently running a ‘Project Zero’ security initiative, in which it draws attention to security holes and gives the company responsible a 90-day period to fix them. If the company does not fix the problem before the 90 days expire, for whatever reason, Google publishes the security flaw so that it is open to everyone. Well, it seems like Google has named itself the god of security to expose the vulnerabilities of other software companies; maybe the company should just look at the mistakes it has made in the past and is still making. Don’t get me wrong, it is basically a good thing if there are companies which aren’t interested in fixing any security bugs or do not care for their customers, but is Microsoft really a company which Google needs to take care of, and if Microsoft doesn’t obey, Google just publishes a security flaw which affects millions of users worldwide? Well, Microsoft introduced Patch Tuesday back in 2003 to fix bugs in its operating systems and Office suites on a regular basis; I am sure Microsoft would not have just ignored the vulnerability, even if Google had not published it.

However, here is a short excerpt of what Microsoft has said about this topic on its TechNet Blog:

“CVD philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

But Microsoft is not only criticizing Google for publishing the security flaw; the company is also explaining why it can take a while to fix such a vulnerability, as you can read below:

“Responding to security vulnerabilities can be a complex, extensive and time-consuming process. As a software vendor this is an area in which we have years of experience. Some of the complexity in the timing discussion is rooted in the variety of environments that we as security professionals must consider: real world impact in customer environments, the number of supported platforms the issue exists in, and the complexity of the fix. Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account.”

If you are interested in the full article, published by Chris Betz, you can find it at the official TechNet Blog by Microsoft. Let me know your opinion about this in the comments below.

Source: Microsoft TechNet Blog