Microsoft isn’t too happy about Google’s recent disclosure of an exploit within Windows 8.1. The vulnerability is local-only: it allows a non-administrator who can already log on to the machine to escalate his or her privileges and gain administrator rights. Google discovered the vulnerability as a part of its Project Zero program, and gave Microsoft 90 days — a timeframe that Google itself has instituted — to patch the bug.
Things started unraveling earlier this month when Microsoft failed to release a patch before its 90 days were up. Google took matters into its own hands and published the exploit for all to see. At the time, Microsoft was rather cordial, issuing the following statement:
We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.
However, the gloves have now come off and Microsoft is hitting back hard at Google’s policy of “full, public disclosure”, which forces “software vendors to fix vulnerabilities more quickly and makes customers develop and take action to protect themselves.” According to Chris Betz, Senior Director for Microsoft’s Trustworthy Computing efforts, Google’s actions are reckless because they accelerate the timetable for patching vulnerabilities that may not be easily fixed in three months’ time.
“Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment,” Betz explained. “It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack.
“We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon.”
What made the whole incident even more frustrating for Microsoft is that it told Google that a patch would be made available on January 13 — less than two weeks after Google’s 90-day time limit officially expired. However, as we all know, Google stuck to its guns and published the exploit anyway.
“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result,” Betz warned. “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”
I must say that I’m starting to side a bit with Microsoft after hearing its side of things. Yes, I understand that Google wants to adhere to rules outlined in Project Zero, but 1) Microsoft had a fix in the works and 2) Microsoft gave Google the date for when the patch would be released. It might not have lined up with what Google was expecting, but it wasn’t like Microsoft was unreceptive to Google’s efforts in discovering the exploit.