Microsoft Chastises Google for Reporting Windows Flaw – Redmond Firm Says Google's Actions Put Customers at Risk of Cyber-Attack

(Before It's News)

Microsoft is calling foul after Google publicly posted the details of a Windows 8.1 vulnerability — a move the software giant says left its customers susceptible to attack.

Google posted details of the flaw on its bug reporting site before Microsoft could issue a patch to fix the problem. And now Microsoft is calling Google out for its actions, intimating the technology titan’s attempt to embarrass Microsoft was irresponsible.

Microsoft senior director of research Chris Betz said his firm asked Google to keep a lid on the information until Jan. 13, the date that Microsoft would have a patch available.

“Google has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and co-ordinated Patch Tuesday cadence, despite our request that they avoid doing so,” Betz said in a blog post.

“Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, Jan. 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

Betz said Microsoft believes “co-ordinated disclosure” is the best way to reduce risk to customers.

“We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon,” Betz continued in his tongue-lashing of Google.

“Other companies and individuals believe that full disclosure is necessary because it forces customers to defend themselves, even though the vast majority take no action, being largely reliant on a software provider to release a security update. Even for those able to take preparatory steps, risk is significantly increased by publicly announcing information that a cyber-criminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue.”

The issue was debated on Google’s bug reporting site with the sides appearing to be evenly split.

Samplings from the pro-Google camp:

• “No one is done any good by keeping it secret. By exposing the vuln they allow those billions who may be running vulnerable systems to be aware of the threat to their own security and take countermeasures. A patch isn’t the only way to mitigate the issue. Given the nature of this vulnerability, there are other steps administrators can take to start protecting their vulnerable systems while they await a patch. Kudos to Google for sticking to their deadline.”
• “Attackers are not going to take the day off because it’s the Holidays. Microsoft dropped the ball, did not perform a security assessment of the new features before releasing them into production, and now have to deal with the consequences.   Google isn’t doing this to make friends. They are doing this to address a widespread problem of companies releasing insecure products. Ignoring a security vulnerability isn’t going to fix it either.”
• “Microsoft had three months to resolve this and were aware of Google’s disclosure timeline. If they chose not to address it, that is their decision. I have waited years (sometimes 4+) for Microsoft to address security issues I reported. A 90-day timeline makes a lot more sense in terms of improving overall security.”

Those siding with Microsoft:

• “Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I’d have expected a greater degree of care and maturity from a company like Google.”
• “I find it hard to believe that a company like Google is automatically disclosing a vulnerability affecting billions of PCs during a holiday season. No matter the rivalries between Google and Microsoft we, your users, deserve a more responsible behavior from both companies.”
•  “You Google suck-ups are sickening. This is bad form by Google. No, attackers don’t take the holiday off, that’s precisely why you don’t reveal the vulnerability when they can take most advantage of the head start they’d be getting before a patch is made. Think, people!”

The issue is also being debated on Twitter:

Bentz, in his blog post, issued a call for all companies and researchers to work together for the good of the customer.

“We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publically,” he wrote. “It is in that partnership that customers benefit the most.”

Bentz added that asking for such a partnership is not “in any way an abdication of responsibility,” adding it is the company’s job to “build the best possible software that we can, and to protect it continuously to the very best of our ability.”

Is Microsoft right to expect researchers and companies to work together, or was Google in the right to expose the flaw when it did? We want to hear from you in the comments below.

Post from: SiteProNews: Webmaster News & Resources

Microsoft Chastises Google for Reporting Windows Flaw

Jennifer Cowan is the Managing Editor for SiteProNews.

The post Microsoft Chastises Google for Reporting Windows Flaw appeared first on SiteProNews.

• The making of a superstar business journalist
• King of the A-heds returns for WSJ
• Quartz hires design reporter Quito
• How To Overcome Fear of Failure
• Facebook Freedom of Speech Debate Pops Up Yet Again
• New and Easy Way to Apply for a Visa to Vietnam
• 2015 Handsets and Service Pricing Tool International Research Report
• International Gum Rosin Market 2015 Research Analysis
• Google Analytics Intelligence: How to Create Useful Events
• 2015 Research Report on Global Polyethylene Naphthalate (PEN) Market