Google and Microsoft are butting heads once again over the former's decision to disclose a critical vulnerability in Windows only days after alerting Microsoft. Detailed on Google's security blog, the disclosure concerns a zero-day (a vulnerability that is being exploited before a patch is available) in the Windows kernel that allows local privilege escalation. The bug was initially reported to Microsoft on October 21, and Google then publicly disclosed it just ten days later, before Microsoft could release a patch.
Update: Microsoft's Terry Myerson has now penned an article called 'Our commitment to our customers' security', going into more depth about the vulnerability and Microsoft's reaction to the disclosure by Google. Importantly, Myerson notes that "Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild," which takes a bit of the sting out.
Speaking to VentureBeat, Microsoft expressed apparent frustration at Google's choice to forgo a longer delay in public disclosure that would have given Microsoft time to address the bug:
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Microsoft and Google previously had a similar public war of words in January 2015, when Google disclosed a critical vulnerability in Windows 8.1 just two days before a planned patch was set to be published. In that case, Google published details of the vulnerability in line with its standard 90-day disclosure deadline despite a request from Microsoft to delay. In a blog post at the time, Microsoft Security Response Center's Chris Betz expressed similar frustration, stating:
Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a "gotcha", with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
According to Google, the newly disclosed vulnerability is currently being actively exploited. Google's disclosure policy gives a vendor only seven days to patch a bug that is already under attack, on the reasoning that users exposed to a live exploit are better served by knowing about it, and that is why details of the bug were published so early.