Microsoft has lashed out at Google for making a Windows 8.1 vulnerability public. Chris Betz, heading up the Microsoft Security Response Center (MSRC), published a new blog post over on TechNet talking about security and how tech companies should work together to better protect consumers against threats from exploits in software, something the company feels Google disregarded.
The blog post argues against full public disclosure of security vulnerabilities in software, details of which Microsoft believes are best kept under wraps.
Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a "fix" before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.
Betz then highlights how Google released information about the vulnerability in Windows 8.1 just two days before a planned patch was set to be published on Patch Tuesday. Betz also states that Microsoft asked Google not to release those details before January 13.
Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a "gotcha", with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
The blog post closes by reaffirming that software is by no means perfect. It is indeed made by humans after all, and we've continuously displayed strong signs of imperfection throughout our history. Here's hoping the giants behind our favorite devices band together to keep everyone safe from attacks and cyber crime.