Microsoft butts heads with Google over critical Windows vulnerability disclosure

Google and Microsoft are butting heads once again over the former's decision to disclose a critical vulnerability in Windows days after alerting Microsoft. Detailed on Google's security blog, the disclosure relates to a 0-day (meaning it hasn't been publicly described before) vulnerability that could allow privilege escalation. The bug was initially reported to Microsoft on October 21, and Google then publicly disclosed the vulnerability just ten days later — before Microsoft could release a patch.

Update: Microsoft's Terry Myerson has now penned an article called 'Our commitment to our customer's security' going into more depth about the vulnerability and Microsoft's reaction to the disclosure by Google. Importantly, Myerson notes that "Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild," which takes a bit of the sting out.

Speaking to VentureBeat, Microsoft expressed seeming frustration at Google's choice to forgo a delay in public disclosure in order to give Microsoft time to address the bug:

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

Microsoft and Google previously had a public war of words of sorts in January 2015 when Google similarly disclosed a critical vulnerability in Windows 8.1 just two days before a planned patch was set to be published. In that case, Google published details of the vulnerability according to its normal disclosure policy despite a request from Microsoft to delay. In a blog post at the time, Microsoft Security Response Center's Chris Betz expressed similar frustration, stating:

Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a "gotcha", with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

According to Google, the recently disclosed vulnerability is currently being actively exploited, leading to its decision to publish details of the bug so early.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

188 Comments
  • So Google leveraged its connections to patch Chrome quickly, but gave Microsoft 7 days to patch hundreds of millions of computers before disclosing the vulnerability to everyone. Is this how you "don't be evil"?
  • Every time Google pulls this crap Microsoft should respond, "We have discovered a serious security vulnerability in one of Google's products: it's called 'Android'. Yes, all of it".
  • Can we, the good people of Windows Central, get a team together to get on this and teach these ******** a lesson please? I mean.... Android is already open source....
  • AOSP Android is open source but Google Android isn't.
  • No it's not, uneducated fool
  • See that's where MS is very different from Google, they don't act in childish and selfish ways just to spite another company, instead they do the right thing for consumers in general no matter what platform or browser they use, inform the responsible company and wait for the fix to be released before making it public. That is the best practise and is the way to keep all consumers and businesses safe, all Google does is put people at risk in a petty attempt to gain a few users for their products. While I would love to see MS retaliate just for the lolz, it doesn't help anyone so I'd prefer they stay mature.
  • Microsoft would surely release information on the exploit if they realised that the company was refusing to patch it, or was taking much longer than necessary to do so. But they would never give an unrealistic deadline like this, one that actually puts real users at much more risk than if they waited a reasonable amount of time.
  • Android is the most insecure vulnerable OS around, so Google really cannot claim to be better than Microsoft in any way.  Far from it.  They use stunts like this putting people's PC and data at risk in the name of marketing their browser.  Do you really want to trust any of your data to a company like that?
  • Well, regarding Stagefright and Quadrooter vulnerabilities around years ago, and it seems that not all devices are covered with patches regarding those 2 vuls. I'm quitting using Android as soon as I find out ways to buy Windows phone again.
  • where are you?
  • Google is 50 years behind Microsoft in terms of security
  • "Leveraged its connections", so they patched their own product? How is that a bad thing? 
  • No, Adobe patched Flash and Google updated Chrome with the new bundled Flash version. Everyone else using Flash on unpatched Windows is still vulnerable because the Adobe auto-updater is pretty rubbish.
  • So Microsoft needs to update the OS
  • Correct, but it seems like a dick move. Making an exploit public knowledge before the company can fix it does not "help customers".
  • Not only that but this vulnerability is in the wild and being actively used and Google just gave hackers ALL the information they need to actively exploit this. All while touting their own memory hogging POS called Chrome, seems kind of self-serving to me.
  • It absolutely helps customers because it informs customers that they're vulnerable to this exploit. 
  • But the customers can't do anything about it until Microsoft publishes a patch.
  • You are a dipshit.  They could let people know without disclosing the vulnerability but they are still jackasses and choose not to do that.
  • If you refer to IT departments in internet security as customers, then yes. But remember, most customers barely know what a patch does. Much less how to work around an exploit themselves. Also, like what was said, the fact that the people who would use this exploit now have open knowledge to it to use it, REALLY doesn't help customers.
  • I'm certain that your folks are proud of you.
  • Google is clearly an evil loser!
  • What connections do Google have that Microsoft doesn't? Anybody please answer I'm very curious
  • They have a licensing agreement with Adobe to bundle Flash in Chrome.
  • Ok thanks because I heard somewhere else they also own a majority of Internet servers so I didn't know if they were using that to limit Microsoft uploads or whatever, thanks,
  • Google don't own the majority of internet servers. Far from it.
  • Google doesn't even own decently written code
  • MS has the same agreement for Edge
  • Yes, but Google was the one who discovered the vulnerability and was therefore forewarned.
  • They changed their motto a long time ago. They needed to, otherwise they would be a hypocrite.
  • I know, but it's fun to still hold them to it especially in this scenario because it was originally a dig at Microsoft.
  • No, major hole... hackers could have known about it... Microsoft sat on the information for 7-10 days and did nothing about it... This makes me see Windows as not secure if they could sit on a known hack for over a week.... Google is not evil, they TOLD Microsoft before releasing the info...
  • Perhaps you'd like to enlighten us how they can triage, analyse, fix, and then deploy a fix to hundreds of millions of computers (many of which have users trying their best to disable updates) in just 7 days?
  • I have my doubts as to the many of which statement seeing the adoption that the anniversary update has. If people had deactivated updates then it wouldn't have the distribution it has ;). Vocal majority would be a good statement but far from an actual majority.
  • Which is still "many". I specifically did not say "most".
  • You really are clueless on how security on PCs work... Microsoft should have notified people of an issue, not let Google do it.. How could one be 100% sure their computer is secure when Microsoft does not patch a known (and made them know about it) major security hole in Windows for almost 2 weeks before they even did anything about it. And getting a patch for a bad DLL that had a security hole could be released in under 2 days to Windows update... INCLUDING testing. This is a HUGE BILLION dollar company, not a little back yard garage IT company....
  • Just sat around eh? You sure? Were you having coffee with them all that time? Good to know someone who spends so much time with MS coders.
  • Google then went on to say its windows version chrome is safe from this vulnerability...so its intention is very clear
  • Windows 10 version.
  • Well, the exploit involves an interaction between the OS and a browser. If Chrome has been updated to block the exploit, then it's safe from the vulnerability. 
  • It's no surprise really that Google would try to peddle that POS called Chrome!!!!
  • Yep...totally feels like a "Gotcha". Intentionally releasing information that would put MS customers at risk.
  • Microsoft users are already at risk since Microsoft won't release the patch. The exploit was already in the wild when Google discovered it and notified Microsoft.
  • Ok then...
  • In the wild, yes. Actively exploited, yes. But not publicly known. Now that it's publicly known anyone can go and exploit it until all computers are patched.
  • That's what I thought
  • If it's being exploited, it's known by enough people to make it dangerous. 
  • You really are an effin moron aren't you.
  • >You really are an effin moron aren't you. It's you who is an effin moron....you really don't have a clue do you ?
  • Me?
  • This is not necessarily true. This, and other exploits, could have been discovered by people who actively look for them for internet security companies or divisions of a company. This is not always the case, but don't make it known to the 12 year old ********* around the block.
  • Actively exploited could mean by the government which isn't necessarily dangerous for the user (of course it's bad but not anywhere near as bad as a malicious attacker), by publicly disclosing the actual code for the exploit they've made it available to pretty much every 2bit coder out there; and giving MS 7 days to fix it is just insane and breaks their own rules that they'll wait 30 days to publicly disclose something.
  • Don't try and defend this by making out people could already have known about this as Google announcing it is almost as public as it gets. I'd chastise Apple or Microsoft in the exact same way if they did something similar. It just stinks
  • and expected MS to patch it in 7 days!!!!
  • Yeah we know this the point is Google should have given Microsoft time to patch it before making it public
  • Maybe MS should go through and publicize all of Android's vulnerabilities...
  • ... and we will see tons of Google "don't be evil" fanboys shaming Microsoft. Well, meantime in Europe Google will face issue for things like this: https://www.grahamcluley.com/conspiracy-cockup-google-hid-protonmails-encrypted-email-service-search-results/
  • Remember, this is the same company that drove around and hacked people's personal wifi in their homes from their street car, they also hacked the iPhone's GPS to send the Google app GPS locations even if you turned GPS off.. How anyone can say that they trust this company to protect their data is insane, and what they are doing in America with the schools makes me sick, there is no way you can tell me that they are not mining kids' data in the schools.
  • After giving google the standard 30 days to publish a patch of course, not some childish 7 days; which incidentally is what google actually promises they'll do. Anything else would be immature and it's not like google has any chance at all of patching android phones xD
  • Gotta side with Google here, this is an actively abused vulnerability. It is up to MS to warn their customers, and suggest preventive measures, while they are working on the fix.
  • I'm a pretty staunch MS supporter, but I agree with you on this one. It would be a different story if the vulnerability weren't being actively exploited, but that's not the case here. Communication is key. Let your users know that there's a problem and give us a workaround until an official patch is available.
  • Thank you. It is baffling to see how many people are against being informed of a vulnerability that is actively and widely being exploited. MS should have communicated this, they were given the time to do so, but they chose not to so Google did it. It should be mentioned, that if this was just your everyday vulnerability, then MS would have had 90 days before Google would have gone public, and additional 14 days if they informed Google that they were coming out with a fix. This is clearly something that system admins need to know.
  • Disagree, it can be communicated that there is a vulnerability, not giving every script kiddie the keys to the kingdom.  Typical google dick move.
  • The details may be important for preventive measures, I don't know, I doubt anyone here knows either.
  • Looks like we have very unpopular opinions here, but I still stand by mine. Microsoft could have easily mitigated this by telling users a problem was found that they need to disable Flash or use Edge until a patch is released. Like you said, the exploit is already in the wild, so it's not like Google revealed some big secret.
  • "Gotta side with Google here" yes google need another soldier for his crusade against the evil microsoft. LOL
  • Bad choice of words. "Gotta side with the consumer" would have been more accurate.
  • So publishing it so more people can exploit it is your answer? You must work for Google or own stock in Google or just hate people in general.
  • Nope, publish it so that users of Firefox or Edge can move to a more secure browser. It's already being exploited, no point in hiding it. 
  • Do you think users are reading the Google Security blog? Nope. But I bet you people looking to take advantages of exploits are. So this is self-defeating.
  • Edge in the Anniversary Update is already protected. This is for non-AU, non-Windows 10 PCs.
  • Ironic that you should mention "move to a more secure browser": http://www.windowscentral.com/microsoft-edge-takes-top-spot-over-chrome-...
  • There are so many users that don't follow tech news. Publicizing a vulnerability is not a help for them. Publicizing made it viable for any enthusiast to exploit it.
  • And in the meantime, every hacker in the world now knows the exploit exists and every customer is at risk. 7 days to triage an issue, write a fix and test it to make sure it does not destabilize millions of computers running thousands of different configurations is highly unrealistic. Google is only out for themselves. They don't care about users, only their search and advertising.
  • And not every vulnerability has a workaround.
  • The exploit was already being used, so hackers already knew it existed and how to exploit it. 
  • Not all did. But they do now
  • And all consumers know about it too, so they can take actions to protect themselves. 
  • Do you really believe this stupid $#!+ coming out of your mouth?
  • Maybe some but not all now they do why don't you think I will never use google **** they're an evil company and they don't give a crap about anyone but themselves
  • The exploit was already in the wild when Google discovered it, so it was already known by hackers. Now, consumers are more informed to protect themselves. 
  • Any chance of your opinion in a different format. ie: Re-arrange the words in a different order, or grab a thesaurus and find some different ones. Starting to sound as if you have a bag full of shares in Gurgle. By shouting at the top of their voices, in a school playground four year olds 'my dads better than yours' manner, they cause much disruption over at MS. Owners of W10 now get sweaty palms even though MS had this covered, whilst Gurgle get sweaty palms playing with wood. If only people knew how many holes there are in Android. I've cooked roms, I know the issues with rooting, but alas, those issues are just as bad as stock! Don't get me started on Chrome. Data mining goes on, a plethora of data sets get sent, too many people 'allow' Chrome to store passwords etc, in which case you may as well just give your card details to some hooded youth. I guess MS will take the moral high ground and NOT let slip the muddy waters that are Gurgle splashing around in your data. Would the last person out of the mine please turn off the headlamps...
  • I don't have any shares at any of the companies. I'm explaining things in plain language because it's apparently difficult to understand concepts such as telling consumers their device is vulnerable.  "Owners of W10 now get sweaty palms even though MS had this covered, whilst Gurgle get sweaty palms playing with wood" Microsoft doesn't have it covered, or they would have released the patch.
      "I've cooked roms, I know the issues with rooting, but alas, those issues are just as bad as stock!" No it isn't. Root means your applications have a higher level of permission than they do when you are running stock. There are exploits that only work when they have root permissions, and that's something they don't get when you're running stock software.  "Data mining goes on, a plethora of data sets get sent, too many people 'allow' Chrome to store passwords etc, in which case you may as well just give your card details to some hooded youth." The same data mining that Windows 10, 8.1, 8 and 7 do. Edge also lets you store passwords, and Microsoft's data policy states that they share data with Yahoo (who just got hacked) and others.  "I guess MS will take the moral high ground and NOT let slip the muddy waters that are Gurgle splashing around in your data." They need to take the practical high ground and fix their OS. 
       
  • The 0 day is mitigated by the latest Flash update, the vulnerability is still in the Win32k.sys GDI interface however MS has clear procedures with dealing with security vulnerabilities that have become standard for many companies. This isn't the first time Google has pulled this stunt putting millions of people at risk for a publicity stunt.
  • Not every script kiddie in the world, but they sure do now.  You can put out the notification without giving the details, it isn't hard dumbass.
  • Microsoft should screw up chrome on windows and make it difficult for chrome to work correctly. These guys at google are pathetic and insecure
  • No need for that, google itself is screwing up chrome with their incompetence, like they do with every product they buy
  • Making a patch for it might take longer than 7 days to fix. So google knew exactly what they were doing by making it public by also throwing in that they already fixed Chrome.
  • Yep, they were letting consumers know so the consumers can take their own steps to be more secure, and putting pressure on Microsoft to do their job. 
  • And how exactly does the average consumer mitigate an attack that uses a function call to a kernel module, please enlighten me oh knowledgeable one!!?!
  • By using a different browser. Two clicks. 
  • Or by updating to the Anniversary Update where Edge is patched to mitigate this type of attack. No need to move to a POS called Chrome.
  • Use a patched browser like Chrome that isn't susceptible to this vulnerability.
  • LMAO
  • How can they communicate with every customer in the world? Most of the windows users are non-tech end users and they don't even know how to change the default browser. By revealing this bug, google put all those computers at risk. Do you even use brain? Or all you know is ctrl + C and ctrl + V  
  • "It is up to MS to warn their customers, and suggest preventive measures." There's a difference between "hey, there's a vulnerability you should know about" and "hey, there's a vulnerability you should know about, and here's enough detail to clue you in on how to exploit it." The whole point of public disclosure is to encourage companies to patch their holes early instead of putting it off forever, and the reason for that is to protect our computing ecosystem.  Google's motivations have nothing to do with any of that.  Their timing is clearly intended to give MS a black eye and nothing else.
  • What specific details did Google release on how to exploit the vulnerability? If they just said, "Switch to Chrome, it's more secure!" everyone would have chalked it up as PR fluff. 
  • They posted the specific security vulnerability in their security blog, you are dense as hell.
  • Google has multiple levels of procedure based on the severity of the vulnerability, this one is something that is important for the users, especially corporate, to know, so they released the info quite shortly after informing Microsoft. I assume they told the timeline to Microsoft, so there was plenty of time to inform their customers. I stress that this was a critical enough bug that it warranted this procedure, suggesting that it is already widely exploited. I don't know the final truth of this, maybe Google is just being an ass, but based on the little we do know, I won't go white knighting MS either.
  • Yes, multiple levels... like they openly state. They can tell users there's a vulnerability that's being actively exploited. What they can't do is tell people HOW to exploit it, which they did. That's the problem.
  • How about the perhaps 100s of software firms having the same vulnerability? Google may not know them all, but by releasing the info, and since they also revealed how they fixed it, they give those others a chance to do something about it until MS fixes it on their end. System admins may also be able to either disable features, or take other such preventive measures after knowing a bit more about the specifics. It's also an indirect ad for W10 as the fix is only available there.
  • Agreed 100%... People who are just fanboys without a clue will down vote you but, anyone who watches and follows computer security knows that an open hole that could cause damage out in the wild, that is known by hackers, even a day is too long to have it opened but, Microsoft sat on this info for over a week...
  • The next day, one of your family member is hacked by a script kiddy that got the news from Google and goes to try it out.
  • The exploit was already in the wild and already known, so consumers were already at risk. Microsoft has no one to blame but themselves for not patching it. 
  • Google fanboy eh? I feel your pain man, i feel it.
  • Not a fanboy, just wish Microsoft would patch the exploit. 
  • It takes longer than seven days
  • I just wish you would stop spamming the comments with your spam.
  • Blah, blah... Are you just copying and pasting your posts? They ALL say the same thing. In my post above, I suggested you grab a thesaurus and find a different way of putting the same argument over and over and over and over.
    Zzzzzzz
  • ok, not patching it... well... firstly it is patched, if you're on the newest windows update... which is exactly why MS removed update controls from normal windows users, to make sure you're always on the newest version; is it acceptable now or are users still going to be angry at big bad MS for trying to prevent dumb asses from blocking updates and making their computer insecure. Secondly 7 days for a patch? Are you insane... No one can patch such a vulnerability that fast, no one. Finally, they could have disclosed they had found an actively (widely - they don't say this actually even though you believe this) used exploit in the flash implementation of old windows versions that has been fixed in chrome. Not had the keys to the actual exploit to the public.
  • Google is an evil company, Microsoft isn't. The reason Google is attacking Microsoft with these dirt tactics propaganda is to see if dumb people will buy their Chromebooks which have a marketshare of less than 0.5% on desktop global market.
  • Or because Windows is an unsecure platform. 
  • So is android, but are you as quick to criticise google? Anytime you make an open platform that can be easily customized by developers, it will have security holes. Having thousands of different hardware configurations makes it even more difficult. It gives customers plenty of choices but you have to expect that these security exploits will happen.
  • Google patches Android every month, with different patches for more specific hardware. They also publish exactly what was fixed. When's the last time Microsoft released a changelog?
  • Yes, they do. But EVERY patch results in the same issues in different places. They HAVE to patch every month, not only for security, but also to try to resolve major bugs within the OS. When they finally crack one bug, another OS rolls along and the wheels keep turning, going round and round until they disappear up their own OS. As for changelogs, they are published, and available to view. Can't find them? Check on here! You sure you aren't Anne Droid?? ;-)
  • And every Windows update breaks things. The Anniversary Update broke Powershell, for example. And no, there aren't changelogs. Windows Central talks about new features, but that's based on their own testing. 
  • So if both platforms fixes and breaks things, then why are you here trolling? Then Google is no better than Microsoft and then maybe you should go and complain on your beloved Google's fanboy sites instead.
  • Confirmed tard
  • That's why more than 89% of all android phones are infected with viruses or malware
  • [citation needed]
  • https://technet.microsoft.com/en-us/security/bulletins.aspx changelog enough? And they provide even more info at the enterprise level...
  • Windows is the most secure platform. Everyone uses it which is why it's targeted like it is. (And by everyone I mean almost everyone not everyone)
  • >Windows is the most secure platform. You really think so....huh ? You really need to learn a LOT about computers...
  • Jeez, will you please change the bloody record..... That one's for the children of the 80's ;-)
  • It's the most secure system there is look at android its a joke and always has been chrome no better why don't you leave us alone fanboy and go talk all you crap on a google website form
  • Chrome was rated the most secure browser until today. ChromeOS is rated as the most secure OS.    But yeah, try to make fun of people you disagree with. 
  • Chrome OS is a browser, stop saying the most secure OS
  • http://www.windowscentral.com/microsoft-edge-takes-top-spot-over-chrome-...  
  • Are you on drugs? Windows is on 93% PC, so it's prone to attack unlike mac or Ubuntu which has less users. Same goes for android the more the user, the more the attacks, though android has so many holes. Mind you Windows is still considered the hardest to hack, I've seen it in different hacking contests.
  • Whatever the vulnerability is it patched?
  • No, and that is why it is kind of crappy that they brought it to light. Though, I kind of get the other side of this to warn. Though I will not install Chrome, so I guess I am vulnerable until MS patches. Edit: I am wrong, kind of. As Daniel pointed out, Anniversary Update seems to be protected.
  • I love how the story is not, "Windows is being actively exploited" -- instead it's about Google? We can't upset MS? Just tell it straight. (Bring on the downvotes.)
  • Google is the ultimate hypocritical company.
  • Yay! A decent word used in a post!! Well done editguy. Very sad I know, but that has made my day!! Then again, I've just sat through two hours of Peppa Pig with a house full of 2 year olds!!!
  • You are welcome. The story is about Microsoft complaining Google releasing vulnerability information before Microsoft has a chance to patch the vulnerability. The vulnerability is actively being exploited by Google for its own advantage. If you don't like it, make up your own story about "Windows is being actively exploited" and go pound sand.
  • No, the exploit is actively being exploited by hackers for their advantage since Microsoft is taking too long to patch the vulnerability. The exploit was already known and being used in hacking communities when Google discovered it, so there's no sense in hiding it. By going public, Google puts pressure on Microsoft to do their jobs and lets consumers know so they can secure themselves. 
  • "...put pressure on Microsoft to do their jobs..." and leaves millions of users at risk as full details were disclosed, not just an advisory, so Google can peddle their own wares.
  • @ neo158: How? The users were already at risk. 
  • Because Google revealed FULL DETAILS OF THE VULNERABILITY, what more do you need to know!!?!
  • 7 days isn't too long. Grow up now would you.
  • Hacker probably paid by google in the first place
  • I'd love to see some evidence to back this up. 
  • MS will be getting much stronger !!
  • There is no clear right or wrong answer regarding disclosure in this case. Microsoft's job in the matter is far more difficult than Google's. Google only had to update their browser for Windows. Microsoft needs to test all variations of their products for this fix and that undoubtedly takes time. Meanwhile, customers are already being affected by the exploit. So if you are quiet, perhaps the exploit will not grow, but if you disclose, customer can decide for themselves how to proceed at the same time more malicious hackers would begin to exploit it. Again, no easy answer here. Google did their best, as I am sure Microsoft is doing theirs.
  • Couldn't agree more. I just hope MS don't stoop so low with these 'scaremonger' tactics. They didn't do it out of the goodness of their heart. By shouting about it, all those spotty oiks in their bedrooms, who think they are about to enter the Tron set, will happily sort their wood out, clean the keyboard, and give it their best shot. The greatest purveyor of 'oddly' obtained data are Gurgle. If their chrome OS has ( sorry HAS ) any vulnerability, MS wouldn't shout about it. They could discreetly write to them and mail them for less than £10.00 / $10.00. ( delete as appropriate! )
  • Yeah, sorry, reading the Google blog post about this, it's obvious they are only looking out for Google here.  "We found an exploit. Our Chrome browser would never do this. We recommend you install your OS patches when they become available." How did Google know this is already being exploited? Are they a security company now, with the ability to know what is happening on every Windows computer not using Chrome or Google's websites? Or are they somehow exploiting this themselves, therefore making an excuse to reveal this?
  • There are no google services on windows 10 mobile. By that alone google is evil lol
  • I am hoping this vulnerability is not NSA related....
  • Just to play devil's advocate here (for real huh?), but if the vulnerability is already being exploited by hackers, this means that the hackers already knew about it. Since nobody had said anything about it publicly to this point, it also means that consumers were blissfully unaware of their potential vulnerability. Now that the information is released publicly, I know about this, but I know nothing about hacking. This does not help me in the slightest as a hacker. And I bet it doesn't help anyone as a hacker. Those who know what to do with it probably already know about it. It does, however, help me as a consumer. I now know to quit using whatever software is vulnerable. Is it good for Microsoft to leave things as they are, knowing full well that their users are being actively exploited? Shouldn't Microsoft have been telling their customers to quit using whatever was vulnerable until the patch is pushed out?
  • I agree, Google should have told Microsoft about this and left it up to Microsoft to publish details of the vulnerability. I'm sick of this whole Team Google, Tech Police.
  • Google did tell Microsoft, Microsoft decided to not inform their customers, so Google did instead.
  • Yes they did. The question is if they gave Microsoft a reasonable amount of time to patch it. We also do not know if Microsoft knew about the vulnerability. It could be that they knew about it and had been working on it already, and then Google found it and said, "Hey we're going to release the information to the public on November 1, 2017. Get crackin'!" Also, Microsoft might have a fire lit under them because they know that Google will eventually release the info to the public. Otherwise they might never do anything about it. Who knows? The only information we have is a news article or three. It is meant to be sensational, not to give us objective facts.
  • Google informed Microsoft, they knew, they did not have to fix it before informing their customers about it. Microsoft decided not to inform their customers that their computers were vulnerable, and that said vulnerability was being actively exploited. Even releasing some details on the vulnerability is unlikely to increase the risk on the customers since the most skilled crackers were already exploiting it, but now the customers can take at least some preventive actions. I'm not saying what Google did was absolutely right, I'm saying what MS did was absolutely wrong.
  • You need to reread my post before commenting!!!!!!
  • The hackers are not all linked together and openly sharing with each other the exploits they find. Most of the time they will hold on to it and try to make the exploits last longer by not letting the news spread out for it to be discovered. Breaking out the news only invites more hackers with malicious intent to join in using the exploits. The end result is that more users will suffer. The hackers and people like you that are sensitive to the IT world will be the ones that get the memo and get some action going, while the majority of the world are probably being exploited now without even knowing about this because they don't frequent IT sites.
  • Well, if it was the other way around it would be more worrying. I mean, can Google do anything about ~90% of their active Android installations?
  • Google patches all of their phones released in the last three years, more than the average time of ownership. Complain to HTC, LG, Motorola, etc. if your phone isn't being updated.
  • So yeah, the 2 phones they release yearly, which account for an accounting error in Android market share pie charts. Nah, the blame goes to the OS maker, nothing you can do to change public perception on that.
  • HTC, LG, Motorola are the OS maker. They build their own changes on top of Google's base, and they're responsible for releasing fixes to their hardware. 
  • Not so. The OS is made by Google, and although each hardware maker customises the release to their device, it's still running Google Android services at its core.
  • Each version of Android is actually a separate OS all by itself. Google and others fix the open source parts of it, Google fixes their parts of it, but it is up to the OS maker to release the updates. In this case those are OEMs, and they have to fix their parts. Naturally, that isn't exactly a healthy way of doing things since OEMs have little reason to update their software when it's hardware they want to sell.
  • And the Google Play services are updated irrespective of the phone. Google can't force OEMs to update their phones
  • Still a Google problem if Apple and MS can update their phones without carrier or OEM support. Plus a lot of phones are still using vulnerable versions of Android. With many Android rootkit packs now having over 60+ active attack vectors that can hit you with a drive-by, of which some of those you'd never know you'd been infected. The simple fact of the matter is Android is insecure by design, something that Google is desperately trying to change and so far failing.
  • Apple can update their phones without carrier support because they make everything inside the phone, and they sell so many phones that they can tell carriers to pound sand. Microsoft is the opposite in that they sell so few phones that carriers don't care if they break things. And again, Google updates their own phones without any carrier intervention. 
  • Sigh, are you really so ignorant and myopic? Microsoft can because they decoupled the OS from the firmware stack, just like Apple did (though their methods are different). Google has a club over the OEMs; they already implement contracts which are under investigation for being anti-competitive, so if they can force companies to agree to them then why not include terms to support their patch releases?
  • Nah it's just a poor troll
  • Android is never updated unless you got a Samsung high end phone or a high end phone from any own. If you're poor, Google cares nothing about you and your cheap trac phone will never get updated. Google sucks, why can't you admit that, Google fanboy?
  • My Nexus gets monthly updates though.
  • Only for two years, after that if any security vulnerabilities are discovered then they won't be patched!!
  • Exactly, the stagefright exploit springs to mind. Most of the devices running Android will never be patched.
  • google is a bunch of jackasses.
  • I detest everything Google. On this occasion I think they are in the right. They treat everyone the same in this regard, 60 days for vulnerabilities not being exploited and 7 days for those that are. Microsoft with all their resources could have patched it, and as people are at risk this will light the fire under them. If it were the other way round we wouldn't give Google special treatment, would we?
  • If you find an exploit, you warn a company about it, shortly afterwards you go around and tell everyone how to use it; yes, that is putting pressure on the affected company and reveals that the disclosing company is endorsing its use. If not, they could have simply described it and not give an instruction for everyone. If I am not mistaken, such behavior gets penalized in every company and online game for the endorsing part of this behavior. But alas, shortsightedness and ignorance of consequences of own words get more and more popular these days. Sadly, there is no defending argument in terms of protecting users from an exploit by telling even more people how to use it.
  • Microsoft have got the worst of the fanboys. Not even close to ish***ps. You guys' moronic level is unbelievable.. They had 10 days to solve the issue and they couldn't with no information.. Just today I've read a hospital was hacked (not sure if its related to this or not) can you imagine the cost of such intrusion? What Google have done is for the better of consumers at large
  • For the fanboy part: speak for yourself. Telling the details to the affected company is not the same as telling it to everyone inside a blog. I am expecting that I do not have to explain the difference how there is a difference. It would be fruitless to have to do it.
  • 10 days later???? They would be evil if the moment they discovered they went ahead and cry out loud. First of all this have question Microsoft why in the first place a third-party company had to discover the vulnerability and not them... They not serious
  • I hate Google. People only use Android hardware until they've saved up enough money to buy a better product.
  • Microsoft is also blaming "Russian Hackers", and saying it's the same group that's messing with the election. Except, there are no Russian hackers. Microsoft is just sad that their endorsed candidate she-devil is losing.
  • Maybe if Microsoft would make Edge compatible across all websites, people would be more inclined to use it. But I am more and more frequently running into circumstances where a website (particularly with a form or log in) is not compatible with Edge and am told to use Chrome or Internet Explorer or Firefox, because Edge isn't compatible.
  • And there you go...Windows is SO SECURE... but, they let a hack like this just hang around for a while....
  • My my what a bunch of dribble... okay there is an exploit. Okay Google tells Microsoft that some Google paid hacker found it to get some new articles written about itself... slow sales for the Pixel maybe. Okay so MS needs to get down and fix it. Humm lots of code... lots of different types of systems 1000's of hours... oh no MS ya got 7 days... gee thanks Google.. everyone is screwgled again... Remember don't be evil. I used to be a fan boy until I found a picture from my Google drive on another website... and the virus my system got from a shared Doc.. gee Google just keep it in your pants okay?
  • Everyone is complaining how Google revealed the specifics of the exploit (or some of them at least), that should make it pretty easy for MS to locate it. P.S. most of the OS code does not care about the underlying system
  • Google revealed EVERYTHING about this vulnerability which puts people's devices at risk. That's why we are "complaining" about this!!!!!!!!
  • Google wants users to leave Windows platform and join their Chrome OS
  • Lol good luck, they'll need it
  • What a bunch of retarded fanboys. Get your **** together and stop blaming Google when Microsoft can't fix their own ****.
  • Get back to your colouring book and leave the thinking to the adults.
  • I HATE GOOGLE