Google and Microsoft are butting heads once again over the former's decision to disclose a critical vulnerability in Windows days after alerting Microsoft. Detailed on Google's security blog, the disclosure relates to a 0-day (meaning it hasn't been publicly described before) vulnerability that could allow privilege escalation. The bug was initially reported to Microsoft on October 21, and Google then publicly disclosed the vulnerability just ten days later — before Microsoft could release a patch.
Update: Microsoft's Terry Myerson has now penned an article called 'Our commitment to our customer's security' going into more depth about the vulnerability and Microsoft's reaction to the disclosure by Google. Importantly, Myerson notes "Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild," which takes a bit of the sting out.
Speaking to VentureBeat, Microsoft expressed seeming frustration at Google's choice to forgo a delay in public disclosure in order to give Microsoft time to address the bug:
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Microsoft and Google previously had a public war of words of sorts in January 2015 when Google similarly disclosed a critical vulnerability in Windows 8.1 just two days before a planned patch was set to be published. In that case, Google published details of the vulnerability according to its normal disclosure policy despite a request from Microsoft to delay. In a blog post at the time, Microsoft Security Response Center's Chris Betz expressed similar frustration, stating:
"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
According to Google, the recently disclosed vulnerability is currently being actively exploited, leading to its decision to publish details of the bug so early.