Google and Microsoft are butting heads once again over the former's decision to disclose a critical vulnerability in Windows days after alerting Microsoft. Detailed on Google's security blog, the disclosure relates to a 0-day (meaning it hasn't been publicly described before) vulnerability that could allow privilege escalation. The bug was initially reported to Microsoft on October 21, and Google then publicly disclosed the vulnerability just ten days later — before Microsoft could release a patch.
Update: Microsoft's Terry Myerson has now penned an article called 'Our commitment to our customers' security' going into more depth about the vulnerability and Microsoft's reaction to the disclosure by Google. Importantly, Myerson notes that "Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild," which takes a bit of the sting out.
Speaking to VentureBeat, Microsoft expressed apparent frustration at Google's choice to forgo a delay in public disclosure that would have given Microsoft time to address the bug:
Microsoft and Google previously had a public war of words in January 2015, when Google similarly disclosed a critical vulnerability in Windows 8.1 just two days before a planned patch was set to be published. In that case, Google published details of the vulnerability according to its normal disclosure policy despite a request from Microsoft to delay. In a blog post at the time, Chris Betz of the Microsoft Security Response Center expressed similar frustration, stating:
According to Google, the recently disclosed vulnerability is currently being actively exploited, leading to its decision to publish details of the bug so early.