Microsoft hits back at Google for publishing Windows 8.1 vulnerability before it was fixed

Microsoft has lashed out at Google for making a Windows 8.1 vulnerability public. Chris Betz, heading up the Microsoft Security Response Center (MSRC), published a new blog post over on TechNet talking about security and how tech companies should work together to better protect consumers against threats from exploits in software, something the company feels Google disregarded.

The blog post touches on preventing the full public disclosure of security vulnerabilities in software, which Microsoft believes is best kept under wraps.

Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a "fix" before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.

Betz then highlights how Google released information about the vulnerability in Windows 8.1 just two days before a planned patch was set to be published on Patch Tuesday. Betz also states that Microsoft asked Google to avoid releasing said details before January 13.

Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a "gotcha", with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

The blog post closes by reaffirming that software is by no means perfect. It is indeed made by humans after all, and we've continuously displayed strong signs of imperfection throughout our history. Here's hoping the giants behind our favorite devices band together to keep everyone safe from attacks and cyber crime.

Source: TechNet

Rich Edmonds
Senior Editor, PC Build

Rich Edmonds is Senior Editor of PC hardware at Windows Central, covering everything related to PC components and NAS. He's been involved in technology for more than a decade and knows a thing or two about the magic inside a PC chassis. You can follow him over on Twitter at @RichEdmonds.

240 Comments
  • I agree with his sentiments whole heartedly.
  • Yes, I agree too. Disregard for customer security is not acceptable in any form, especially publishing details of a vulnerability, seriously!
    Edit. Read this link about Google support....frightening! http://www.neowin.net/news/after-throwing-microsoft-under-the-bus-google...
  • And to top it off, it's not like Microsoft was just ignoring the bug. They obviously fixed it since they asked Google to wait a few extra days before publishing the vulnerability, which wasn't unreasonable considering the whole thing happened over the holidays. Instead, innocent consumers are put at risk so a few immature douchebags at Google can say, "lulz we screwed teh Micro$oft." Stay classy, Google.
  • This is also a dirty tactic that Google will use to get Chrome to become the new mainstream OS and it's further proof positive that Apple and Microsoft should collaborate on an answer to YouTube.
  • LOL Chrome will never be a mainstream OS.
  • I don't know anyone that uses chrome.
  • They're being used in schools. Like drug dealers, they're trying to get them while they're young.
  • At my High School there were Windows PCs from the XP era with Windows 7 installed. For cloud collaboration we were required to use Google drive. We had the choice to use IE, Firefox, or Chrome as they were all installed. We were allowed to use phones in most classes and in the halls too. Next year they are moving books to electronics. Students will be allowed to use any device with a screen over 8 inches however the school will offer discounts to students for iPads. Kids in 5th-8th grade will be required to use iPads. I went through more than the web browser because I believe Apple is a bigger problem to our younger generation than Google is.
  • I do. I'd rather not, but sometimes I can't even see embedded video on a web page with IE on my SP3. Then I'd be using SquareSpace to update a website on IE, and there are some wonky things as well. Maybe I should see if FireFox works...
  • That's why some chrome books come with Ubuntu LOL
  • What does YouTube have to do with all this? Lol bro, think before you write. That just doesn't make sense.
  • He was thinking ... and very clearly ... Google has been trying to muscle in on Microsoft for years ... if there was a competitor to Youtube there would be no reason to even need to have a Google account. Signing up for youtube forces you to make a Google Plus account. This was a big opportunity for Google to smear Microsoft publicly and now we find out Microsoft asked them for a couple more days and Google maliciously published the info. Google's "don't be evil" slogan is a joke.
  • Not directly linked to the article. But yeh I agree an alternative to YouTube would be cool (it is after all #1 website in terms of volume, and a big source of income if people adopt it). Just 1 risk to this: Google tends to allow mostly anything on their cloud and on YouTube (people can curse, can post pretty violent stuff, pretty controversial stuff, etc), which is great! If Microsoft makes a video service they need to change their shady "no vulgarity" policy, which basically says they can actually suspend your account if they find any partial nudity (even a painting, like a Picasso), or even any vulgarity (in theory even cuss words) anywhere in stuff you put on the cloud. I'm all for Microsoft, but they really need to change that policy!
  • This just in.. Microsoft wanted to get back at Google for this by finding 2 bugs in Android. Google has asked Microsoft for 90 days' time so they can verify if it's new from a list of 1 million bugs and security flaws that they already know exist in the platform.
  • ^^ this!
  • WTF are you talking about?? Google has no right to fudge Microsoft. It has its own issues. Google stopped security updates for web app view apps working on Jellybean and lower versions and it was talking about security patches of Microsoft. GREAT!!
  • So do I. Blatant disregard for MS by Google.
  • I mean if Google was worried it should have coordinated with MSFT!! Fudge principles
  • That's the part when we all say "Fuck Google"
  • Hahaha
  • Like wtf? Google scr** you! Smartass**s!
  • Relax people. There has and will be vulnerabilities in software since the beginning of coding time and will always be. It's the nature of what it is. Having said that, this is irresponsible from a standpoint of good reason and customer outlook.
  • LOL; you say that as if the "beginning of coding time" was somewhere around stone age.
  • Now you made me laugh :)
  • Relax mother fucker? Tell that to the... Probably billions by now, who have some of their ID stolen.
  • Unlike the billions of Google/Android spyware sufferers who have this everyday.
  • What! Google was just trying to level the playing field! It was to their level..... But.....
    FG
  • Agreed.
  • GOOOGLEEE.. MY A**..
  • Then am gonna smack it for sure..!!
  • I chose to Bing your ass and some nasty pictures came up. But yeah google sucks donkey balls
  • Lol
  • Given how google have yet to develop any app other than a search one for any windows device shows how much they despise Microsoft... It's also shocking given how dominant android is, that this is not seen as an anti trust issue. If it was on the other foot it definitely would be, and has already been!
  • Difference between blocking others and not making apps or software. Google doesn't need to make wp apps and you can't force them to do so.
  • They are blocking their customers.
  • Ow yes the 1% of google users on wp. They should make the software I agree but wp market share is so low it won't matter to Google
  • They blocked the YouTube application Microsoft made several times. They are in fact blocking others, evidently the hope it will make people use their products.
  • Finally the good thing is that we got Tube Cast which is much more better LOL
  • Yep, better than the Android YouTube with ADS before the videos :)
  • Yeah and it's a sound strategy because most people don't care or are not hardcore (insert) OS fans and just buy the phone that allow them to use the app of choice
  • i'm glad they didn't put more crap on windows store, the google app is already one app too many
  • "We urge Google to make protection of customers our collective primary goal." BURN.
  • Burn...like genital warts (do they burn, idk)
  • THEY ALREADY BURNIN' CUS THEY IN HELL....
  • Microsoft should also do the same thing with google. And Increase android patents fee.
  • As far as I know Microsoft had 90 days to correct the bug then if they had done it in time there would have been no problem ... and we aren't talking about 2 days ... and we can imagine that Google is maybe not the only one to have discovered it so there is always a hurry to solve. Even 90 days delays is too long. Imagine the back door opened in your garden while it's freezing outside. The quickest u close it the best u will feel inside ...
  • You've never built an application and looked at code apparently. And don't let Google fool you, they did that only to rub it in Microsoft's face which is 100% why they have people at Google who do nothing all day but try to find vulnerabilities in others products. Has nothing to do with helping anyone but themselves so they can look like some hero. Don't ever think it is done to help you or I.
  • On the user side I don't ask about help. Just to have bugs corrected quickly enough before it turns into a problem, whoever the editor is and I think that 90 days is yet a long period of time for big companies like Microsoft or Google. It would be a car with a risk to crash, people would try to repair much more quickly ...
  • If a car has a defect, it had it from the beginning and it can sometimes take years before the defect is noticed and can take some time for a fix to be created. The same is true with software. That vulnerability has been there from the start and was just recently noticed. It doesn't matter how big a company is. You can only throw a certain number of people at a problem before they start getting in each other's way. Releasing details about a vulnerability before it is fixed puts everyone at a greater risk. What are companies going to do with that information? They are still going to sit there and wait for a fix and in the mean time hackers have detailed information they can use to exploit the vulnerability.
  • Just because your back door is open, doesn't mean you publish in the newspaper that your back door is open
    What Google has done here is purely for the sake of popularity and revenge against Microsoft
  • Nope but it doesn't take 90 days to be repaired and it's just my door with no rid for millions of other users, what I mean is whatever editor u are (Microsoft, Google or others) it would be fine to stop bullshitting users and move their ass to activate corrections in a reasonable delay and 90 days is already too long !
  • Be better if Google fixed their Chrome and Android spyware. In fact it's been there for longer than 90 days.
  • How would you know how long it takes to fix? An OS is a massive program and many interdependent parts. Fixing one problem can easily break another part or open other vulnerabilities. They have to fix and then test the software.
  • 90 days is too short to do whole process of programming. After all it's not just coding, every time you do some change in the code of the Windows you have to do checks for side effects and so on.
  • They already did much quicker. All is a question of pressure ... As far as there is no impact on their money, they take their time ... But when needed they can be extremely efficient ...
  • Shits gettin too complicated...and I have a fuckin Ph.D.
  • Lol, the value of a Ph.D just plummeted...
  • It's a joke limp dick, and I do have a Ph.D., just not in computer science, but id still beat your ass academically in any subject. Go ahead, you pick.
  • Hahaha. I was also joking! I refuse your challenge as I don't give a rat's ass about academics!
  • I'm playing too. Ok, we're done here.
  • What, you don't wanna talk about my dick anymore? I do have a Ph.D on that topic. I tattooed my dissertation on it! (though you can only read it when it's fully erect... Hahah)
  • I mistook your name for limp dick. Lippidp...it can happen
  • Yeah and look at the crapshoot that happened when Microsoft released a quick patch that stopped people's computers working - they were getting called out from all sides. Microsoft has thousands of business users it has to protect that they have to fully ensure that a patch doesn't cause more problems than it solves. I understand Google's stance of a time limit trying to pressure companies to get the software patched rather than ignore it, but there is still a moral reason not to publicly release vulnerabilities into the wild. It could have been an internal conversation - G: "Hey how's that patch coming along?" MS: "Yeah, it took more time than we would have liked but it will be out on our patch tuesday". G: "Great! No need for us to announce this one. Was great working with you." It oozes from the walls at Google; they just like to stick it to Microsoft, plain and simple.
  • This is more like your neighbour found that there is a under ground path through your basement and says that boss you fix it within 90 days even if it means rebuilding your house. If it is not fixed, I will tell the path to every one by 91st day. I am sure it is acceptable by you :-)
  • Personally I consider that delays are delays and better than waiting for the last day to see if it works it's better to be efficient, be ready quickly to have time to test it before the deadline ... The problem right now is that people spend their time asking for more time rather than managing correctly the time they have.
  • You're a project manager some place.... Aren't you?!
  • You talk like Microsoft hadn't developed a solution in 90 days, when, in fact, they had a fix for the vulnerability. The two extra days was to allow them to release it with their standard patch Tuesday (second Tuesday of the month). There is nothing unreasonable about that request. Had Microsoft asked for weeks or months, I could understand it, but two days? Come on! You know damn well why Google chose not to give them the 2 days, and it has nothing to do with pressuring Microsoft into being more proactive with developing fixes.
  • Is it really any of Google's fuckin business? No, mother fuckers.
  • You should not use such language... Especially in the internet. It will make you look like something you are not.
  • I think it is pretty clear I'm talking about Google but I respect your opinion, and yes, someone can easily misinterpret language.
  • It is pretty clear... At least to me :-) but words are words :-)
  • I am talking like someone who knows that all fixes/patches cannot be finished and pushed within 90 days... If you think different, I am fine with that too. By the way, I honestly don't understand why Google did not give Microsoft those two days. Not for arguing, but can you explain? I am thinking along the lines that it is not a show stopper and it can definitely wait 2 more days. Am I missing something here???
  • If everyone who has accreditation in their workplace thought like you, dear gods, we would be so far ahead.
  • @Thierry JAUNAY I sincerely hope you aren't being this thick-headed on purpose. It's good to want a problem to be fixed but pushing out a fix without testing it when you have millions of computers owned by consumers, businesses and governments is irresponsible. You used an analogy of closing a door in your home, it's not even remotely similar but I'll humor you. It's more like having a home with millions of doors and some doors have the potential to explode if you don't close the open door properly. At the end of the day though, unless you actually work for Microsoft and code for them, you are in no position to make the statements you have about how long it should take to fix anything.
  • It's why being a locksmith is a job and u have not just one for all the doors, the same way u have good ones and bad ones ... Some working correctly and quickly ... others not ... The problem with stock holders is that they run for profit on sales at the expense of maintenance considered as costs
  • Okay, let's add corporate psychology to the list of things you don't understand in addition to coding. Microsoft is not going to risk its bottom line by allowing a known vulnerability to exist longer than it's capable of. It makes no business sense to hit your bottom-line in that manner.
  • In fact I don't understand many things except that when a door is open, if Google found it others also have in less than 90 days ... And when I buy a door it's not to give the keys. That means having an efficient after sales ... Would u wait 90 days until your future Google car have a crash ?
  • I'm glad we can agree you don't understand. I'll leave you with one last thought, sometimes there is no fast fix for a problem, especially in coding. Sometimes fixing things is more tedious than hard.
  • And if u want a good WF app to manage tasks (I manage 4000 items and 140 partners on it) and knowing that it will have soon a mini PowerPoint integrated etc. Then use GTD Flux on the WF store ... Just to say that even with a phone u can do a lot ...
  • You generally don't find out about a defect in a car until a crash or a large number of cars have the same part breakdown. This vulnerability has been there much longer than 90 days. What benefit do you get from publishing the vulnerability? The fix is still not available and now your computer is at risk. The only time I would publish is if the company is ignoring the vulnerability. I would warn the company first to get their act together and then if they ignore it, I would warn the public. Since the fix was already made, publishing early accomplishes no purpose other than to make the threat worse and fulfill Google's need to make MS look bad.
  • The difference with google cars is that it will not be just parts breaking but potential high risk real time systems ... And drivers are not the specialists from Apollo ... It's why I gave this example ... Knowing too that a car can be embossed etc. which changes driving parameters and we will not be playing an XBox or PS race car but moving real human beings ...
  • Microsoft maintains their software longer than any company I know. Google and Apple give you free update to the latest software. However, Apple makes their money from the hardware sales and pushing new updates tends to make older hardware slower and will get people to upgrade the hardware sooner. Google just cares that users will use their OS so they can push ads to them and data mine user info to sell to advertisers. Both companies abandon the previous version as soon as the update is released. Microsoft maintains the previous versions and the current versions of their software for years.
  • I totally agree on old software and it's why I'm happy with the new free update model that will force users to evolve in spite of keeping alive shit old programs of an other age ... There is also a time when programs need to be updated with OS ... On that, 10 will help a lot ... The age when u were thinking u would have the same job all your life is out of date !
  • You're a shoot them in the knee or shoot the gun out of their hand guy aren't you...
  • Google does this with its own products as well, they've hosted contests offering people thousands of dollars to find exploits with Chrome OS. Google as a company does care about security. And the fact that they released an exploit after the 90 day period (if I am not wrong) isn't unfair, that is the policy of Google's security research and you can sure as hell bet that Google won't extend the time especially for one of its biggest competitors. Also last I checked Samsung was the only OEM paying for Android royalties, and even Samsung refused recently after Microsoft acquired Nokia and now they are working out a deal, Samsung makes Windows Phones in return for less (or no) royalties fees. Microsoft isn't in a position to increase the royalties, it is barely standing in a position where it is fighting to get it.
  • Google is currently fighting against the European Courts for their sharp practices. Basically, they only care about keeping their spyware working and making money. Time for anti trust action?
  • You checked wrong. For one, HTC is also paying royalties. And you expect anyone to fix and release a patch for an OS with millions of lines of code in 90 days??? Seriously? Besides, even in Pwn2own, whatever the vulnerability is, only the basic details are given out and not an application that exploits the behavior.