
Microsoft criticize Google for publishing a security vulnerability in Windows 8.1

ahhming

So, if you remember, a Google engineer found a vulnerability in Windows 8 and made it public
(http://linustechtips.com/main/topic/282690-google-engineer-finds-critical-vulnerability-in-windows-81-makes-it-public/)

Senior Director of the Microsoft Security Response Center, Chris Betz, said:
It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack.

 
 

Responding to security vulnerabilities can be a complex, extensive and time-consuming process. As a software vendor this is an area in which we have years of experience. Some of the complexity in the timing discussion is rooted in the variety of environments that we as security professionals must consider: real world impact in customer environments, the number of supported platforms the issue exists in, and the complexity of the fix. Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account.


Google - has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so. Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.

Betz argued that privately disclosed vulnerabilities are more likely to be fixed and less likely to be exploited by "cybercriminals" than ones that are publicly disclosed.
 
Source:

http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx

http://www.theverge.com/2015/1/12/7530791/microsoft-criticizes-google-for-bug-disclosure-approach


Good guy Google, pointing out security hazards. You would think Microsoft would be thanking them.



Funny. Google let them know privately months beforehand (90 days, to be exact) and published it after said 90 days. Spoiler alert: if you're Microsoft, you have a team of developers, AND a team of testers, AND security experts. It doesn't take 3 months.


Funny. Google let them know privately months beforehand (90 days, to be exact) and published it after said 90 days. Spoiler alert: if you're Microsoft, you have a team of developers, AND a team of testers, AND security experts. It doesn't take 3 months.

It didn't. The patch was finished and ready to roll; MS asked them to hold off for 2 extra days until their official patch day. That's hardly an unreasonable request, and in this instance Google did the wrong thing. It's not like MS asked them not to publish it at all; they asked for a 48hr delay.


It didn't. The patch was finished and ready to roll; MS asked them to hold off for 2 extra days until their official patch day. That's hardly an unreasonable request, and in this instance Google did the wrong thing. It's not like MS asked them not to publish it at all; they asked for a 48hr delay.

Protip: If you can help it (which Microsoft could), you get functional security patches out immediately. By waiting, you're leaving users still vulnerable. They have their policy to do patches Tuesday, and Google has theirs of 90 days. Period. They weren't really in the wrong; policy is policy.

 

Example. Why didn't people wait to patch Heartbleed? Because data was in danger otherwise. 


Protip: If you can help it (which Microsoft could), you get functional security patches out immediately. By waiting, you're leaving users still vulnerable. They have their policy to do patches Tuesday, and Google has theirs of 90 days. Period. They weren't really in the wrong; policy is policy.

So you're arguing that it's OK for a company to place millions of users in jeopardy despite knowing a fix is 48hrs away, because their policy dictates they must?

Listen, I'm not defending MS here. They could have pushed the patch earlier and closed the problem, but two wrongs don't make a right. Google could have easily waited 2 days for the patch before releasing the details, in order to protect the privacy of the user base.

MS were in the wrong for sure but what Google did was beyond contemptible, the only people who benefited from them releasing the details were the hackers.


So you're arguing that it's OK for a company to place millions of users in jeopardy despite knowing a fix is 48hrs away, because their policy dictates they must?

Listen, I'm not defending MS here. They could have pushed the patch earlier and closed the problem, but two wrongs don't make a right. Google could have easily waited 2 days for the patch before releasing the details, in order to protect the privacy of the user base.

MS were in the wrong for sure but what Google did was beyond contemptible, the only people who benefited from them releasing the details were the hackers.

You mean to tell me that Microsoft doesn't do it for 144 hours a week, of 168? Because at that point, Microsoft is putting users in danger by not releasing finished security updates immediately. Policy is policy and you risk losing your job if you don't follow it.


Original Article from the Verge: http://www.theverge.com/2015/1/12/7530791/microsoft-criticizes-google-for-bug-disclosure-approach

Additional Article from Engadget: http://www.engadget.com/2015/01/02/google-posts-unpatched-microsoft-bug/

 

 

Remember when Google published a major bug about Microsoft Windows 8.1 to the public a while back? 

If not, click HERE to read that article to get a refresher. (Credit to @ahjolinna)

 

Well, Microsoft has come out criticizing Google about its method of what they think they were doing right, by alerting Windows 8 users.

The main reason they are being criticized is the announcement went out 2 days before Microsoft was going to release a solution. 

 

Paraphrased and quotes from The Verge, here on until my thoughts.

 

Google announced the bug as part of its Project Zero program which gives companies advanced warning before news of the bug/issue goes live to the internet, which is around 90 days since it being first reported to the company at hand. 

 

Well, Senior Director of Microsoft's Security Response Centre (that is a long title) Chris Betz has come out criticizing the Internet company for its methods.

Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a "gotcha," with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal. 

GOOGLE BELIEVES TIME LIMITS ENCOURAGE ACTION — MICROSOFT SAYS IT JUST MAKES COMPLEX SITUATIONS MORE DIFFICULT TO DEAL WITH

Following the latest disclosure to the public on the 11th of January 2015, Microsoft's and Google's policies couldn't be further apart about where each company stands.

 

Chris Betz (the guy from above) has also come out saying:

Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We Disagree... We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon.

 

My Thoughts?

 

I think Google was in the right to release the bug data. (Don't start a flame war with me, just my opinions) Any respectful software company would issue a fix if there is a security issue in their software, and not wait for their "Patch Day of the Month". I feel that 90 days is adequate time to get this fix out. Even if the fix was to be released, it is nice to know what updates do what and to fix what issue (if any occur). 

 

What are your thoughts?

Please leave them down below!

 

EDIT: Crap, didn't see this topic. Sorry for the Repost.


Piss off Microsoft.


Piss off Google.


If you can't fix a security bug in 90 days, then you announce the bug yourself so people are aware and can plan around it, because if Google can find it, someone else could get hold of it. And if it's a serious bug, then certain companies would want to know so they can back up data, disconnect things from the internet till a fix is ready, swap to another system, etc.


If you can't fix a security bug in 90 days, then you announce the bug yourself so people are aware and can plan around it, because if Google can find it, someone else could get hold of it. And if it's a serious bug, then certain companies would want to know so they can back up data, disconnect things from the internet till a fix is ready, swap to another system, etc.

 

Microsoft would do anything to save their own ass. Including, apparently, letting a bug go on for 90 days without mentioning it.


Microsoft thinks that time screws stuff up.

Really.

 

They are just pissy because Google is actually giving competition in the OS department, is wrecking Microsoft in mobile, and is taking a stab at the Xbox with Android TV and these micro consoles (that run as well as the next-gen consoles).


How many lines of code are there in Windows, and how many of them are connected in obscure ways? A LOT. With bugs this big, OK, say they're there, inform the public and the vendor, but don't give a tutorial on how to do it.


You mean to tell me that Microsoft doesn't do it for 144 hours a week, of 168? Because at that point, Microsoft is putting users in danger by not releasing finished security updates immediately. Policy is policy and you risk losing your job if you don't follow it.

I've got to agree with @Master Disaster here.

 

You can be damn sure that a vulnerability like this would be pushed higher up in Google. No one was going to "lose their job" over overriding the policy and adding a 48 hour extension. Google was wrong to do this. There's no "if's, and's, or but's" about it.

 

Your argument is basically "Well Microsoft is already wrong anyway so whatever". Even if Microsoft was wrong - which we're not entirely sure of. We only assume the patch was ready before the Tuesday - Though let's assume Microsoft withheld the patch until Patch Tuesday on purpose - Even if Microsoft was wrong, what Google did was malicious and unethical. The ONLY people who benefited here were Hackers. They basically got a 48 hour window in which Google basically said "Hey guys, have fun!"


It didn't. The patch was finished and ready to roll; MS asked them to hold off for 2 extra days until their official patch day. That's hardly an unreasonable request, and in this instance Google did the wrong thing. It's not like MS asked them not to publish it at all; they asked for a 48hr delay.

So they wanted to wait an extra 2 days for... what exactly? The day they put out patches? That's a great idea: don't put the patch out when it's ready, wait around until "patch day".

 

I've got to agree with @Master Disaster here.

 

You can be damn sure that a vulnerability like this would be pushed higher up in Google. No one was going to "lose their job" over overriding the policy and adding a 48 hour extension. Google was wrong to do this. There's no "if's, and's, or but's" about it.

 

Your argument is basically "Well Microsoft is already wrong anyway so whatever". Even if Microsoft was wrong - which we're not entirely sure of. We only assume the patch was ready before the Tuesday - Though let's assume Microsoft withheld the patch until Patch Tuesday on purpose - Even if Microsoft was wrong, what Google did was malicious and unethical. The ONLY people who benefited here were Hackers. They basically got a 48 hour window in which Google basically said "Hey guys, have fun!"

 

There's a good chance that the security problem was already known to them.


I've got to agree with @Master Disaster here.

 

You can be damn sure that a vulnerability like this would be pushed higher up in Google. No one was going to "lose their job" over overriding the policy and adding a 48 hour extension. Google was wrong to do this. There's no "if's, and's, or but's" about it.

 

Your argument is basically "Well Microsoft is already wrong anyway so whatever". Even if Microsoft was wrong - which we're not entirely sure of. We only assume the patch was ready before the Tuesday - Though let's assume Microsoft withheld the patch until Patch Tuesday on purpose - Even if Microsoft was wrong, what Google did was malicious and unethical. The ONLY people who benefited here were Hackers. They basically got a 48 hour window in which Google basically said "Hey guys, have fun!"

 

Personally I don't really see too much of a problem; this was just a simple privilege escalation attack. You would need access to the computer, or already have a program running on the target computer, and if I read the report correctly, essentially all this attack allows you to do is create folders anywhere you want. Ultimately this is a pretty minor bug, and there are likely already a few other bugs in the wild that do more than this.


I must agree with Master Disaster.

It is easy to say that Microsoft had 3 months. But the reality is that Microsoft had other security updates to fix, and to be honest ones that are more of a security threat than the one found by Google, which requires an already compromised system.

Microsoft follows Patch Tuesday because there is a reason for this: businesses.

Microsoft USED to release patches when they were ready. But what happened is that IT departments in businesses wanted to test the updates with their systems before deploying them. As they were coming in at random, it led IT to simply not care about updating all the company systems, and to block Windows updates until they re-imaged their systems (once a year, at best).

So now the way it works is not ONLY that Microsoft waits for Tuesday, but companies are informed ahead of time, creating delays in releasing security patches.

Now, Microsoft is annoyed with this beforehand delay to inform IT businesses. So, they are removing it. And now IT businesses are freaking out.

http://blogs.technet.com/b/msrc/archive/2015/01/08/evolving-advance-notification-service-ans-in-2015.aspx


WWW, so it should be the fault of Google for forcing them to fix a patch? Hilarious. Now Microsoft are lazy and criticize Google when they force them to stop being lazy. Hilarious shit is hilarious.


I agree with Microsoft here. A real OS is complex, and patching a vulnerability can easily create more if done in a haphazard manner. Who's to say that Microsoft security team 3 wasn't in the midst of analysing the patch to confirm its stability? And as stated in other posts, there's a whole world out there with IT and security personnel involved that aren't part of MS.

And just what the heck are users going to do having learned about their vulnerability 2 days earlier? Bitch and moan that it is there? Grandma going to stop baking cookies and put on her IT security pro programmer hat, create, apply and publish an open source patch for the world to use without verification, validation or credentials?
