Microsoft on Sunday chided Google for allowing its vulnerability disclosure schedule to undermine Microsoft's vulnerability fix schedule.
On January 11, Google released details about a user privilege escalation flaw in the User Profile Service of Windows 8.1, two days before Microsoft planned to patch the bug. The disclosure followed the expiration of the 90-day deadline Google established last year as part of Project Zero, an initiative to improve online security.
Chris Betz, Microsoft's senior director for trustworthy computing, noted in a blog post that Google released information about the User Profile Service vulnerability despite being asked to withhold the information until January 13, the date of Microsoft's monthly Patch Tuesday.
"Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result," said Betz. "What’s right for Google is not always right for customers."
Betz reiterated Microsoft's support for "Coordinated Vulnerability Disclosure," a process by which security researchers report issues privately to the vendor and then release details once a fix has been published.
This is not the first time the two companies have clashed over this issue. Earlier this month, Google released details about another privilege elevation bug affecting Windows 8.1, having reported the bug privately to Microsoft in September.
Google security engineer Ben Hawkes defended Google's 90-day deadline policy in a comment appended to that earlier disclosure, arguing that it provides a reasonable amount of time to fix bugs while also respecting the rights of users to know about the risks that may affect them.
"By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response," Hawkes said.
Google launched Project Zero in July 2014 as an effort to improve Internet security. Citing last year's Heartbleed bug and the ongoing use of zero-day vulnerabilities to target activists and businesses, the company committed to working transparently, by alerting vendors immediately, in private, and by placing vulnerability details in a public database so that vendor responsiveness can be tracked once the 90-day publication deadline passes.
Google raised the issue in 2010 when it criticized slow vendor responses to security disclosures. "We've seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," Google's security team said.
Back then, Google suggested waiting just 60 days before disclosing a genuinely critical vulnerability.
In response to Microsoft's contention that Google's disclosure policy is irresponsible, Google argues that it is irresponsible to leave flaws unfixed for an excessive period of time.
As to what constitutes an excessive period of time, that may never be resolved to everyone's satisfaction. For Microsoft, 92 days would have worked because that would have fallen within its patch schedule. But that's two more days than Google's present policy allows, and once you start making exceptions, then everyone wants one.