Google Reveals More Microsoft Zero Days

Should All Flaws Get Fixed Within 90 Days?

By Mathew J. Schwartz, January 21, 2015.

After laying off an unspecified number of its testing-focused Windows and Office software engineers over the summer, in recent months Microsoft has botched two major patches, to the consternation of numerous Windows users. It also failed to patch several different Windows flaws within 90 days of learning about them via Google's dedicated bug-hunting Project Zero team. As a result, Google has been releasing full bug details to the public (see Google Discloses Microsoft Zero Day Flaw).

Adding potential fuel to the fire, Microsoft recently ceased the bulk distribution of its patch information, except for customers who pay for premium support. But much of the same information will reportedly still be available, for free, via Microsoft's Security TechCenter.

Google's recent release of details on multiple, previously unknown Windows bugs - including proof-of-concept exploit code that could be "weaponized" and turned into working attacks - comes after the search giant declared that any software developer should be able to fix any software flaw within 90 days.

One of Google's recent Windows bug reports centered on a privilege-escalation vulnerability in Windows 8.1 that an attacker might use to execute malicious code. The release of those bug details led to "a call for better coordinated vulnerability disclosure" from Chris Betz, senior director of the Microsoft Security Response Center, which is part of its Trustworthy Computing Group.

Betz says Microsoft requested that Google delay its planned Jan. 11 disclosure of the flaw until Jan. 13, when Microsoft would release the fix as part of its regularly scheduled, monthly "Patch Tuesday" slew of updates. Microsoft has long used the second Tuesday of every month to release all of its patches for the month at once, although it sometimes also issues "out of band" emergency fixes to address flaws that are being actively exploited in the wild.

But Google declined to wait, leading Microsoft's Betz to note: "Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

The war of words has continued to escalate, with Google subsequently making public - again, 90 days after having privately notified Microsoft - details on more Windows flaws. Microsoft had planned to fix one of those bugs - in CryptProtectMemory - as part of its January Patch Tuesday, but discovered compatibility problems just before the update's release, and now expects to ship a fix in February instead.

Microsoft responded to Google's bug report with this statement: "We are not aware of any cyber-attacks using the CryptProtectMemory bypass. Customers should keep in mind that to successfully exploit this, a would-be attacker would need to use another vulnerability first." Of course, details of the flaw - plus proof-of-concept exploit code - have already been made public by Google.

Google's Policy: Who Benefits?

Google's vulnerability policy has been criticized by some security experts, who note that the company competes with Microsoft on several fronts, and is not a neutral third party.

"I am very uncomfortable with technology organizations publishing details of vulnerabilities in the software of their peer organizations," London-based Fayaz Khaki, associate director of information security for market research firm IDC, tells Information Security Media Group.

Some commentators have also noted that Google employs agile development processes for its products, which makes them relatively easy and quick to update, and that it maintains a browser built to receive updates automatically. Google also created a mobile operating system that is open source, which absolves it of having to update most of the estimated 930 million devices running outdated versions of Android that contain known vulnerabilities.

A Stark Twist