Microsoft views Google's disclosure as a "gotcha"

During the holiday break, Google's Project Zero team disclosed a vulnerability in Windows 8.1 after Microsoft failed to issue a patch within the 90-day deadline that Google gives vendors. That sparked a debate on whether or not Google did the right thing, and while many (not all) of our readers sided with Google, Microsoft has some information that warrants asking the question again. Specifically, Microsoft says it was scheduled to patch the vulnerability on Patch Tuesday, two days after Google's deadline, and that Google ignored its request to withhold details until that time.
"Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal," Microsoft's Chris Betz stated in a blog post.
The vulnerability in question could let a low-privileged user of Windows 8.1 gain administrative rights. Google's Project Zero team reported its findings to Microsoft with its usual 90-day deadline attached, and when the deadline arrived, the team went ahead and posted the full exploit details online.
Those in favor of Google's decision point out that Microsoft had plenty of time to issue a fix. They also point out that hackers don't take breaks during holiday periods, so the timing of the deadline didn't matter. However, if it's true that Microsoft asked for two additional days, do you still feel it was right for Google to ignore its request?
We know Google's view, based on its actions, but what of Microsoft? Here's what Betz had to say:
"In terms of the software industry at large and each player’s responsibility, we believe in Coordinated Vulnerability Disclosure (CVD). This is a topic that the security technology profession has debated for years," Betz explains. "Ultimately, vulnerability collaboration between researchers and vendors is about limiting the field of opportunity so customers and their data are better protected against cyberattacks.
"Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a 'fix' before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp."
Why did it take Microsoft 92 days to issue a fix? We don't know for sure -- it could be that other, more serious vulnerabilities were a higher priority, though Betz didn't say as much, at least not directly.
"Responding to security vulnerabilities can be a complex, extensive and time-consuming process. As a software vendor this is an area in which we have years of experience. Some of the complexity in the timing discussion is rooted in the variety of environments that we as security professionals must consider: real world impact in customer environments, the number of supported platforms the issue exists in, and the complexity of the fix," Betz added. "Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, a decade-old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account."
As the late Paul Harvey would say, now you have the rest of the story. The question is, does it change your opinion of what Google did, or does the fault still lie with Microsoft for letting 90 days elapse without a fix?