Microsoft has sharply criticized Google and the company's security disclosure policy after Google publicly revealed a Windows 8.1 privilege-escalation flaw just days before Microsoft planned to ship a patch for it.
Chris Betz, senior director of the Microsoft Security Response Center, said in a lengthy blog post that the threat landscape is becoming increasingly complex, and it is time for companies to stand together in response -- rather than stand divided when it comes to cybersecurity strategies, such as in vulnerability and threat disclosure, as well as the release of security patches and fixes.
This declaration comes after Google released details of a Windows 8.1 security flaw two days before Microsoft was due to issue a fix. The bug is a local privilege escalation: a user with an ordinary, non-administrator account can grant themselves administrator rights and reach sensitive functions they should not be able to touch. Microsoft pointed out that valid login credentials are required to exploit the flaw, but that only narrows the attacker to someone who already has an account on the machine, which describes a company employee with an axe to grind just as well as an intruder who has already gained a low-privilege foothold; it does not stop either from escalating.
The disclosure was made by Google as part of the Mountain View, Calif.-based firm's Project Zero. The project publicly discloses vulnerabilities, together with proof-of-concept code that exploits them, but only after giving the affected vendor a 90-day deadline to ship a fix. Microsoft was notified on October 13, 2014.
That 90-day deadline expired on January 11, 2015 with no fix released, and the vulnerability was disclosed. However, Betz says Microsoft had asked Google to keep the details quiet until this month's Patch Tuesday, which falls on January 13, two days after the deadline.
Microsoft is less than pleased.
"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal," Betz said.
Betz said Microsoft believes that researchers who fully disclose a vulnerability before a fix is available do damage to "millions of people and the systems they depend upon." While some disclose early to pressure vendors into fixing bugs, he argued, the risk that a flaw will be exploited rises once its details are public and no patch exists.
Whether 90 days is long enough for a vendor to develop, test and ship a fix remains up to users and companies to decide.
Betz said the time is right for the industry to adopt a set of practices called Coordinated Vulnerability Disclosure (CVD). Rather than full public disclosure of a vulnerability's details, Microsoft believes the best way to tackle security problems is for researcher and vendor to work together so that a fix is available before the flaw becomes public knowledge.
The company asks that researchers disclose vulnerabilities privately to the vendor in future, and publish details only after a fix has been made available.
"Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers," Betz said. "It is a zero sum game where all parties end up injured."
Last week, Microsoft announced that its Advance Notification Service (ANS), which previewed the security bulletins due each Patch Tuesday, would no longer be publicly available. As part of Microsoft's "evolution" in the way security notifications are handled, only customers with paid Premier support contracts and organizations "involved in its security programs" will now receive that advance notice ahead of Patch Tuesday.