On December 31st, a Google researcher discovered and disclosed a privilege escalation bug in Windows. The researcher also released a PoC (proof-of-concept) program for the Windows 8.1 weakness, in which he details how to take advantage of the vulnerability.
Today, Microsoft has issued a call for 'better coordinated vulnerability disclosure.' Basically, the issue is straightforward. Some people, including Google, believe that full public disclosure convinces software vendors to fix vulnerabilities quickly and allows affected customers to take quick action to protect themselves. This is not always "black and white," especially when it's a competitor's software you are exposing.
Microsoft disagrees with this method. In fact, Microsoft believes a software vendor should be able to fully assess the potential vulnerability, evaluate the issue against the threat landscape, and issue a fix before disclosing the information to the public. This would prevent an attacker from utilizing the vulnerability when there is no solution to fix the issue.
"Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment," Microsoft's Chris Betz stated in an official blog post. "It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp."
Betz singles out Google in his blog post, stating that Google released information on a vulnerability before the planned fix, which was set to take place on Patch Tuesday. In fact, the vulnerability was disclosed by Google despite Microsoft's request not to.
"Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal," Betz explains.
Betz further adds that Microsoft does not believe it is right for security researchers to find vulnerabilities in a competitor's products, apply pressure for a security fix or patch within a certain time frame, and then publicly disclose the information about the vulnerability, allowing customers to be attacked before a fix is even created.
Anyone involved in software development knows that responding to security vulnerabilities can be a complex, extensive and time-consuming process. Microsoft urges Google, as well as other companies, to work together, because ultimately it is all about the customer.
"Let’s face it, no software is perfect. It is, after all, made by human beings. Microsoft has a responsibility to work in our customers’ best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact peoples’ lives," Betz adds. You can read his entire blog post at the VIA link below.